Yearly Archives: 2013


Nikto – Open Source Web Server Scanner

Nikto is a crucial part of any web penetration test. It sits firmly in both the ‘web application audit’ and ‘web server audit’ camps. Nikto will comprehensively test web servers for a whole range of items. Tests include the presence of dangerous files and CGIs, outdated versions of web server software and specific configuration problems with web servers. So whether you have an open WebDAV setup, outdated Joomla installations or phpinfo test development files lying around – expect Nikto to find them. Nikto publishes regular updates, and so to fetch the latest definitions, just use:

./ -update

Once we have the latest version, we can go ahead and run a scan with:

./nikto -host […]

By | December 12th, 2013|Security Consultant|0 Comments

Blind SQL injection with sqlmap

When an SQL injection vulnerability is attacked, the application will often display error messages from the database. We can retrieve the data we want from the database by constructing a query that ensures it ends up in the error message passed back to us. This is the method we used in the previous SQL injection example, and it is a very quick and efficient way of mining data through SQL injection vulnerabilities. Sometimes, however, code is constructed in a way that, whilst it is vulnerable to injection, makes it impossible to get the data we want returned by the database. Consider the following code –

<?php
$link = mysql_connect("localhost", "twl", "XXXX");
mysql_select_db("twl");
$sql = "SELECT * FROM wp_posts WHERE ID='" . $_GET['id'] . "';";
$res = @mysql_query($sql);
if (@mysql_numrows($res)) {
    echo "We have rows!\n";
} else {
    echo "We have no rows.\n";
}
?>

[…]

By | December 11th, 2013|Security Consultant|0 Comments

SQL injection with sqlmap

sqlmap is a web application and database penetration testing tool that automates detecting and exploiting many types of SQL injection flaws, and then taking over the database server. It’s able to detect a huge range of injection types. Let’s take the following code –

<?php
$link = mysql_connect("localhost", "twl", "XXXX");
mysql_select_db("twl");
echo "This is a page\n";
$sql = "SELECT * FROM wp_posts WHERE ID='" . $_GET['id'] . "';";
$res = mysql_query($sql);
mysql_free_result($res);
echo "This is some text\n";
mysql_close($link);
?>

[…]

By | December 10th, 2013|Security Consultant|0 Comments

wfuzz – Powerful web asset bruteforcer and vulnerability detector

Brute-forcing is a powerful technique for detecting hidden or misconfigured assets on web servers. One of the most common issues I come across when pen testing web services is temporary, old or other development files left lying around. Most pen testers I speak to rely on ‘dirb’ as the standard tool for web application directory brute-forcing. dirb is a great tool, although I’ve always favored wfuzz. I’ve found it to be faster and far more configurable. Using wfuzz, we can specify exactly which part of a URL to fuzz. Here are a couple of examples – wfuzz also allows us to filter matches based on web server response code, as well as on the number of lines, the size of the response, and text matched within the response. […]

By | December 9th, 2013|Security Consultant|0 Comments

Enumerating and Hacking NFS

Network File System (NFS) is used to share files and directories over the network through ‘exports’. When a client wants to gain access to a share on the remote server, the client will first attempt to mount the share. The list of allowed clients per share is located in /etc/exports on the server. The problem with this approach is that the only credential for access is the client’s IP address. If a trusted machine is taken over or its address is otherwise spoofed, the attacker has full access to the share. All versions of NFS prior to version 4 use this same security model. The next issue to take into account is that wildcards (‘*’) are permitted within the exports file. Site administrators often use wildcards to allow a range of hosts access to a share without thinking through the implications. Future changes to the network, or network breaches, may allow a user access to a share that the administrator had not intended. […]

By | December 4th, 2013|Networking|0 Comments

Location header is optional not mandatory

I thought I’d write a short post about this issue as I’ve seen it come up a couple of times in PHP code audits. The incorrect assumption is that the Location header somehow forces the browser to navigate elsewhere, or forces execution of the script to stop at that point. Take a look at the following code sample –

<?php
$logged_in = 0;
/* Do login verification routine here */
if (!$logged_in) {
    /* User is not logged in and shouldn't be here */
    header("Location: /index.php");
}
/* User is logged in */
echo "Secret Member Content";
?>

[…]

By | September 13th, 2013|PHP, Security Consultant|0 Comments

mysql_real_escape_string won’t magically solve your SQL Injection problems

Edited: 5th Oct 2014 after bug fixing and reader feedback
Edited: 6th Oct 2014 after reader feedback

I was engaged by an online retailer to test their custom web application CMS and store. I attended their premises and sat down with the tech manager and his lead developer to discuss with them from both a business management and a technical perspective some of the vulnerabilities that should be tested for, as well as to gain a solid understanding of the business needs and logic. When I came on to SQL injection, I was assured by the lead developer that owing to their secure coding practices, SQL injection is completely impossible. All expected user entered integers are cast as integers, and all expected user entered strings are run through mysql_real_escape_string before being passed back to the database. Once code is committed by a developer to the development Subversion server, the lead developer then manually reviews it before deciding to push it live. Great, I thought, it’s certainly a good start. I did point out that this might not always work, but he didn’t seem too fazed, and I didn’t want to get too much into a discussion about why or when that might not always work at that stage. […]

By | August 18th, 2013|MySQL, PHP, Security Consultant|13 Comments

SNMP Network Attacks

Neither SNMPv1 nor SNMPv2c has any security beyond a plaintext community string. The default community strings for read and write access are ‘public’ and ‘private’ respectively. Some Cisco devices use ‘ilmi’ as the default community string. We can use the tool ‘onesixtyone’ to attempt to brute force the community string from a dictionary:

root@pwn:/pentest/enumeration/snmp/onesixtyone# ./onesixtyone -c dict.txt
Scanning 1 hosts, 51 communities
Cant open hosts file, scanning single host:
[public] Linux dev1 2.6.32-5-686 #1 SMP Sun Sep 23 09:49:36 UTC 2012 i686

The community string was successfully brute forced, and is set to the default, ‘public’. We can now use ‘’ to enumerate the host based on this information (some parts truncated to save space) […]

By | August 17th, 2013|Security Consultant|0 Comments

DNS Zone Transfer (AXFR) Vulnerability

A vulnerability exists when DNS servers are [mis]configured to allow public zone transfers. A zone transfer is literally that – the transfer of an entire zone file, intended primarily for replication and availability between multiple DNS servers. A DNS zone transfer is attempted as follows:

dig axfr <domain> @<DNS server>

[…]

By | August 16th, 2013|Security Consultant|2 Comments

PHP Local and Remote File Inclusion (LFI, RFI) Attacks

PHP supports the ability to ‘include’ or ‘require’ additional files within a script. If unsanitized data is passed to such functions, an attacker may be able to achieve remote code execution on the server. A typical include block might look something like this:

<?php
require("config/");
require("lib/db.lib.php");
require("lib/parser.lib.php");
include("contrib/users/user.contrib.php");
die("This is a test");
?>

Now, it’s also possible to dynamically require or include files based on variables or user input, say for example: […]

By | August 15th, 2013|Linux, PHP, PHP Articles, Security Consultant|0 Comments