Penetration Testing with Kali Linux OffSec
PEN-200

kali@kali:~$ sudo cp /home/kali/Downloads/http-vuln-cve-2021-41773.nse /usr/share/nmap/scripts/http-vuln-cve2021-41773.nse

kali@kali:~$ sudo nmap --script-updatedb
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org )
NSE: Updating rule database.
NSE: Script Database updated successfully.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.54 seconds
Listing 96 - Copy the NSE Script and update the script.db database
To use the NSE script, we’ll provide the name of the script, target information, and port number. 
We’ll also enable service detection. 
kali@kali:~$ sudo nmap -sV -p 443 --script "http-vuln-cve2021-41773" 192.168.50.124
Starting Nmap 7.92 ( https://nmap.org )
Host is up (0.00069s latency).

PORT    STATE SERVICE VERSION
443/tcp open  http    Apache httpd 2.4.49 ((Unix))
| http-vuln-cve2021-41773:
|   VULNERABLE:
|   Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49
|     State: VULNERABLE
|       A flaw was found in a change made to path normalization in Apache HTTP
|       Server 2.4.49. An attacker could use a path traversal attack to map URLs to files
|       outside the expected document root. If files outside of the document root are not
|       protected by "require all denied" these requests can succeed. Additionally this flaw
|       could leak the source of interpreted files like CGI scripts. This issue is known to be
|       exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
|
|     Disclosure date: 2021-10-05
|     Check results:
|
|     Verify arbitrary file read: https://192.168.50.124:443/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
...
Nmap done: 1 IP address (1 host up) scanned in 6.86 seconds
Listing 97 - CVE-2021-41773 NSE Script

340 (GitHub, 2021), https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve-2021-41773.nse

PWK - Copyright © 2023 OffSec Services Limited. All rights reserved.
The output indicates that the target is vulnerable to CVE-2021-41773 and provides us with 
additional background information. 
While Nmap is not a vulnerability scanner in the traditional sense, we found that the NSE is a 
powerful feature that allows us to do lightweight vulnerability scanning. In a penetration test, we 
can use Nmap when there isn’t a full-fledged vulnerability scanner available or when we want to 
verify findings from other tools. 
However, we have the same factors to consider as with any other vulnerability scanner. The NSE 
script categories can provide useful information, such as if a script is intrusive or safe, but we 
also need to keep in mind that an NSE script may contain malicious code that gives an attacker 
full access to our system. For that reason, we always need to verify that the NSE script not only 
provides the needed functionality, but is also safe. 
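Before copying a downloaded script into /usr/share/nmap/scripts, a short static review catches the kind of problem this paragraph warns about: declared categories, calls that act on the scanning host rather than the target, and a hash to record. The Python below is an added example, not PWK material or the NSE script's own code; the NSE text it inspects is a constructed sample and audit_nse_script is a hypothetical helper name.

```python
import hashlib
import re

# Constructed sample of a downloaded NSE script (not the real CVE-2021-41773 script):
# a harmless HTTP check plus one line that should keep it out of script.db.
SAMPLE_NSE = '''\
description = [[Checks a web server for a path-normalization flaw.]]
categories = {"vuln", "intrusive"}
local http = require "http"
local shortport = require "shortport"
portrule = shortport.http
action = function(host, port)
  local r = http.get(host, port, "/")
  os.execute("id > /tmp/nse-ran-here")  -- constructed red flag: runs on the scanner
  return r.status
end
'''

# Lua primitives that let a script act on the scanning host instead of the target.
RISKY_CALLS = {
    "os.execute": "spawns a shell command on the scanning host",
    "io.popen": "runs a command and reads its output",
    "io.open": "opens a local file (check the mode and path)",
    "loadstring": "executes dynamically built Lua code",
}

def audit_nse_script(text: str) -> dict:
    """Static pre-installation review of an NSE script (hypothetical helper)."""
    m = re.search(r'categories\s*=\s*\{([^}]*)\}', text)
    categories = re.findall(r'"([^"]+)"', m.group(1)) if m else []
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split("--", 1)[0]  # drop Lua line comments before matching
        for call, why in RISKY_CALLS.items():
            if re.search(r'\b' + re.escape(call) + r'\s*\(', code):
                findings.append((lineno, call, why))
    return {
        "categories": categories,
        "intrusive": "intrusive" in categories,
        "findings": findings,  # (line number, call, reason) for every hit
        "sha256": hashlib.sha256(text.encode()).hexdigest(),
    }

if __name__ == "__main__":
    report = audit_nse_script(SAMPLE_NSE)
    print("categories:", report["categories"], "intrusive:", report["intrusive"])
    for lineno, call, why in report["findings"]:
        print(f"line {lineno}: {call} -> {why}")
```

A clean result from this check is necessary but not sufficient; still read the script, since obfuscated or string-built calls will not match a literal name.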
7.4 Wrapping Up
This Module has provided an overview of vulnerability scanning with Nessus and Nmap, and it 
provided insight into the different types and considerations of a vulnerability scan. 
Vulnerability scanning can be extremely helpful during any kind of security assessment. 
Configured correctly, vulnerability scanning tools provide a wealth of meaningful data. It is 
important for us to understand that a manual review of the results is still required and that 
scanners can only discover vulnerabilities that they are configured for. Finally, we should always 
keep in mind that vulnerability scanning tools can perform actions that could be detrimental to 
some networks or targets, so we must exercise caution when using them. 
8 Introduction to Web Application Attacks
In this Learning Module, we will cover the following Learning Units:
Web Application Assessment Methodology
Web Application Enumeration
Cross-Site Scripting
In this Module, we’ll begin introducing web application attacks. Modern development frameworks 
and hosting solutions have simplified the process of building and deploying web-based 
applications. However, these applications usually expose a large attack surface due to multiple 
dependencies, insecure server configurations, a lack of mature application code, and business-
specific application flaws. 
Web applications are written using a variety of programming languages and frameworks, each of 
which can introduce specific types of vulnerabilities. Since the most common vulnerabilities are 
alike in concept and the various frameworks behave similarly regardless of the underlying 
technology stack, we’ll be able to follow similar exploitation avenues. 
8.1 Web Application Assessment Methodology
This Learning Unit covers the following Learning Objectives:
Understand web application security testing requirements
Learn different types and methodologies of web application testing
Learn about the OWASP Top 10 and most common web vulnerabilities
Before we begin discussing enumeration and exploitation, let’s examine the different web 
application penetration testing methodologies. 
As a penetration tester, we can assess a web application using three different methods, 
depending on the kind of information we have been provided, the scope, and the particular 
engagement rules. 
White-box testing describes scenarios in which we have unconstrained access to the application's
source code, the infrastructure it resides on, and its design documentation. Because this type of
testing gives us a more comprehensive view of the application, it requires a specific skill set to
find vulnerabilities in source code. The skills required for white-box testing include source code
and application logic review, among others. This testing methodology might take a longer time,
relative to the size of the code base being reviewed.
Alternatively, black-box testing (also known as a zero-knowledge test) provides no information
about the target application, meaning it's essential for the tester to invest significant resources
into the enumeration stage. This is the approach taken during most bug bounty engagements.
Grey-box testing occurs whenever we are provided with limited information on 
the target’s scope, including authentication methods, credentials, or details about 
the framework. 
In this Module, we are going to focus on black-box testing to help develop the web application 
skills we are learning in this course. 
In this and the following Modules, we will explore web application vulnerability enumeration and 
exploitation. Although the complexity of vulnerabilities and attacks varies, we’ll demonstrate 
exploiting several common web application vulnerabilities in the OWASP Top 10 list.
The OWASP Foundation aims to improve global software security and, as part of this goal, they 
develop the OWASP Top 10, a periodically-compiled list of the most critical security risks to web 
applications. 
Understanding these attack vectors will serve as the basic building blocks to construct more 
advanced attacks, as we’ll learn in other Modules. 
8.2 Web Application Assessment Tools
This Learning Unit covers the following Learning Objectives:
Perform common enumeration techniques on web applications
Understand Web Proxies theory
Learn how Burp Suite proxy works for web application testing
Before going into the details of web application enumeration, let’s familiarize ourselves with the 
tools of the trade. In this Learning Unit, we are going to revisit Nmap for web services 
enumeration, along with Wappalyzer, an online service that discloses the technology stack behind 
an application, and Gobuster, a tool for performing file and web directory discovery. Lastly, we are 
going to focus on the Burp Suite proxy, which we’ll rely on heavily for web application testing 
during this and upcoming Modules. 
8.2.1 Fingerprinting Web Servers with Nmap
As covered in a previous Module, Nmap is the go-to tool for initial active enumeration. We should 
start web application enumeration from its core component, the web server, since this is the 
common denominator of any web application that exposes its services. 
Since we found port 80 open on our target, we can proceed with service discovery. To get started, 
we’ll rely on the nmap service scan (-sV) to grab the web server (-p80) banner. 