In this Web exploit toolkit guide, we provide you with a handy dictionary of Web exploit toolkits and their application, which have not already been covered in previous BackTrack 5 tutorials. This tip is meant as a comprehensive compendium for Web application security enthusiasts.
With Web application security becoming a major concern in recent times, various Web exploit toolkits have been developed for vulnerability assessment. BackTrack 5 comes with a set of very good Web exploitation toolkits such as darkMySQLi, fimap, sqlmap, padbuster, asp-auditor, sqlbrute, sqlninja, sslstrip, w3af console/Gui, websecurity, XSSer. Of these we have covered darkMySQLi, fimap, SQLmap and XSSer in this quick reference guide.
These Web exploit toolkits can be used to scan websites and also exploit applications. A few of the Web exploit toolkits are for exploiting a particular type of Web-based vulnerability. For instance, xsser helps discover xss vulnerabilities, darkmysqli is meant for SQL injection, and fimap is for LFI/RFI vulnerabilities. This article describes these tools and their usage during vulnerability assessment and penetration testing. Note that each Web exploit toolkit has myriad options, but we will discuss only the usage of the tools and the basic commands.
SQL injection is right at the top of the OWASP Top 10 security risks, and is considered to be one of the most common vulnerabilities in Web applications to be exploited and used by attackers to compromise servers and facilitate stealing of data, installation of backdoors in the network, and such like.
darkMySQLi.py is a multipurpose MySQL injection tool and one of the best Web exploit toolkits. This tool reduces the time to find BlindSql or SQL injection while performing a penetration test. It offers various parameters to make the injection easier. The usage is as follows:
wo0t@bt:/pentest/web/darkmysqli# python DarkMySQLi.py --help
The above command will provide information about various parameters in darkMySQL
wo0t@bt:/pentest/web/darkmysqli# python DarkMySQLi.py -u http://www.example.com/index.php?id=32+AND+1=2+UNION+ALL+SELECT+1,keyword,3,4,5,6,7,8,9,10-- --full
Here -u defines the URL and --full is used to dump as much information as possible
Once the necessary parameters are added, press enter to see the results, which will include information on number of rows, database name, database version, column names, table names and so on.
Once all the data has been extracted, specific data can be obtained by editing the URL in the browser. For example for viewing the username from userlist, the URL would be as follows:
A proxy can also be used while performing sqli in this tool by using the parameter --proxy=Proxy
The Fimap Web exploit toolkit is written in Python and can be used to find, prepare, audit, exploit and even search automatically (via Google) for local and remote file inclusion bugs in Web applications. This Web exploit toolkit is getting better, as more modules and features keep getting added on. Fimap Web exploit toolkit also allows for introduction of user-generated payloads.
The usage is as follows:
wo0t@bt:~$ fimap -u http://www.example.com/index.php?inc=index.php
The parameter -u defines the target URL. To scan a list of URLs from a text file, the command would be:
Wo0t@bt:~$ fimap -m -l '/tmp/urlscan.txt'
The parameter -m indicates mass scanning and –l is for list.
To scan websites using Google dorks, the usage is:
.fimap.py -g -q 'inurl:include.php'
Here -g is the parameter for searching with Google and -q stands for the query to be searched for in Google.
Fimap can exploit a vulnerable target and can also upload an interactive shell for further exploitation.
This is another Web exploit toolkit tool for sqlinjection. The usage of all these Web exploit toolkits is more or less the same, but with small variations.
The command for obtaining help is:
wo0t@bt:/pentest/database/sqlmap# python sqlmap.py --help
Usage is as follows:
python sqlmap.py [options]
wo0t@bt:/pentest/database/sqlmap# python sqlmap.py -u http://example.com/path/index.php?CategoryID=2 -f
The parameter -u returns the URL and -f is used to perform fingerprinting on the specified URL.
wo0t@bt:/pentest/database/sqlmap# python sqlmap.py -u http://example.com/path/index.php?CategoryID=2 -b
The parameter -b is used for grabbing the banner of the specified URL. Once the banner has been grabbed, the version of the database is known. The next step would be obtaining the username and password. We can also try to dump the passwords in the database using the following commands:
wo0t@bt:/pentest/database/sqlmap# python sqlmap.py -u http://example.com/path/index.php?CategoryID=2 --current-user
--current-user is used to find which user we are authenticated as.
wo0t@bt:/pentest/database/sqlmap# python sqlmap.py -u http://example.com/path/index.php?CategoryID=2 --users
wo0t@bt:/pentest/database/sqlmap# python sqlmap.py -u http://example.com/path/index.php?CategoryID=2 --passwords
The above command will dump all the passwords.
Cross-site “scripter” (XSSer) is an automatic framework to detect, exploit and report XSS vulnerabilities. It contains several options to try to bypass certain filters, and various special techniques of code injection. This Web exploit toolkit also offers a GUI version.
Wo0t@bt:/pentest/web/xsser# python XSSer.py -u “http://www.example.com” -g “Search.asp?tfSearch=” –proxy “http://127.0.0.1:8118″–referer“666.666.666.666″–user-agent "correctaudit”
This Web exploit toolkit tool provides information such as URL, attack URL, browsers and method of attack. Once the vulnerable URL is detected, access the specified page and check it in the browser.
XSSer Web exploit toolkit is one of the best automated Web exploit toolkits for checking cross-site scripting bugs in Web applications.
You can subscribe to our twitter feed at @SearchSecIN
This was first published in November 2011