Tuesday, April 7, 2015

OWASP Broken Web Apps - GetBoo Walkthrough

Here is a quick walk through of GetBoo.  The first item that I found was you can harvest the usernames of the existing users that are registered.  First click on the register link in the upper-right area of the screen:



Though the window pops up for only a few seconds you can capture the URL in a proxy.  Then by clicking the availability link then the URL comes up as follows:

http://172.16.102.135/getboo/checkUsername.php?usernameToCheck=test

Doing a quick check with sqlmap and placing a single apostrophe does not detect sql injection but it still could exist.  However I noticed you can use OWASP-Zap and fuzz the username field.  After loading ZAP and accessing that URL you see the following:



Now you can highlight test on the first line and then right-click and select Fuzz.  Then if you have created a username list you can select it and begin fuzzing.  Then by looking at the results below we can derive a few things:

If you observe the size of the response from the webserver for the username bob+ you find the message of an "Incorrect Username Format is used", then for the size of 560 you find that the username is available, and then with the size of 563 this is a username that is being used.  From this we can derive through brute force the usernames using the site.  From this list you could then brute-force passwords also.

The next vulnerability is I wanted to test the registration of a user to see if it is vulnerable to sql injection.  The following command I executed to test the POST parameters for sql injection:

sqlmap -u "http://172.16.102.135/getboo/newuser.php" --data "aname=test2&pass=test2&pass2=test2&email=test2%40test2.com&hint=test2&captcha=GSWNI&email2=&submitted=Register"

This did not work so I began testing other POST locations for parameters.  Due to the email not being setup I went to the "Forgot Password" page.  I ran sqlmap again with those POST parameters as shown below:

sqlmap -u "http://172.16.102.135/getboo/forgotpass.php" --data="aname=test2&email=test2%40test2.com&submitted=Hint+question"

This came back with results showing that this is vulnerable to SQL Injection.

No comments:

Post a Comment

Test Authentication from Linux Console using python3 pexpect

Working with the IT420 lab, you will discover that we need to discover a vulnerable user account.  The following python3 script uses the pex...