I am doing some CTF and stumbled upon a problem with Hydra when trying to use it towards a post request.
I allready know how to solve this, but I am having truble with Hydra.
Intecepted from burp
POST /administrator/index.php HTTP/1.1
Host: 10.10.10.126
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.126/administrator/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Connection: close
Cookie: eaa83fe8b963ab08ce9ab7d4a798de05=0mvnlo2q2792fi1rortceo4or3; 2b01af51830ca9615359108de04d9ca1=bpsnvqrm2mf6hc5akvnr8ftdu1
Upgrade-Insecure-Requests: 1
username=admin&passwd=test&option=com_login&task=login&return=aW5kZXgucGhw&71800a4b802098aac7f3bbd7e49a8665=1
I've been googling a lot and tried several different things without success.
What I did was the following:
hydra -l jonah -P test.txt 10.10.10.126 http-post-form "/administrator/index.php:username=^USER^&passwd=^PASS^&option=com_login&task=login&return=aW5kZXgucGhw&97f7e29809c1606df34ec3df81b10860=1:S=Warning:H=Cookie: eaa83fe8b963ab08ce9ab7d4a798de05=0mvnlo2q2792fi1rortceo4or3; 2b01af51830ca9615359108de04d9ca1=bpsnvqrm2mf6hc5akvnr8ftdu1"
-j is the correct username and
-P test.txt contains the correct password
Could someone tell me what is wrong with my request, and why it doesnt succeed?
There is a bug with version 9.1 of hydra and it won't send a request if you give it a cookie. 9.1 is the version that is packaged with kali still, so you need to upgrade your hydra and it should fix the issue.
Try using like this and replace <IncoorectVerbiage> with something like "invalid password".
hydra -l jonah -P test.txt 10.10.10.126 http-post-form "/administrator/index.php:username=^USER^&passwd=^PASS^&option=com_login&task=login&return=aW5kZXgucGhw&97f7e29809c1606df34ec3df81b10860=1:<IncorrectVerbiage>"
Related
We are using the API of Active Collab v5, which works quite good.
Unfortunately, we are not able to attach a successfully uploaded file to an existing task. We tried several different ways, but never suceeded.
The one way we believe should work, is shown here:
PUT https://<DOMAIN>/api/v1/projects/<PROJECTID>/tasks/<TASKID>
Accept: */*
X-Angie-AuthApiToken: <TOKEN>
Content-Type: text/plain
Accept-Language: en-us
Accept-Encoding: gzip, deflate
{
"attach_uploaded_files": [
"<CODE>"
]
}
Content-Type: application/json; charset=utf-8
X-Angie-ApplicationVersion: 5.11.23
Pragma: no-cache
Server: Apache
Content-Encoding: gzip
Vary: Accept-Encoding
{"single":{"id":<TASKID>,"class":"Task","url_path":"\/projects\/<PROJECTID>\/ tasks\/
<TASKID>","name":"<TASKNAME>","assignee_id":0,"delegated_by_id":0,
" completed_on":null,"completed_by_id":null,"is_completed":false,"comments_count": 0,
"attachments":[],"labels":[],"is_trashed":false,"trashed_on":null," trashed_by_id":0,
"project_id":<PROJECTID>,"is_hidden_from_clients":false,"body":"<BODYTEXT >",
"body_formatted":"<BODYTEXT>","created_on":1481044542,"created_by_id":20,
" updated_on":1481052449,"updated_by_id":20,"task_number":258,"task_list_id":<TLID> ,
"position":17,"is_important":false,"start_on":null,"due_on":null,"estimate":0,
" job_type_id":0,"total_subtasks":0,"completed_subtasks":0,"open_subtasks":0,
" created_from_recurring_task_id":0},"subscribers":[20],"comments":[],"reminders": [],
"subtasks":[],"task_list":{"id":<TLID>,"class":"TaskList",
"url_path":"\/ projects\/<PROJECTID>\/task-lists\/<TLID>","name":"Inbox",
"is_trashed":false,"trashed_on": null,"trashed_by_id":0,"completed_on":null,
"completed_by_id":null,"is_completed" :false,"project_id":8,"created_on":1480605343,
"created_by_id":20,"updated_on": 1481052420,"updated_by_id":20,"start_on":null,
"due_on":null,"position":1," open_tasks":1,"completed_tasks":44},"tracked_time":0,
"tracked_expenses":0}
We always get a 200 OK, but the file remains unattached.
Can someone please tell us what we are doing wrong?
Thank you for your support and best regards.
Lukas.
Everything looks fine except the "Content-Type" header of your request.
Since you are sending a JSON encoded body to the API you need to set the request header to
"Content-type: application/json; charset=utf-8".
cheers
Nick
Hi I'm trying to do a SQL injection in a login form.
With BurpSuite I intercept the request:
POST /xxxx/web/Login HTTP/1.1
Host: 10.0.0.70:42020
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: application/json, text/plain, */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json
Referer: http://xxxxxx.com/xxxxxx/
Content-Length: 44
origin: http://xxxxx.com
Connection: close
{"username”:"user",”password”:"pass"}
using:
sqlmap -u requestFile
(where requestFile is the content of the request intercepted with Burp)
sqlmap can't find the injectable field that is password.
I'm sure that's it's injectable cause if as password I input:
' OR 1=1; -- -
I can login with every username I insert
Tried also with:
{"username”:*,”password”:*}
but no luck.
What I'm doing wrong?
Example:
POST / HTTP/1.1
Host: www.example.com
{"username":"*", "password":"*"}
Saved as sqlrequest.txt
Can then initiate a test using this command:
py sqlmap.py -r sqlrequest.txt --level=5 risk=3 --force-ssl
You should then receive a prompt that a custom injection marker is found and that JSON data found in POST body. Process both and then you are good to go.
Sources:
https://security.stackexchange.com/a/150506/67046
https://security.stackexchange.com/a/51862/67046
sqlmap -u URL
sqlmap -r requestFile
Tutorial on how to use request
check this video
I need to configure Burp Suite to intercept data between web browser and proxy server. The proxy server requires a basic authentication (Username & Password) while connecting for the first time in each session. I have tried the 'Redirect to host' option in Burp Suite(Entered the proxy server address and port in the fields):
Proxy >> Options >> Proxy Listeners >> Request Handling
But I can't see an option to use the authentication that is required while connecting to this proxy server.
While accessing google.com, the request headers are:
GET / HTTP/1.1
Host: google.com
User-Agent: Mozilla/5.0 (X11; Linux i686) KHTML/4.13.3 (like Gecko) Konqueror/4.13
Accept: text/html, text/*;q=0.9, image/jpeg;q=0.9, image/png;q=0.9, image/*;q=0.9, */*;q=0.8
Accept-Encoding: gzip, deflate, x-gzip, x-deflate
Accept-Charset: utf-8,*;q=0.5
Accept-Language: en-US,en;q=0.9
Connection: close
And the response is:
HTTP/1.1 400 Bad Request
Server: squid/3.3.8
Mime-Version: 1.0
Date: Thu, 10 Mar 2016 15:14:12 GMT
Content-Type: text/html
Content-Length: 3163
X-Squid-Error: ERR_INVALID_URL 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from proxy.abc.in
X-Cache-Lookup: NONE from proxy.abc.in:3343
Via: 1.1 proxy.abc.in (squid/3.3.8)
Connection: close
you were on the right track, just at the wrong place. You need to setup an upstream proxy at:
Options>>Connections>>Upstream proxy
There you can also setup the authentication
Options>>Connections>>Platform authentication
Here you can create different auth configurations, which will be done if the server requests it.
I'm totally new to WIF and to start playing with it a bit I tried the simplest "f5 experience" with an MVC4 application; according to the tutorials I found, which sadly for the most part refer to releases before .net 4.5, I should just create an MVC app, configure it with the identity and access tool and hit f5 to get up and running with local STS. Yet, I'm probably missing something obvious because when I try to access a restricted page I always end bumped back to the homepage.
Here is what I did, you can easily repro the issue with these steps (VS2012 in Win8 with WIF SDK; ensure to launch VS with admin rights):
create a new ASP.NET MVC4 Internet application. Set its port to 7777 (just picking the port number used in most code samples for the sake of commodity).
update all the NuGet packages (this is optional).
right click the solution, choose identity and access and set the IP=local STS, then click OK. Then reopen the identity and access popup, and choose generate a controller, then click OK.
add an [Authorize] attribute to the About action of the Home controller.
hit F5 and click the About link. As expected, the login view appears, prompting me to login: the only option is of course localSTS. When I click it, I am returned to the homepage and no authentication occurs. I can repeat the process, but nothing changes, so I can never access the secured About page.
The link underlying the localSTS anchor is:
http://localhost:14743/wsFederationSTS/Issue?wa=wsignin1.0&wtrealm=http%3a%2f%2flocalhost%3a7777%2f&wctx=rm%3d0%26id%3d664ff3c2-95b1-40b3-b538-a8357233ea7e%26ru%3dhttp%253a%252f%252flocalhost%253a7777%252f&wct=2013-03-10T13%3a39%3a32Z
AFAIK, its parameters look OK.
If I examine the network traffic, I cannot see any relevant item (if I understand well, I would expect a response setting some cookies for the current session, representing the IClaimsPrincipal).
(BTW, by looking at the web.config, I can see that in modules WSFederationAuthenticationModule is referenced from System.Identity.Services, which is NOT included in the solution after configuring Identity and access; I suppose this is a bug in the tool. Anyway I added a reference to it, but nothing changed.)
Update
Thank you for the reply! If I examine the traffic, here are the relevant GET/POSTs. I get no cookie. I tried recreating the whole test solution, even skipping step #2 above to keep it minimal, but nothing changed.
As for your suggestion #2, I tried to add in global asax:
FederatedAuthentication.WSFederationAuthenticationModule.SecurityTokenValidated
+= (sender, e) => FederatedAuthentication.SessionAuthenticationModule.IsReferenceMode = true;
but the SessionAuthenticationModule is null at the time this code executes and thus a corresponding exception is thrown. I cannot find up-to-date code samples or articles about this, yet WIF seems a very promising tech; I'd like it to be easy for security newbies like me; my main purpose is applying it to a site providing both MVC controllers and WebApi controllers, to a wide range of consumers (JS code, mobile apps, WinRT apps, the site pages themselves...). Any suggestion?
(1) a GET which gets 307, temporary redirect
GET /wsFederationSTS/Issue?wa=wsignin1.0&wtrealm=http%3a%2f%2flocalhost%3a7777%2f&wctx=rm%3d0%26id%3d664ff3c2-95b1-40b3-b538-a8357233ea7e%26ru%3dhttp%253a%252f%252flocalhost%253a7777%252f&wct=2013-03-10T13%3a39%3a32Z HTTP/1.1
Host: localhost:14743
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.160 Safari/537.22
Referer: http://localhost:7777/HrdAuthentication/Login?ReturnUrl=%2fHome%2fAbout
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie:
(2) GET with signin request:
GET /wsFederationSTS/Issue/?wa=wsignin1.0&wtrealm=http%3a%2f%2flocalhost%3a7777%2f&wctx=rm%3d0%26id%3d664ff3c2-95b1-40b3-b538-a8357233ea7e%26ru%3dhttp%253a%252f%252flocalhost%253a7777%252f&wct=2013-03-10T13%3a39%3a32Z HTTP/1.1
Host: localhost:14743
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.160 Safari/537.22
Referer: http://localhost:7777/HrdAuthentication/Login?ReturnUrl=%2fHome%2fAbout
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie:
(3) a POST to the homepage: the respone is of course the homepage content; no cookies set.
POST / HTTP/1.1
Host: localhost:7777
Connection: keep-alive
Content-Length: 7063
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: http://localhost:14743
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.160 Safari/537.22
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:14743/wsFederationSTS/Issue/?wa=wsignin1.0&wtrealm=http%3a%2f%2flocalhost%3a7777%2f&wctx=rm%3d0%26id%3d664ff3c2-95b1-40b3-b538-a8357233ea7e%26ru%3dhttp%253a%252f%252flocalhost%253a7777%252f&wct=2013-03-10T13%3a39%3a32Z
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie:
A working variation
I found a way for letting it work, maybe this can be useful to someone else: if you follow the above procedure without changing from the local IIS server to the VS development server, it seems it's working and I'm still redirected to the Home page (I wonder why:), but as an authenticated user; at this point, I can click the About link again to effectively enter the page.
I reproduce your steps and everything worked. Chrome debugger show that you must have two steps:
GET http://localhost:12263/wsFederationSTS/Issue/?wa=wsignin1.0&wtrealm=http%3a%2f%2flocalhost%3a54306%2f&wctx=rm%3d0%26id%3dc6e46b99-417b-49b6-96a0-40efcead898f%26ru%3dhttp%253a%252f%252flocalhost%253a54306%252f&wct=2013-03-10T18%3a14%3a19Z
POST http://localhost:54306/ with wa:wsignin1.0 and wresult:trust:RequestSecurityTokenResponseCollection
Result of POST is Set-Cookie named FedAuth and FedAuth1. Cookie is split because of cookie size limit.
Please check this in debugger.
p.s. Once i saw a same behavior - cookie is not set normally. Problem was in cookie size and solved by switching to ReferenceMode. Don't forget to to register it in Application_Start:
FederatedAuthentication.WSFederationAuthenticationModule.SessionSecurityTokenCreated
+= this.WSFederationAuthenticationModule_SessionSecurityTokenCreated;
I'm currently trying to connect to a webservice placed on https://xxx.xxx.xx/myapp
It has anonymous access and SSL enabled for testing purposes atm.
While trying to connect from the 3G network, i get Status 403: Access denied. You do not have permission to view this directory or page using the credentials that you supplied.
I get these headers while trying to connect to the webservice locally:
Headers
Request URL:https://xxx.xxx.xx/myapp
Request Method:GET
Status Code:200 OK
Request Headers
GET /myapp/ HTTP/1.1
Host: xxx.xxx.xxx
Connection: keep-alive
Authorization: Basic amViZTAyOlE3ZSVNNHNB
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: sv-SE,sv;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response Headers
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Thu, 16 Feb 2012 12:26:13 GMT
Content-Length: 622
But when accessing outside the local area, we get the big ol 403. Which in turn wants credentials to grant the user access to the webservice.
However, i've tried using the ASIHTTPRequest library without success, and that project has been abandoned. And they suggest going back to NSURLConnection.
And i have no clue where to start, not even which direction to take.
-connection:(connection *)connection didRecieveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
The above delegate method of NSURLConnection doesnt even trigger. So i have no idea what so ever how to authenticate myself.
All i get is the parsed results of the xml elements of the 403-page.
I needs dem seriouz helps! plx.
This was all just a major f-up.
The site had ssl required and enabled, and setting ssl required for the virtual directories does some kind of superduper meta-blocking.
So, by disabling ssl required for the virtual directories, it runs over ssl and is not blocking 3G access..