The document is a security assessment report for the website http://testphp.vulnweb.com/ conducted by Vinay Sharma on March 22, 2024. It details three main tasks: port scanning using Nmap, directory brute forcing with Dirbuster, and network traffic interception with Wireshark, highlighting vulnerabilities and providing recommendations for mitigation. The report emphasizes the importance of ethical hacking practices and securing sensitive data during transmission.


lOMoARcPSD|54026425

Shadowfox-vinaysharma-all

Electronics Telecommunication syllabus (Savitribai Phule Pune University)

Downloaded by Suthram Raghu (suthramraghu@gmail.com)

Task Level (Beginner):

BATCH : ShadowFox March B2 Cyber Security


Report Information:

Title: Security Assessment Report for http://testphp.vulnweb.com/

Date: 22 March, 2024

Prepared by: Vinay Sharma

Table of Content

S.No  Task                                                                    Page No
1     Find all the ports that are open on the website
      http://testphp.vulnweb.com/                                             4
2     Brute force the website http://testphp.vulnweb.com/ and find the
      directories that are present in the website                             5
3     Make a login in the website http://testphp.vulnweb.com/ and intercept
      the network traffic using Wireshark and find the credentials that
      were transferred through the network                                    9

LIST of Figures

Figure No  Name                                         Page No
1          Nmap scanning fig(1)                         5
2          Dirbuster tool home panel                    7
3          Dirbuster (Tree view) result 1.0             8
4          Dirbuster (Tree view) result 1.1             8
5          Wireshark Capturing network packets 1.0      10
6          Opening the target link in the browser       11
7          Wireshark Capturing network packets 1.2      12
8          View the detail of packet 6674.eth0          13

Introduction:
In the realm of cybersecurity, understanding and identifying vulnerabilities in web
applications is crucial for safeguarding against potential cyber threats. As part of
my internship task, I was tasked with performing various security assessments on
the website http://testphp.vulnweb.com/. These assessments included:

- Port Scanning:
The first task involved identifying all open ports on the target website. By conducting a port scan, we aimed to uncover any potential entry points that could be exploited by malicious actors to gain unauthorized access to the web server.

- Directory Brute Forcing:
The second task entailed conducting a brute force attack to enumerate directories present on the website. Through this process, we sought to discover hidden or unprotected directories that could potentially contain sensitive information or serve as avenues for further exploitation.

- Network Traffic Interception:
Lastly, we performed a network traffic interception by logging into the website and capturing network packets using Wireshark. This allowed us to analyze the data being transmitted between the client and server, with the objective of identifying any credentials or sensitive information being transferred in plaintext.

Task Level Beginner): 2

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

Machine Information:

Target Website: http://testphp.vulnweb.com/

Description:
The target website,
http://testphp.vulnweb.com/, serves as a purposely vulnerable web application
designed for security testing and educational purposes. It contains various known
vulnerabilities, providing an ideal environment for conducting security
assessments and practicing penetration testing techniques.

Environment:
The assessments were conducted in a controlled environment using virtual
machines to ensure the safety and integrity of both the target website and the
testing infrastructure.

Tools Used:

- Nmap for port scanning
- Dirbuster for directory brute forcing
- Wireshark for network traffic interception

Scope:
The scope of the security assessments was limited to identifying exposures on the target website, not exploiting them. Specifically, the tasks focused on port scanning, directory brute forcing, and network traffic interception to assess the website's security posture and uncover potential weaknesses.

Disclaimer:
It's important to note that all assessments were performed ethically and with explicit permission from the website owner. The findings and recommendations presented in this report are intended solely for educational and improvement purposes and do not constitute any unauthorized or malicious activity.

- Find all the ports that are open on the website http://testphp.vulnweb.com/

Kali Linux is used for the whole assessment. We start with Nmap to find the open ports. The command is nmap followed by its options and the target: -v turns on verbose mode so progress is shown while the scan runs, and -T4 selects the "aggressive" timing template to make the scan faster. Run as an unprivileged user, Nmap performs a TCP connect scan (it completes the full handshake rather than sending raw SYN packets, which is why the output says "Connect Scan") and, with no -p option, checks only its default list of the 1000 most common TCP ports.

The output of the command is shown in the image below.

kali@kali:~/Desktop/vinaysharma/task1$ nmap -v -T4 testphp.vulnw


Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-22 08:09 E
Initiating Ping Scan at 08:09
Scanning testphp.vulnweb.com (44.228.249.3) [2 ports]
Completed Ping Scan at 08:09, 0.27s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:09
Completed Parallel DNS resolution of 1 host. at 08:09, 0.01s ela
Initiating Connect Scan at 08:09
Scanning testphp.vulnweb.com (44.228.249.3) [1000 ports]
Discovered open port 80/tcp on 44.228.249.3
Completed Connect Scan at 08:09, 15.71s elapsed (1000 total port
Nmap scan report for testphp.vulnweb.com (44.228.249.3)
Host is up (0.27s latency).
rDNS record for 44.228.249.3: ec2-44-228-249-3.us-west-2.compute
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http

Read data files from: /usr/bin/../share/nmap


Nmap done: 1 IP address (1 host up) scanned in 16.02 seconds

Task Level Beginner): 4

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

Fig 1

Since here we have completed our scanning and hence we just found only one
port which is also known as port 80  http )
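To make the open/closed/filtered distinction in the Nmap output concrete, here is a small TCP connect scanner written for this report as an added example (it is not part of the original report and is not Nmap's code). It classifies a port the way an unprivileged Nmap connect scan does: a completed handshake is open, an immediate connection refusal is closed, and silence until the timeout is filtered. The demonstration runs entirely against the loopback interface, opening one listening port and releasing another, so it needs no network access.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def probe_port(host, port, timeout=2.0):
    """Classify one TCP port the way an unprivileged nmap connect scan does.

    A completed three-way handshake means "open"; an immediate RST
    (ECONNREFUSED) means "closed"; no answer within the timeout means
    "filtered", which is what nmap reported for 999 of 1000 ports above.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            # A silent drop times out; other OSErrors (no route, etc.) are
            # lumped in with filtered, as nmap does for no-response ports.
            return "filtered"


def connect_scan(host, ports, timeout=2.0, workers=50):
    """Scan the given ports in parallel and return {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def nmap_style_report(results):
    """Summarise like nmap: list open/closed ports, count the rest as filtered."""
    shown = {p: s for p, s in sorted(results.items()) if s != "filtered"}
    hidden = len(results) - len(shown)
    lines = [f"Not shown: {hidden} filtered tcp ports (no-response)", "PORT STATE"]
    lines += [f"{p}/tcp {s}" for p, s in shown.items()]
    return "\n".join(lines)


def demo_local_scan():
    """Offline demonstration: one listening loopback port (open) and one that
    was bound and then released (closed). Returns (open_port, closed_port, results)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # nothing listens here any more, so a connect gets an RST

    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port], timeout=1.0)
    finally:
        listener.close()
    return open_port, closed_port, results


if __name__ == "__main__":
    _, _, r = demo_local_scan()
    print(nmap_style_report(r))
```

Against a real host, pass the target and a port list such as range(1, 1025); the timeout is the only knob that separates "filtered" from "slow", which is exactly why Nmap's -T4 trades a little accuracy on lossy links for speed.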

- Brute force the website http://testphp.vulnweb.com/ and find the directories that are present in the website

DirBuster for Directory Brute Forcing:

DirBuster is a popular tool used in penetration testing and ethical hacking for discovering hidden directories and files on web servers. It operates by sending HTTP requests to a target web server and analyzing the server's responses to identify existing directories and files. This process, known as directory brute forcing, involves systematically attempting to access directories by trying various combinations of common directory names and paths.

Using Custom Wordlists:

In addition to using built-in wordlists provided by tools like DirBuster, penetration testers often utilize custom wordlists tailored to the specific target environment. These wordlists may include common directory names, filenames, or other relevant keywords likely to be present on the target website. By using a custom wordlist, testers can increase the likelihood of discovering hidden directories and files that may not be included in standard wordlists.

Medium Wordlist from Kali Linux:

Kali Linux, a popular operating system for penetration testing and ethical hacking, ships a number of wordlists under /usr/share/wordlists/. The DirBuster lists live in the /usr/share/wordlists/dirbuster/ subdirectory; the "medium" list used here, directory-list-2.3-medium.txt, contains around 220,000 directory and file names collected from real websites, ordered by how often they occur. It provides a balance between coverage and scan time, making it the usual choice for discovering directories on target websites.

Reading the "200" Results:

In the DirBuster result view, the number shown next to each path is the HTTP status code the server returned, not a count. A 200 (OK) response means the requested directory or file exists and was served; 301/302 (redirect) usually means a directory exists (the server redirects /dir to /dir/); 403 (Forbidden) means it exists but access is denied; and 404 (Not Found) is the normal answer for a name that is not present. So the rows marked 200 in the figures below are the directories and files confirmed to exist on http://testphp.vulnweb.com/. How many such hits a scan produces depends on the size of the wordlist, the structure of the target site, and how aggressively the tool is configured.
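As an added example (not DirBuster's code and not from the original report), the following Python implements the same loop DirBuster runs: request each wordlist entry and keep the paths whose status code says "something is here". It deliberately does not follow redirects, so a 301 on /admin is reported as a hit the way DirBuster reports it. The demonstration spins up a throwaway local web root with two real directories and a constructed five-word list standing in for directory-list-2.3-medium.txt, so it runs offline.

```python
import functools
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 301/302 as results instead of following them, as DirBuster does."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_opener = urllib.request.build_opener(_NoRedirect)


def probe_path(base_url, word, timeout=5.0):
    """Request base_url/word and return the HTTP status code (None on no answer)."""
    url = f"{base_url.rstrip('/')}/{word}"
    req = urllib.request.Request(url, headers={"User-Agent": "dir-probe/0.1"})
    try:
        with _opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code  # 301, 403, 404 ... are all answers worth keeping
    except urllib.error.URLError:
        return None


def brute_force_dirs(base_url, wordlist, interesting=(200, 204, 301, 302, 307, 401, 403)):
    """Return {word: status} for every word whose status is in `interesting`.

    200 is a status code meaning the resource exists and was served; 301/302
    usually mean a directory exists (the server redirects /admin to /admin/);
    403 means it exists but is forbidden. 404 is the "nothing here" answer.
    """
    found = {}
    for word in wordlist:
        code = probe_path(base_url, word)
        if code in interesting:
            found[word] = code
    return found


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass


def demo_local_bruteforce():
    """Offline demonstration against a constructed local web root:
    directories admin/ and images/ exist, backup/ and secret/ do not."""
    root = tempfile.mkdtemp()
    for d in ("admin", "images"):
        os.makedirs(os.path.join(root, d))
    handler = functools.partial(_QuietHandler, directory=root)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    # Tiny constructed wordlist standing in for directory-list-2.3-medium.txt
    wordlist = ["admin", "images", "backup", "secret", "index.html"]
    try:
        return brute_force_dirs(base, wordlist)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for word, code in demo_local_bruteforce().items():
        print(f"{code} /{word}")
```

Against a real target, replace the base URL and read the wordlist from /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt; a large volume of 404s from one client in a short time is also the signature a defender should rate-limit on.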

Fig 2

Task Level Beginner): 6

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

output

Fig 3

Task Level Beginner): 7

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

Fig 4

Task Level Beginner): 8

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

- Make a login in the website http://testphp.vulnweb.com/ and intercept the network traffic using Wireshark and find the credentials that were transferred through the network

Wireshark for Network Traffic Interception:

Wireshark is a powerful network protocol analyzer widely used in cybersecurity for capturing and analyzing network traffic in real time. It allows security professionals to inspect the data packets exchanged between a client and server, providing valuable insights into the communication patterns, protocols used, and potentially sensitive information transmitted over the network.

Intercepting Network Traffic:

One of the primary functions of Wireshark is to capture the traffic passing through a network interface. With the interface in promiscuous mode it records every frame the interface receives, not only those addressed to the host; on a modern switched network that still means mostly the host's own traffic (plus broadcast and multicast), so to see another client's login you must capture on that client, on the server, or on a mirror/SPAN port. Here the browser and Wireshark run on the same machine, so the login request is captured directly. This capability enables security analysts to monitor and analyze network communications, including HTTP requests, responses, and any data transmitted in plaintext.

Analyzing Credentials:

During network traffic interception, Wireshark can capture sensitive information such as login credentials, passwords, and session tokens transmitted over unencrypted protocols like HTTP. By filtering captured packets based on specific criteria (e.g., HTTP traffic), analysts can identify packets containing authentication data and extract relevant credentials for further analysis.

Using Filters:

Wireshark offers powerful filtering capabilities to focus on specific types of traffic or packets of interest. Analysts can apply display filters based on various parameters such as source/destination IP addresses, port numbers, protocols, and packet contents. This allows for targeted analysis and extraction of relevant information from the captured network traffic.

Demonstrating Effectiveness:

The use of Wireshark for intercepting network traffic during the login process of the target website demonstrated its effectiveness in capturing sensitive information transmitted over the network. By analyzing the captured packets, we were able to identify plaintext credentials exchanged between the client and server, highlighting potential security vulnerabilities such as the transmission of sensitive data without encryption.

Screenshot 1 Opening Wireshark

- Open Wireshark, a network protocol analyzer tool, to capture and analyze network traffic.

Fig 5

Screenshot 2 Accessing the Website

- Navigate to the target website using a web browser.
- Proceed to the login page of the website.

Task Level Beginner): 10

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

Fig 6

Screenshot 3 Logging In and Capturing Traffic

- In Wireshark, start capturing on the interface that carries the browser's traffic (eth0 in Fig 8) before submitting the form; packets sent before the capture starts are not recorded.
- Input random credentials into the login form.
- Click the login button to submit the form, initiating a POST request to the server.
- Return to Wireshark and filter the captured packets to isolate HTTP traffic (display filter http, or http.request.method == "POST" to show only form submissions).

Fig 7

Task Level Beginner): 11

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

Screenshot 4 Analyzing Captured Packets

- Look for packets containing HTTP POST requests, which typically carry the login credentials in the request body.
- Open the identified packet containing the HTTP POST request.
- Examine the packet's contents, expanding the "HTML Form URL Encoded" section of the HTTP layer (or using Follow > TCP Stream) to locate the transmitted credentials.
- Identify the plaintext credentials submitted to the server.

Fig 8

Task Level Beginner): 12

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

Additional Information:

Packet Analysis: Wireshark enables detailed analysis of captured packets, allowing inspection of request and response headers, payload data, and other metadata.

HTTP Protocol: In contrast to GET requests, which carry parameters in the URL, POST requests send data in the request body. This often includes sensitive information like usernames and passwords. Over plain HTTP the difference is cosmetic: both the URL and the body travel in cleartext and are equally visible in a capture.

Security Implications: Intercepting plaintext credentials underscores the importance of securing sensitive data in transit. Serving the site over HTTPS (TLS) encrypts the request line, headers and body, so a capture shows only the TLS handshake and encrypted application data.
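The following Python is an added example (not from the original report) of the extraction step described under Screenshot 4 and the GET/POST point above: given one raw HTTP request as it appears in Follow > TCP Stream, it parses the request line, headers and body and pulls out the credential-looking fields, from the query string for a GET and from the form body for a POST. The two sample requests are constructed; the path /login.php and the field names uname/pass are assumptions for the example, not taken from the target's form.

```python
import urllib.parse

# Constructed samples of what Wireshark shows under Follow > TCP Stream for a
# plaintext login. The path and field names are assumptions for this example.
SAMPLE_POST = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: testphp.vulnweb.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 26\r\n"
    b"\r\n"
    b"uname=test&pass=Secret%211"
)
SAMPLE_GET = (
    b"GET /search.php?q=cameras&user=alice HTTP/1.1\r\n"
    b"Host: testphp.vulnweb.com\r\n"
    b"\r\n"
)

# Field names that usually carry a login. Extend for the application at hand.
CREDENTIAL_KEYS = {"user", "uname", "username", "login", "email",
                   "pass", "password", "passwd", "pwd"}


def parse_http_request(raw):
    """Split one raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def extract_credentials(raw):
    """Return {field: value} for credential-looking parameters, reading the
    query string for any method and the form body for POST. All of this is
    readable only because the request went over HTTP rather than HTTPS."""
    method, target, headers, body = parse_http_request(raw)
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(target).query)
    content_type = headers.get("content-type", "")
    if method == "POST" and content_type.startswith("application/x-www-form-urlencoded"):
        params.update(urllib.parse.parse_qs(body.decode("latin-1")))
    return {k: v[0] for k, v in params.items() if k.lower() in CREDENTIAL_KEYS}


if __name__ == "__main__":
    print(extract_credentials(SAMPLE_POST))
    print(extract_credentials(SAMPLE_GET))
```

The same logic is what Wireshark's HTTP dissector applies when it labels the body "HTML Form URL Encoded"; the percent-decoding (%21 becoming "!") is why the captured value must be decoded before it is reused.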

Mitigation steps:
The weaknesses identified through the described security assessments on the website http://testphp.vulnweb.com/, and the controls that address them, are:

- Port Scanning:

Firewall Configuration: Put a host or network firewall in front of the server that allows only the ports the application needs (here 80/tcp, and 443/tcp once HTTPS is enabled) and drops everything else.

Port Filtering: Bind administrative services (SSH, database, management interfaces) to internal addresses or restrict them to trusted source IPs rather than exposing them to the Internet.

Regular Port Scans: Scan your own perimeter on a schedule, with the same tool an attacker would use, and investigate any port that appears that was not there before.

- Directory Brute Forcing:

Directory Listing Configuration: Disable automatic directory indexes so that a hit on a directory name does not also reveal every file inside it.

Strong Authentication: Put administrative and other sensitive paths behind authentication, and do not rely on a path being "hidden"; a wordlist will find it.

Brute Force Protection: Throttle or block clients that generate a large volume of 404 responses in a short time, which is the signature of a directory brute force. Account lockout belongs with login brute-force protection; it does not apply here, since no account is being guessed.

- Network Traffic Interception:

Encryption: Serve the whole site over HTTPS and redirect HTTP to HTTPS, so that credentials and session cookies are never sent in plaintext.

Data Masking: Masking protects data where it is stored, displayed or logged; it does not protect data in transit. Keep secrets out of URLs (which end up in browser history and server logs) and rely on TLS for the wire.

Secure Authentication: Token-based schemes such as OAuth or JWT reduce how often the password itself is sent, but a token captured from plaintext HTTP can be replayed just like a password; they complement TLS, they do not replace it.

Security Headers: Send HSTS (HTTP Strict Transport Security) so browsers refuse to fall back to plain HTTP, which prevents downgrade attacks.

Task Level Beginner): 14

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

Task Level (Intermediate):


BATCH : ShadowFox March B2 Cyber Security

Title:
Cybersecurity Tasks Report

Date:
23 March, 2024

Prepared By:
Vinay Sharma

Table of Content

S.No  Content                                                           Page No
1     Title: Cybersecurity Tasks Report                                  1
2     Machine Information                                                2
3     Task 1 Decrypting Veracrypt File                                   3-9
4     Task 2 Finding Entry Point Address of Veracrypt Executable         9-10
5     Task 3 Creating Metasploit Payload and Establishing Reverse Shell  11-19
6     Mitigation Strategies                                              20
7     Conclusion                                                         20

LIST of Figures (fig 1-22)

Fig No  Name                                          Page No
1       Hashcat Command                               3
2       Hashcat Result                                3
3       Veracrypt Installation                        3
4       Veracrypt Add File                            4
5       Veracrypt Mount File                          4
6       Veracrypt Opened File                         4
7       PE Explorer Installation and Veracrypt File   6
8       PE Explorer EntryPoint                        6
11      Payload Creation with MSFvenom                8
12      Payload Transfer with Python Server           9
13      Metasploit Preparation                        10
14      Metasploit Connection Setup                   10
15      Metasploit Exploit Command                    11
16      Payload Download from Webpage                 11
17      Captured Reverse Shell                        12
18      Basic Command Execution                       12
19      Verification of Command Execution on Target   12
20      Directory Access on Target                    13

Task Details:

1) Decrypting Veracrypt File

Objective: Decrypt a Veracrypt-encrypted file using the password recovered from the hash provided in encoded.txt.

Tools Used:

Hashcat (to crack the MD5 hash)

Veracrypt

Text Editor

Task Level Intermediate): 2

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

Approach:

- Obtain the encoded password from the encoded.txt file.
- Decode the password.
- Use the decoded password to unlock the Veracrypt file.
- Access the file and retrieve the secret code.

So let's crack the hash with Hashcat. Hashcat is the best tool for cracking hashes and it is really fast.

Here we have the hash. It looks like it uses the MD5 algorithm (a 32-character hexadecimal digest), so we move to Hashcat and provide this hash in the form of a text file.

fig(1)

Here we use Hashcat with the command

hashcat -a 0 -m 0 task2.txt /usr/share/wordlists/rockyou.txt.gz

The -a 0 option sets the attack mode to straight (wordlist) mode, and -m 0 selects hash mode 0, which is raw MD5. Note that MD5 is a hash, not an encryption: the value cannot be decrypted, only matched by hashing candidate words until one produces the same digest. The last argument is the wordlist, the well-known rockyou.txt, which on Kali is shipped gzip-compressed and is usually decompressed first with gunzip.
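As an added example (not Hashcat's code and not from the original report), the following Python does in a few lines what the hashcat command above does: a straight-mode dictionary attack on a file of MD5 hashes. It also shows, beside the weak storage, how the value should have been stored (a random per-password salt and a slow key derivation) so that the same wordlist pass no longer cracks every hash at once. The hash file and wordlist are constructed stand-ins for task2.txt and rockyou.txt; the first hash is the one from the report.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the report's task2.txt: one hash per line, the way
# hashcat reads its hash file. The first is the hash from the report.
HASH_FILE = """\
482c811da5d5b4bc6d497ffa98491e38
5f4dcc3b5aa765d61d8327deb882cf99
"""

# Constructed stand-in for rockyou.txt (the real list has over 14 million entries).
WORDLIST = ["123456", "qwerty", "password", "letmein", "iloveyou", "password123"]


def md5_hex(word):
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def crack_md5(hash_lines, wordlist):
    """Straight-mode dictionary attack, i.e. what `hashcat -a 0 -m 0` does:
    hash each candidate once and look it up against every target, so cracking
    many unsalted hashes costs a single pass over the wordlist."""
    targets = {h.strip().lower() for h in hash_lines.splitlines() if h.strip()}
    cracked = {}
    for word in wordlist:
        digest = md5_hex(word)
        if digest in targets:
            cracked[digest] = word
            if len(cracked) == len(targets):
                break
    return cracked


def store_password(word, salt=None, iterations=100_000):
    """How the value should have been stored: a random per-password salt and a
    slow key-derivation function, so each guess must be recomputed per user."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", word.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_password(word, stored):
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", word.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for digest, word in crack_md5(HASH_FILE, WORDLIST).items():
        print(f"{digest}:{word}")  # same hash:plain format hashcat prints
```

The break after the last target is the reason Hashcat finishes "in a few minutes" on rockyou.txt for a weak password: the work stops at the first matching line, and a plain MD5 digest can be tested at hundreds of millions of candidates per second on a GPU.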

Task Level Intermediate): 3

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

fig(2)

In a few minutes Hashcat has successfully cracked the password, which is password123.

fig(3)

Task Level Intermediate): 4

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

Here we have installed Veracrypt successfully.

fig(4)

Task Level Intermediate): 5

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

Now we are going to add the existing file, shadowfox veracrypt.

fig(5)

Afterward, we will mount the encrypted file to view its hidden content. It will first require the password, which we have already cracked using Hashcat.

fig(6)

Task Level Intermediate): 6

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

And boom, here we found the hidden text, which is "never give up".

fig(7)

Task Level Intermediate): 7

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

Findings:

MD5 hash (the "encoded" password): 482c811da5d5b4bc6d497ffa98491e38

Cracked password: password123

Secret code: never give up

2) Finding Entry Point Address of Veracrypt Executable

Objective: Identify the entry point address of the Veracrypt executable using the PE Explorer tool.

Tools Used:

PE Explorer

Approach:

- Obtain the Veracrypt executable file.
- Use PE Explorer to analyze the executable and locate the entry point address.
- Provide the entry point address as the answer.

Task Level Intermediate): 8

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

We have successfully installed PE Explorer. Additionally, we have the VeraCrypt setup exe file in which to locate the entry point.

fig(8)

Opening the file in PE Explorer, after a few seconds we found the entry point (the AddressOfEntryPoint field of the PE optional header, shown in the figure).

fig(9)

Task Level Intermediate): 9

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

3) Creating Metasploit Payload and Establishing Reverse Shell

Objective: Create a payload using Metasploit and establish a reverse shell connection from a Windows 10 target machine.

Tools Used:

Metasploit

msfvenom

Text Editor

Approach:
- Launch Metasploit and select the appropriate payload (windows/meterpreter/reverse_tcp).
- Configure the payload with the attacker's IP address and port.
- Generate the payload using msfvenom.
- Transfer the payload to the Windows 7 target machine.
- Set up the listener in Metasploit using the multi/handler module.
- Execute the payload on the target machine to establish a reverse shell connection.
- Interact with the session to execute commands on the target system.

So here, this is the attacker machine. From here we are going to create a payload for Windows 7, and I am using a Kali machine because whatever tool I need is already installed on it.

fig(10)

Task Level Intermediate): 10

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

And this is my Windows machine. From the IP you can note that both machines are on the same network.

fig(11)

Task Level Intermediate): 11

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

Let's now create a payload using msfvenom, a popular tool for payload creation. It offers a variety of payload types, including ones for Linux and macOS.

I've successfully created a payload with a size of 73802 bytes. The next step is to make it available to the target.

fig(12)

To transfer the payload (GTA.exe) via a webpage, we will use Python's built-in HTTP server (python3 -m http.server) running on port 8000.

fig(13)

Task Level Intermediate): 12

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

Before proceeding, let's prepare our attacker machine to listen for the reverse shell as the victim runs the payload. We'll accomplish this using the MSF console (Metasploit).

fig(14)

Task Level Intermediate): 13

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

Now we are going to establish a Meterpreter reverse_tcp connection. Although we could use Netcat, we would need to make some adjustments. To keep things simple, we're using Metasploit.

fig(15)

From the 'show options' command, we can view the settings for the handler. Next, we will listen on port 4444.

fig(16)

fig(16)

Task Level Intermediate): 14

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

So now just run exploit.

fig(17)

We need to open the webpage using the attacker's IP because we are running the HTTP server from there. Therefore, we must use the same IP and port set up on the attacker's machine. Due to a previous issue, I changed the port from 8000 to 8800.

We aim to download any content present on this webpage. As we have uploaded the payload as GTA, download and run it.

fig(18)

Here we can see that we have captured the reverse shell of our Windows machine. Let's try some basic commands to verify it.

fig(19)

Task Level Intermediate): 16

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

fig(20)

Now let's try the same thing on our Windows machine and verify the output of the whoami command.

fig(21)

Task Level Intermediate): 17

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

Here we can list the complete directory tree of our Windows machine.

fig(22)

Findings:

Payload generated successfully.

Reverse shell connection established from the Windows 10 target machine to the attacker's machine.

Able to execute commands on the target system through the Metasploit session.

Mitigation:
Ensure strong and unique passwords are used to encrypt files with Veracrypt to prevent unauthorized access. A password such as password123 falls to a wordlist attack in minutes, as shown above.

Regularly update Veracrypt and other security tools to patch any vulnerabilities.

Implement network segmentation and access controls to limit exposure to potential attackers; in particular, restrict unexpected outbound connections from workstations, since a reverse shell depends on the victim connecting out to the attacker's listener.

Educate users about the risks of opening executable files from untrusted sources.

Conclusion:
The decryption process was successful, allowing access to the encrypted Veracrypt file and retrieving the secret code.

The entry point address of the Veracrypt executable was identified using PE Explorer.

A reverse shell connection was established successfully using Metasploit, demonstrating the potential risk of exploitation if proper security measures are not in place.

It is crucial to follow best practices in encryption, executable analysis, and network security to protect sensitive information and mitigate the risk of unauthorized access and exploitation.

Task Level Intermediate): 19

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

Task Level (Hard)

BATCH : ShadowFox March B2 Cyber Security


Title:
Cybersecurity Tasks Report

Date:
24 March, 2024

Prepared By:
Vinay Sharma

Table of Content

S.No  Content                      Page No
1     SQL Injection Vulnerability  3-11
2     Local File Inclusion         12-14

LIST of Figures

Fig No  Name    Page No
1-16    SQLMAP  3-11
17-18   LFI     12-14

Executive Summary:
This report documents the findings of a security assessment conducted on the website http://testphp.vulnweb.com/. The assessment identified significant vulnerabilities, including SQL injection and Local File Inclusion (LFI), which could potentially compromise the confidentiality, integrity, and availability of the website and its data. This report outlines the vulnerabilities discovered, the methods used for exploitation, and recommendations for remediation to enhance the security posture of the website.

Findings:

1. SQL Injection Vulnerability:

Description: The website's artists.php page is vulnerable to SQL injection through its artist parameter.

Exploitation: By appending a single quote ( ' ) to the artist parameter in the URL, we triggered an SQL error, indicating that the parameter is concatenated into the query unescaped.

Impact: This vulnerability could allow an attacker to extract sensitive data from the database, modify or delete records, and potentially gain unauthorized access to the system.

Risk Level: High

2. Local File Inclusion (LFI) Vulnerability:

Description: The website's showimage.php page is vulnerable to path traversal through its file parameter, commonly grouped under Local File Inclusion (LFI).

Exploitation: By placing ../ sequences in the file parameter, we were able to read arbitrary files from the server's file system.

Impact: This vulnerability could allow an attacker to read sensitive files (configuration, source code, /etc/passwd) and, if the parameter is passed to a PHP include rather than simply read, to execute arbitrary code and compromise the server.

Risk Level: High

Exploitation:

SQL Injection:
- URL: http://testphp.vulnweb.com/artists.php?artist=1'
- Result: Triggered an SQL error, indicating a potential SQL injection vulnerability.

Task Level Hard) 2

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

- Exploitation: Further testing revealed the ability to extract data from the database using SQL injection payloads.
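The mechanics behind the single-quote test and the data extraction, as an added example that is not part of the original report and does not use the target's real code or database: a constructed SQLite schema with an artists table and a users table, a query built the way artists.php evidently builds it (string concatenation), and the parameterized replacement that the recommendations below call for. The table and column names, and the user rows, are assumptions for the example.

```python
import sqlite3


def make_demo_db():
    """Constructed toy schema loosely modelled on an artists site (not the real
    acuart database): an artists table the page reads, and a users table that,
    like the one sqlmap dumped, stores passwords in plain text."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE artists(artist_id INTEGER, aname TEXT);
        CREATE TABLE users(uname TEXT, pwd TEXT);
        INSERT INTO artists VALUES (1, 'artist one'), (2, 'artist two');
        INSERT INTO users VALUES ('alice', 's3cret'), ('bob', 'hunter2');
    """)
    return conn


def artist_name_vulnerable(conn, artist_param):
    """What artists.php effectively does: the query-string value is pasted into
    the SQL text, so the database parses whatever the client sent."""
    sql = "SELECT aname FROM artists WHERE artist_id = " + artist_param
    return [row[0] for row in conn.execute(sql)]


def artist_name_safe(conn, artist_param):
    """Fixed version: validate the type, then bind the value as a parameter."""
    artist_id = int(artist_param)  # ValueError for "1'" or "1 UNION ..."
    sql = "SELECT aname FROM artists WHERE artist_id = ?"
    return [row[0] for row in conn.execute(sql, (artist_id,))]


def probe_for_sqli(conn, query_fn):
    """The report's first test: append a single quote. A database syntax error
    proves the input reached the SQL parser unescaped."""
    try:
        query_fn(conn, "1'")
    except sqlite3.OperationalError as e:  # sqlite: unrecognized token: "'"
        return f"database error: {e}"
    except ValueError:
        return "input rejected before reaching the database"
    return "no error"


# A UNION payload of the kind sqlmap automates: one column, matching the
# original SELECT, so the users rows are appended to the artist result.
UNION_PAYLOAD = "1 UNION ALL SELECT uname || ':' || pwd FROM users"


if __name__ == "__main__":
    db = make_demo_db()
    print(probe_for_sqli(db, artist_name_vulnerable))
    print(artist_name_vulnerable(db, UNION_PAYLOAD))
    print(probe_for_sqli(db, artist_name_safe))
```

With the safe version the same payloads never reach the database: the integer cast rejects them, and even a value that passed the cast would be bound as data, not parsed as SQL.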

Looking through the website manually, I found this page whose URL contains the parameter value '1'; it seems like something that will help to find vulnerabilities.

FIG1

Let's try to put anything in that parameter and see what happens. Here I think I should put admin; if there is any error it will show.

FIG2

Task Level Hard) 3

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

So here my guess was absolutely right: we are getting an error, and in it we can see that it says something about an SQL database. So I think we should attack on the basis of the database, and I will try to use sqlmap to pull out the vulnerabilities of this website.

FIG3

Task Level Hard) 4

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

And one more thing: here I have also found the login web page, where I think the user passwords are stored in some kind of database. So I think if we enumerate the database we can get the username and password.

FIG4

So here, as I said, we are going to use sqlmap to find out the vulnerability on the basis of the parameters present. Here I am using a command like sqlmap -u, where -u means we put the URL of the target website after it. After that we add some crawling, to go deeper and deeper: --crawl 2.

FIG5

Task Level Hard) 5

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

So after some processing time the tool has found some URLs where we can perform an attack. Since sqlmap is an automated tool we do not need to do many things manually; the automation saves a lot of time. Here I have found one URL which is stored in my home directory: as you can see, I have highlighted it, sqlmap has created one folder named result, so let's see the URL.

FIG6

So here we got one URL where I think we can perform an SQL attack to find some databases and tables, so let's see what we get here.

FIG7

Task Level Hard) 6

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

As we know, sqlmap is an automation tool, so we specify the URL and after that add the --current-db option to show the database, as I know nothing about this website; I used it to find the database as well as the host name of this website. Let's see what we get in the result.

FIG8

Here, after some processing time, we can see the database name, which is acuart.

FIG9

Task Level Hard) 7

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

So now we have the host name and the database name, acuart. Now we are going to find how many tables are present in that particular database.

FIG10

So here we can see that eight tables are present in the database. There are many, but I think we found something related to users: there is a users table where I think we can get something precious for us.

Task Level Hard) 8

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

FIG11

FIG12

So I was absolutely right about this: here we found some emails and usernames and passwords, which are stored in plain text. Usually we should not save them like that; we have to store a hash with a salt added, so that anyone who gets hold of the database cannot read what we saved. So let's try the username and password on the website to see whether they are valid or not.

Task Level Hard) 9

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

FIG13

So here I am putting the username and password as we got in the attack

FIG14

And boom, here we are logged in to the website, and we can see details like phone number and many more.

Task Level Hard) 10

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

FIG15

While fetching the details I noticed that sqlmap was doing brute force; it was really worthwhile, but it takes some time to complete, and it successfully found the details.

FIG16

Task Level Hard) 11

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

So here we can also see the cart ID and price of that particular product. This should not happen on a regular website; it would cause a lot of damage, including reputation damage.

Local File Inclusion (LFI):

- URL: http://testphp.vulnweb.com/showimage.php?file=../../etc/passwd
- Result: Successfully retrieved the /etc/passwd file from the server's file system.
- Exploitation: Demonstrated the ability to read sensitive system files through the file parameter.

After SQL I noted that we have one more page that seems like it might have LFI, also known as Local File Inclusion. Here we can see the details of the content which is saved on the server in file format, so let's try the LFI. It is quite easy, so I will keep it simple so that anyone can understand.

FIG17

So we are fetching the data from the website directly in our terminal with the curl tool. After the file name I am going back up the directory tree, like we do when changing directories on a machine. Here I want to reach the /etc/passwd file, so let's try and get the output.

FIG18

Task Level Hard) 12

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

So here it is successfully done and we are able to see the file from the server. This could cause a lot of damage to the system or the organisation.

Recommendations for Prevention:

- Input Validation and Sanitization: Implement strict input validation to prevent SQL injection attacks, and use parameterized queries or prepared statements for every database call, so that user input is bound as data and never concatenated into SQL text.

- File Inclusion Controls: Never pass user-supplied names directly to include/require or open them unchecked. Map the request to a fixed allowlist of files, or resolve the path and verify it stays inside the intended directory before reading it.

- Security Headers: Implement security headers such as Content Security Policy (CSP) and X-Content-Type-Options. These mitigate client-side attacks (cross-site scripting, MIME sniffing); they do not stop SQL injection or LFI, which are server-side and need the two fixes above.

- Regular Security Audits: Conduct regular security audits and vulnerability assessments to identify and remediate potential security weaknesses proactively.

- Security Training: Provide security awareness training to developers and administrators to educate them about common vulnerabilities and best practices for secure coding and web application development.

Task Level Hard) 13

Downloaded by Suthram Raghu (suthramraghu@gmail.com)


lOMoARcPSD|54026425

- Patch Management: Keep software and frameworks up to date with the latest security patches and updates to address known vulnerabilities and mitigate emerging threats.

Conclusion:
The discovery of SQL injection and Local File Inclusion vulnerabilities in
http://testphp.vulnweb.com/ underscores the importance of robust security
measures in web application development. By addressing these vulnerabilities and
implementing proactive security measures, the website can enhance its resilience
against potential attacks and safeguard the confidentiality, integrity, and
availability of its data and resources.

Task Level Hard) 14

Downloaded by Suthram Raghu (suthramraghu@gmail.com)

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy