Information or data that should not be disclosed publicly is considered sensitive or confidential data. Sensitive data exposure, as the name itself suggests, is the vulnerability in which an application is not secure enough to protect its data, so an attacker can steal sensitive information like account details, credit card information or passwords.
The sensitivity factor always depends on the application type and the information it collects from us at the endpoint. For example, an online shopping site always keeps the credit card details and personal information of the user.
A banking application stores the user's personal identity proofs, bank account number, credit or debit card details, insurance details and many more. Similarly, a health care application continuously stores the user's health information like blood pressure, diabetes and heart beat rates along with the personal information.
From an application point of view, server credentials, user access privileges, architecture information, configuration file paths and database access are also considered confidential information, and these can be easily accessed by a non-privileged user if proper security policies are not implemented.
In this blog we will see how we can get access to the sensitive information of a website using Burp Suite.
Let's begin!!
Open the Mutillidae vulnerable web application using the below link.
Looking at the URL, the value of the page attribute tells us which page we are currently on. Our objective is to fuzz the page value and check whether we can find any sensitive page inside the webserver.
Now open your Burp Suite tool and make sure proxy intercept is on. If you want to know how to set up Burp Suite with your local proxy, please read this blog. Now reload the webpage to get the request info in Burp Suite.
In the GET request it is clearly seen that the request is going for home.php inside the page attribute. Now I will give some random value inside the page attribute to compare the responses from the legitimate and the non-legitimate page request.
For this we will send both the legitimate (page=home.php) and the non-legitimate (page=home1234.php) page request to the Repeater tab by right-clicking on the window and selecting Send to Repeater.
After that, come to the Repeater tab and click on the Go button to view the response from both the legitimate and the non-legitimate page request.
home.php
home1234.php
To compare both responses further we will send them to the Comparer tab.
Right click on both response windows > select Send to Comparer.
Then come to the Comparer tab, select both items and click on Words to see exactly which words differ between the two pages.
After that a popup window will appear and allow you to compare the words of both pages side by side. Basically, the page which we had requested as home1234.php returned the value "Validation Error: 404 - Page Not Found", and that is the only difference from home.php.
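The word-level comparison that Comparer's Words view performs, and the way its result becomes the phrase used for Grep - Match later in this post, can be reproduced in a few lines. The following Python is an added example, not code from the original post or from Mutillidae: the two HTML bodies are constructed stand-ins for the home.php and home1234.php responses (shaped like them, not real output), and the function names are my own.

```python
import difflib
import re

# Constructed sample responses standing in for the two Repeater results above
# (the legitimate page=home.php and the bogus page=home1234.php); they are not
# real Mutillidae output, only shaped like it.
RESP_LEGIT = """<html><body>
<div class="header">Mutillidae</div>
<div class="content">Welcome to the home page</div>
</body></html>"""

RESP_BOGUS = """<html><body>
<div class="header">Mutillidae</div>
<div class="content">Validation Error: 404 - Page Not Found</div>
</body></html>"""


def tokenize(text):
    """Split a response into words, treating whitespace and tag brackets as separators."""
    return re.findall(r"[^\s<>]+", text)


def word_diff(a, b):
    """Word-level comparison like Comparer's Words view: returns (only_in_a, only_in_b)."""
    ta, tb = tokenize(a), tokenize(b)
    matcher = difflib.SequenceMatcher(a=ta, b=tb, autojunk=False)
    only_a, only_b = [], []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            only_a.extend(ta[i1:i2])
        if tag in ("replace", "insert"):
            only_b.extend(tb[j1:j2])
    return only_a, only_b


def marker_from_diff(legit, bogus):
    """Join the words that appear only in the bogus response; this is the phrase
    that distinguishes a missing page and is what gets typed into Grep - Match."""
    _, only_bogus = word_diff(legit, bogus)
    return " ".join(only_bogus)


def grep_match(response, marker):
    """What Grep - Match does per response: does the marker phrase occur in it?"""
    return marker in response


if __name__ == "__main__":
    marker = marker_from_diff(RESP_LEGIT, RESP_BOGUS)
    print("distinguishing phrase:", marker)
    for name, body in (("home.php", RESP_LEGIT), ("home1234.php", RESP_BOGUS)):
        print(name, "-> not found" if grep_match(body, marker) else "-> page exists")
```

Splitting on tag brackets as well as whitespace keeps markup such as `<div` from being glued to the first word of the content, which is why the differing words come out as a clean phrase rather than fragments of HTML.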
Our next objective is to fuzz the page attribute value to request the confidential pages from the server.
Come back to the Proxy tab and send the home.php page request to the Intruder tab:
Right click on the window > Select Send to Intruder.
Now come to the Positions tab to select the position for the attack. By default all the possible positions where we can trigger the attack will be selected, but first we need to Clear all the positions and Add only the position we want.
Leave the attack type as Sniper mode and then come to the Payloads section to load the word list.
Under Payload Options click on Load > select the word list > click on Open.
After that come to the Grep - Match section under the Options tab, which we will use to flag every response that contains the not-found message, so that the pages that actually exist stand out from the rest of the wordlist.
Come to the Grep - Match section under the Options tab > Click on Clear to clear the default list > Type "Validation Error: 404 - Page Not Found" inside the Enter a new item field > Click on Add.
We are done with the configuration now, let's start the attack.
The attack will take some time depending upon the Burp Suite version you are using. I am using the free Community edition, so it will take a longer time than expected.
From the following results we can pick out the available pages: they are the rows left unchecked under the "404 - Page Not Found" column, while all the others have returned the page not found output.
The attack has finished. Now it's time to retrieve the sensitive data.
Double click on any of the available pages in the attack window > Come to the Response tab > Now come to the Render tab to see the real page output.
Congratulations!!
You have successfully got the PHP configuration file as output. If you have any further query or suggestion on the same topic, please feel free to comment below. Happy hacking!!
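Seen from the server side, the Intruder run above leaves a distinctive trace: one client requesting many different page= values within a few seconds. Since the only difference the post found between an existing and a missing page was the in-body "Validation Error: 404 - Page Not Found" text, a detector should key on that request pattern rather than on HTTP status codes. The following Python is an added example, not code from the original post or from Mutillidae. It parses constructed Apache combined-format log lines (sample data, not a real capture), flags any client whose distinct page values inside a sliding window reach a threshold, and shows the allowlist check that prevents the page parameter from selecting arbitrary files in the first place; the IP addresses, page names, thresholds and the ALLOWED_PAGES set are all assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format log lines (sample data, not a real capture):
# one client cycles through many page= values in a few seconds, another browses normally.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /mutillidae/index.php?page=home.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /mutillidae/index.php?page=admin.php HTTP/1.1" 200 4902 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /mutillidae/index.php?page=backup.php HTTP/1.1" 200 4902 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /mutillidae/index.php?page=config.php HTTP/1.1" 200 4902 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /mutillidae/index.php?page=test.php HTTP/1.1" 200 4902 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "GET /mutillidae/index.php?page=setup.php HTTP/1.1" 200 7310 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:55:05 +0000] "GET /mutillidae/index.php?page=home.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:56:10 +0000] "GET /mutillidae/index.php?page=login.php HTTP/1.1" 200 6011 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PAGE_RE = re.compile(r"[?&]page=([^&\s]*)")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    page = PAGE_RE.search(m.group("path"))
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "page": page.group(1) if page else None,
        "status": int(m.group("status")),
    }


def detect_page_fuzzing(lines, window_seconds=60, threshold=5):
    """Return {ip: max distinct page values seen in any window} for clients at or above threshold.

    Distinct page values per client are counted instead of status codes because this
    application reports a missing page inside an otherwise normal-looking response body.
    """
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["page"] is not None:
            per_ip[ev["ip"]].append((ev["ts"], ev["page"]))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # slide the window start forward until the span fits within window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({p for _, p in events[start:end + 1]}))
        if best >= threshold:
            flagged[ip] = best
    return flagged


# Mitigation side: the page parameter should never select a file directly.
ALLOWED_PAGES = {"home.php", "login.php", "register.php"}  # hypothetical allowlist


def resolve_page(requested):
    """Accept a page value only if it is exactly one allowlisted file name; otherwise None."""
    if not requested or "/" in requested or "\\" in requested or ".." in requested:
        return None
    return requested if requested in ALLOWED_PAGES else None


if __name__ == "__main__":
    print(detect_page_fuzzing(SAMPLE_LOG.splitlines()))
    for p in ("home.php", "home1234.php", "../config.php"):
        print(p, "->", resolve_page(p))
```

The sliding window is what separates a wordlist run from a fast human clicking through the site: a real visitor rarely touches more than a handful of distinct pages in a minute, so the threshold and window size can be tuned per application from a baseline of normal traffic. The allowlist resolver is the fix that makes the detection a second line rather than the only one: with it, an unknown page value yields the same result whether or not a file by that name exists on disk, so there is nothing left for a response comparison to distinguish.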