Lab1 : exploitation Badstore

Badstore.net is dedicated to helping you understand how hackers prey on Web application vulnerabilities, and to showing you how to reduce your exposure.  

(http://www.badstore.net/)

prepare Lab.

- Virtual Box to run Lab1

- Mantra web Browser

- Owasp Zap to web proxie vunerabelity assisment

Run Lab1 on VirtualBox and cek IP, use ifconfig and we get IP lab1 192.168.56.101, 

we can use IP to scan informatian gathering in ZenMap

 

Operating System is Linux 2.4.x, port open 80 for web, 443 and 3306 for MySql. couse port 80 opened we can access web using browser by type IP on URL, we use Mantra web Browser. Before that run owasp zap,

set foxyproxy to localhost, 

make sure we use proxy 172.0.0.1 and port 8080 on mantra web..

I have tired more than 3 practice and restart mantra web and owasp zap an then choosed menus on badstore.net,, but owasp zap did not cacth information from badstore. huft
oke..
get information from /robots.txt

 we get information user-agent structure directory
/bacup, /cgi-bin, /suplier, /upload
type on url http://192.168.56.101/upload

type on url http://192.168.56.101/supplier/

 we get a directory accounts and four accounts as supplier.

1. Cross Site Scripting

 

try to Cross site scripting use <script>alert("TEST");</script> on textarea gusetbox command and klik "Add Entry", we will eccounter allret "ATTACTTT".