27. Other Notable Applications

1. Methodology over Specific Tools

  • The core focus is on a repeatable methodology that carries over to applications not explicitly covered, rather than on memorising individual tools or exploits.

2. Comprehensive Enumeration

  • Thorough network enumeration and application discovery are crucial for identifying potential attack vectors.

  • Tools like EyeWitness take screenshots of every discovered web application, so a large number of systems can be triaged quickly by what their login pages and banners look like.

3. Adaptability and Persistence

  • Penetration testers must be adaptable and persistent, as they will encounter many unknown applications.

  • Digging through scan data and filtering out noise (closed or filtered ports, non-web services) can surface forgotten applications and the vulnerabilities they carry.
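As an added example of the triage step described above (not tooling from the course or the page), the script below parses Nmap XML output, keeps only open HTTP(S) services, emits one URL per line in the form EyeWitness accepts with -f, and attaches a hint about which application a port or banner commonly belongs to. The XML sample is constructed inline, and the port and banner hint tables are assumptions based on common defaults, not something the page states.

```python
"""Triage Nmap XML into an EyeWitness target list with application hints."""
import xml.etree.ElementTree as ET

# Assumed common defaults; always confirm by hand before acting on a hint.
PORT_HINTS = {
    8080: "Tomcat/Axis2 (check the admin console)",
    9043: "WebSphere admin console",
    9200: "Elasticsearch REST API",
    7001: "WebLogic admin console",
    443: "possible vCenter or other HTTPS app",
}
BANNER_HINTS = {
    "elasticsearch": "Elasticsearch",
    "weblogic": "WebLogic",
    "websphere": "WebSphere",
    "zabbix": "Zabbix",
    "nagios": "Nagios",
    "dotnetnuke": "DotNetNuke",
    "axis2": "Axis2",
    "vmware": "vCenter/ESXi",
}

# Constructed sample resembling `nmap -sV -oX` output; not a real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
  <host><status state="up"/><address addr="10.10.10.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http" product="Apache Tomcat"/></port>
      <port protocol="tcp" portid="9200"><state state="open"/><service name="http" product="Elasticsearch REST API"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="10.10.10.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="7001"><state state="open"/><service name="http" product="Oracle WebLogic Server"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" tunnel="ssl" product="VMware vCenter"/></port>
    </ports>
  </host>
</nmaprun>"""


def web_targets(xml_text):
    """Return open HTTP(S) services as {url, hints} dicts, dropping the noise."""
    targets = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are noise for web triage
            svc = port.find("service")
            if svc is None:
                continue
            name = svc.get("name", "")
            if not name.startswith("http"):
                continue  # covers http, https, http-alt, http-proxy
            portid = int(port.get("portid"))
            scheme = "https" if (svc.get("tunnel") == "ssl" or name == "https") else "http"
            hints = []
            if portid in PORT_HINTS:
                hints.append(PORT_HINTS[portid])
            banner = (svc.get("product", "") + " " + svc.get("extrainfo", "")).lower()
            hints.extend(app for key, app in BANNER_HINTS.items() if key in banner)
            targets.append({"url": f"{scheme}://{addr}:{portid}", "hints": hints})
    return targets


def eyewitness_input(targets):
    """One URL per line, the format EyeWitness reads from a file passed with -f."""
    return "\n".join(t["url"] for t in targets) + "\n"


if __name__ == "__main__":
    found = web_targets(SAMPLE_NMAP_XML)
    for t in found:
        print(t["url"], "->", ", ".join(t["hints"]) or "no hint")
    print(eyewitness_input(found), end="")
```

The hint tables are deliberately small; the point is that scan output should be reduced to a short, annotated target list before screenshots are taken, so that the interesting consoles (WebLogic on 7001, Elasticsearch on 9200, a vCenter behind 443) are not lost among SSH and SMB noise.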

4. Abuse of Built-in Functionality

  • Many applications ship with built-in features (file upload, package deployment, script execution) that can be abused for code execution without any memory-corruption exploit.

  • Default credentials remain one of the most common ways in.

5. Understanding Application Logic

  • Understanding how an application works is essential to discovering vulnerabilities.


Notable Applications and Vulnerabilities

1. Axis2

  • Like Tomcat, its administrative console is often left with weak or default credentials.

  • Remote Code Execution (RCE) can be achieved by uploading a webshell packaged as an AAR (Axis Archive) file through the admin console.

2. WebSphere

  • Has a long history of public exploits.

  • The default administrative credentials (system:manager) allow deploying a malicious WAR file, which gives RCE.

3. Elasticsearch

  • Known for past vulnerabilities in its REST API.

  • Older, forgotten installations that were never patched or decommissioned can still be vulnerable.

4. Zabbix

  • Vulnerable to SQL injection, authentication bypass, XSS, LDAP password disclosure, and RCE.

  • Its API can also be abused for RCE once valid credentials are obtained.

5. Nagios

  • Vulnerable to RCE, privilege escalation, SQL injection, code injection, and XSS.

  • Default credentials (nagiosadmin:PASSW0RD) are commonly left unchanged.

6. WebLogic

  • Java EE application server with numerous CVEs, including unauthenticated RCE exploits.

7. Wikis/Intranets (MediaWiki, SharePoint, etc.)

  • Subject to known exploits, and their document repositories frequently hold sensitive files.

  • Search functionality can turn up credentials stored in pages, attachments, or documents.

8. DotNetNuke (DNN)

  • Vulnerable to authentication bypass, directory traversal, XSS, file upload bypass, and arbitrary file download.

9. vCenter

  • Used to manage ESXi instances.

  • Vulnerable to weak credentials and to exploits such as the Apache Struts 2 RCE and OVA file upload vulnerabilities.

  • vCenter installed on Windows has been vulnerable to local privilege escalation.


Key Takeaways

  • Always check for default credentials; they are a significant vulnerability across many applications.

  • Built-in application functionality (deployment, upload, scripting) can often be abused for code execution.

  • Always check for known CVEs against the exact version discovered.

  • Understanding application logic is a key factor in finding vulnerabilities.

  • A thorough methodology and an adaptable mindset are essential for successful penetration testing.
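As an added example for the default-credential takeaway (not code from the page or the course), the function below tries a short list of well-known default username:password pairs against an HTTP Basic Auth endpoint and returns the first pair that is accepted. So that it runs offline, the block also starts an in-process mock "admin console" on a random loopback port that accepts only system:manager; the credential list and the mock are assumptions for the demonstration, not a claim about any specific product.

```python
"""Check an HTTP Basic Auth endpoint for default credentials."""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumed default pairs for the demo; extend from vendor docs on a real engagement.
DEFAULT_CREDS = [
    ("admin", "admin"),
    ("admin", "axis2"),           # Axis2
    ("system", "manager"),        # WebSphere
    ("nagiosadmin", "PASSW0RD"),  # Nagios
]


def try_default_creds(url, candidates=DEFAULT_CREDS, timeout=5):
    """Return the first (user, password) pair that yields HTTP 200, else None.

    401/403 responses are treated as a rejected guess; any other error
    (connection refused, 5xx) is raised so the caller notices.
    """
    for user, pw in candidates:
        token = base64.b64encode(f"{user}:{pw}".encode()).decode()
        req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                if resp.status == 200:
                    return (user, pw)
        except urllib.error.HTTPError as exc:
            if exc.code in (401, 403):
                continue
            raise
    return None


class _MockAdminConsole(BaseHTTPRequestHandler):
    """Constructed stand-in for an admin console protected by Basic Auth."""

    ACCEPTED = "Basic " + base64.b64encode(b"system:manager").decode()

    def do_GET(self):
        if self.headers.get("Authorization") == self.ACCEPTED:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"console")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="admin"')
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo output quiet


def demo():
    """Spin up the mock console on loopback, run the check, tear it down."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _MockAdminConsole)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        url = f"http://127.0.0.1:{server.server_address[1]}/console"
        return try_default_creds(url)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("accepted:", demo())
```

Before running this against a real target, confirm the account lockout policy; four guesses is usually safe, but a long list against a production console can lock out administrators, which is a finding of a different kind.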
