Web Dissection using LiLith 0.6a
by Michael Hendrickx

Foreword:
---------
"LiLith" is a tool I wrote to *improve* the security of web applications by pointing out application-based weaknesses, so please do not abuse it. I am aware that this program can be used by individuals with malicious intent to break security, but the purpose of developing this tool was to improve application security. Always remember to request and obtain authorization prior to auditing a web application. The author cannot be held responsible for any damage or losses caused by this program. It has been thoroughly tested with positive results on different platforms, in different environments. If somehow this tool should cause any inconvenience, though I am not responsible for it, I do apologize for it, and please let me know if I can change anything to prevent any such instances from occurring again.

Basics:
-------
LiLith is a program that verifies the security of a web application. As a security consultant, I often see web applications that contain security flaws. A web application is a complex entity and cannot be fully checked with "just any tool", therefore I recommend that you manually verify any results.

The way the entire "scanning" process works differs from so-called "CGI scanners", such as nikto[1] and n-stealth[2]. This program surfs to a website and crawls through all the links, just as a user would. On any possible input field, such as text boxes, page id's, ... LiLith will attempt to inject characters that might have a special meaning for an underlying technology, such as SQL.

Getting started:
----------------
LiLith runs as a Perl script, and doesn't need any additional privileges or programs, except for some Perl modules, which can be installed using CPAN[3] if they are not installed by default.
Upon execution without any parameters or arguments, LiLith spurts out the following usage message:
----
> ./lilith.pl
LiLith v0.6a : http forms scanner/injector by michael@code.ae (http://michael.code.ae/)

usage: ./lilith.pl [options]
with following options:
 -d : (or file) where to start [default: /]
 -a : agent to use (-a 0 for list) ["LiLith v0.6a"]
 -u : basic authentication credentials
 -p : proxy server (proxy:port)
 -U : proxy authentication credentials
 -T : wait seconds between requests [0s]
 -f : if defined, extensive logging is done to
 -r : attempt recursive crawling/probing (very time consuming!)
 -c : ignore cookies presented by
 -g : try more poison, even when error is found
 -s : do not attempt to guess server version
 -S : do not strip host and directory from output
 -I : don't try to get directory listings
 -i : don't inject any poison
 -A : print all return codes (lots of data)
 -v : verbosity
----
This screen presents a user with all possible options that can be used with LiLith. A more detailed description of each option can be found in the readme file, but the most commonly used ones are discussed in this text. Since options are for fine-tuning and thus not mandatory, a "quick and dirty" scan can be performed by just giving the target URL as an argument. Note that the address of the site you would like to scan needs to be the last argument on the command line; anything else fails. An example:

./lilith.pl -v www.target.com

is valid syntax, whereas:

./lilith.pl www.target.com -a

will be misinterpreted, and you'll end up scanning "http://-a". In the example here, a fake site was set up (being www.target.com), so remember that you should always request and obtain permission to audit a web application.
A quick and dirty scan, without any fine-tuning, is shown below:
----
> ./lilith.pl www.target.com
LiLith v0.6a : http forms scanner/injector by michael@code.ae (http://michael.code.ae/)

+ target: http://www.target.com
+ directory: /
+ started: Fri Jun 17 22:13:22 2005
+ server: Microsoft-IIS/5.0

[e] /login.asp gave HTTP:500 with "'" in username
+--[!] SQL injection: /login.asp (username = "'")
[e] /pages/ can be browsed

LiLith v0.6a completed. 2 hyperlinks were followed, 1 error found.
----
Hereby a user knows that the /login.asp page on this server is vulnerable to SQL injection, yet it never hurts to manually check these results. This vulnerability happens because of insufficient user input checking: the application passes any user input on to a lower layer, in this case an SQL database server. Furthermore, the directory "pages" can be browsed, which can lead to information disclosure.

This was a quick scan of the target web application. It doesn't tell us anything about the structure of the website. To have a more "analytical" view of the target site, we can issue the verbosity function, through "-v". Verbosity will give us the structure of the website, telling us about any form and input tags on the target page. This can be seen in the following output:
----
> ./lilith.pl -v www.target.com
LiLith v0.6a : http forms scanner/injector by michael@code.ae (http://michael.code.ae/)

+ target: http://www.target.com
+ directory: /
+ started: Fri Jun 17 22:19:13 2005
+ server: Microsoft-IIS/5.0

[i] /
+-[i] found 1 form:
+--[i] 0 : POST - /login.asp
+-[i] found 3 inputs:
+--[i] text : username ("")
+--[i] password : password ("")
+--[i] submit : ("login")
+--[!] SQL injection: /login.asp (username = "'")
[i] /pages/about.asp
+-[i] found 0 forms.
[i] Looking for indexable (browsable) directories:
+-> checking 2 directories.
+--[d] 200: http://www.target.com/
+--[d] 200: http://www.target.com/pages/
[e] /pages/ can be browsed

LiLith v0.6a completed. 2 hyperlinks were followed, 1 error found.
----
With this output, we can see what LiLith actually "looks" at in order to perform any SQL injection and the like. Upon verifying the results we can indeed see that the "login.asp" page contains the following code, edited for clarity and brevity's sake:
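To see why a lone single quote in the username field produces the HTTP 500 that LiLith reports, here is an added Python example (not code from the original text or from LiLith) that runs a login lookup both the unsafe way and with a parameterized query against an in-memory SQLite database; the user table and the 200/401/500 mapping are constructed for the demonstration.

```python
import sqlite3

# Constructed user table for the demonstration; no real credentials.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory SQLite database standing in for the application's backend."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return con


def login_unsafe(con, username, password):
    """String concatenation: the field content becomes part of the SQL text.
    A lone quote leaves the statement unbalanced and the database raises an
    error, which a login page surfaces as HTTP 500 (the signal LiLith flags)."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return con.execute(sql).fetchone()


def login_safe(con, username, password):
    """Parameterized query: the field content is bound as data and never
    parsed as SQL, so a quote is just a character that matches no user."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()


def probe(login, username, password):
    """Map the outcome to an HTTP status the way a login page might:
    200 on success, 401 on a failed login, 500 on a database error."""
    con = make_db()
    try:
        return 200 if login(con, username, password) else 401
    except sqlite3.Error:
        return 500
    finally:
        con.close()


if __name__ == "__main__":
    for name, fn in (("unsafe", login_unsafe), ("safe", login_safe)):
        print(name, "alice/s3cret ->", probe(fn, "alice", "s3cret"))
        print(name, "'/x          ->", probe(fn, "'", "x"))
```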
By further analysing the HTML code, LiLith sees that a hyperlink points to the following file: "pages/about.asp", which can be seen in the HTML code as well:

about us

By storing this information, filenames are cut off and two directories are gathered:
- /
- /pages/

Upon the successful retrieval of information that looks like an index of the targeted directory, LiLith will report this as a misconfiguration, since an attacker can possibly find hidden files or directories in the gathered directories.

To not be left in the dark, and to have an idea of which requests LiLith is performing, the -A option can be enabled, which will print all requests and their return codes as they are processed.
----
> ./lilith.pl -A www.target.com
LiLith v0.6a : http forms scanner/injector by michael@code.ae (http://michael.code.ae/)

+ target: http://www.target.com
+ directory: /
+ started: Fri Jun 17 22:32:45 2005
[r] GET /
[r] HEAD /
[r] GET //banner1201.jpg
+ server: Microsoft-IIS/5.0

[r] GET /
[r] POST /login.asp
[e] /login.asp gave HTTP:500 with "'" in username
[R] /login.asp gave HTTP:500 with "'" in username
+--[!] SQL injection: /login.asp (username = "'")
[r] GET /pages/about.asp
[r] GET /
[r] GET /pages/
[e] /pages/ can be browsed

LiLith v0.6a completed. 2 hyperlinks were followed, 1 error found.
----
The three requests in the beginning are there to determine the server version:

[r] GET /
[r] HEAD /
[r] GET //banner1201.jpg

Given a GET request, a HEAD request and a GET request for a probably nonexistent file, a server will often reveal which software is being used, though this can be masqueraded. LiLith however is server independent and does not care much about which server software is being used, since application errors can be found on any platform. This server querying can be turned off using the -s option.

Full address reporting:
-----------------------
To ease any manual verification and to be able to copy and paste any URL straight into a browser, LiLith can be set to report the full address, using the -S switch.
----
> ./lilith.pl -S www.target.com
LiLith v0.6a : http forms scanner/injector by michael@code.ae (http://michael.code.ae/)

+ target: http://www.target.com
+ directory: /
+ started: Fri Jun 17 22:52:05 2005
+ server: Microsoft-IIS/5.0

[e] http://www.target.com/login.asp gave HTTP:500 with "'" in username
+--[!] SQL injection: http://www.target.com/login.asp (username = "'")
[e] http://www.target.com/pages/ can be browsed

LiLith v0.6a completed. 2 hyperlinks were followed, 1 error found.
----

Port / Dir parsing:
-------------------
If an application is stored in a certain directory, and optionally accessible over another port, LiLith can be set to start at a certain directory. It has been developed in such a way that it won't follow any external links, else you'd be spidering the entire internet. If a port and/or directory is mentioned in the target, LiLith parses it automatically and sets its correct starting point. An alternative way of doing this is by specifying the directory using the -d option.
----
> ./lilith.pl -v 10.6.30.3:8080/corpbank
LiLith v0.6a : http forms scanner/injector by michael@code.ae (http://michael.code.ae/)

+ target: http://10.6.30.3:8080
+ directory: /corpbank
+ started: Fri Jun 17 22:59:25 2005
+ server: Apache Coyote/1.0

[i] /
+-[i] found 0 forms.
[i] /login.jsp
+-[i] found 1 form:
+--[i] 0 : POST - /AuthServlet
+-[i] found 5 inputs:
+--[i] text : username ("")
+--[i] password : password ("")
+--[i] checkbox : rememberMe ("")
+--[i] hidden : picode ("")
+--[i] submit : submit ("Log in")
+--[!] SQL injection: /AuthServlet (username = "'")
...
----
When copying & pasting, please make sure you enter the starting directory as well, since the given pages or paths -without the -S option- are relative to the starting path.

Agent masquerading:
-------------------
By default, LiLith sends its own banner as a user agent; this makes the analysis of a heavily utilised web application easier.
If however, for any reason, this data should be masqueraded to appear to come from an ordinary web user, then the -a option can be used to change the agent used. Normally, if the -a option is not used, LiLith appears in log files as something similar to the following line:

2005-06-17 10.44.0.12 - 10.44.20.83 80 GET /pages/ - 200 LiLith+v0.6a

which makes analysis easier using tools like "grep". LiLith however has a small predefined "list" of user agents, which can be requested using the following command:
----
> ./lilith.pl -a 0
LiLith v0.6a : http forms scanner/injector by michael@code.ae (http://michael.code.ae/)

Available agents:
+ 1: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031027
+ 2: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
+ 3: Lynx/2.8.4rel.1 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.7d
+ 4: curl/7.12.1 (i686-pc-linux-gnu) libcurl 7.12.0 (OpenSSL 0.9.7d)
+ default: LiLith v0.6a
----
If the following command is executed:

> ./lilith.pl -a 2 www.target.com

then the logfile of the target server shows the following output:

2005-06-17 10.44.0.12 - 10.44.20.83 80 GET /pages/ - Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)

Further:
--------
LiLith can be customized in different ways, but as mentioned before, it is recommended to manually verify any results. Web applications can be complex, and bugs might exist that automated tools such as LiLith cannot find. If you have any questions, comments or suggestions, please forward them to me. I can be reached at michael@code.ae.

References:
-----------
[1] nikto - can be found at www.cirt.net
[2] n-stealth - can be found at www.n-stalker.com
[3] CPAN - www.perl.org
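The log lines above show how the default banner makes a LiLith run easy to pick out with grep, and the -a option shows how easily that banner is swapped. As an added example that is not part of the original text or of LiLith, this Python script reads log lines in the same W3C field order and flags a client either by the banner or by the request pattern documented in the -A output (a HEAD of the root, a GET for a nonexistent doubled-slash file, a form POST answered with 500); the sample lines, client addresses and the second and third clients are constructed.

```python
from collections import defaultdict

# Constructed IIS W3C-style lines in the field order of the log line in the text
# (date c-ip cs-username s-ip s-port method uri-stem uri-query status agent).
SAMPLE_LOG = """\
2005-06-17 10.44.0.12 - 10.44.20.83 80 GET /pages/ - 200 LiLith+v0.6a
2005-06-17 10.44.0.50 - 10.44.20.83 80 GET / - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2005-06-17 10.44.0.50 - 10.44.20.83 80 HEAD / - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2005-06-17 10.44.0.50 - 10.44.20.83 80 GET //banner1201.jpg - 404 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2005-06-17 10.44.0.50 - 10.44.20.83 80 POST /login.asp - 500 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2005-06-17 10.44.0.50 - 10.44.20.83 80 GET /pages/ - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2005-06-17 10.44.0.77 - 10.44.20.83 80 GET / - 200 Mozilla/5.0+(X11;+U;+Linux+i686;+en-US;+rv:1.5)+Gecko/20031027
2005-06-17 10.44.0.77 - 10.44.20.83 80 GET /pages/about.asp - 200 Mozilla/5.0+(X11;+U;+Linux+i686;+en-US;+rv:1.5)+Gecko/20031027
"""

def parse(line):
    """Split one log line into the fields used below; None if too short."""
    f = line.split()
    if len(f) < 10:
        return None
    return {"ip": f[1], "method": f[5], "uri": f[6], "status": f[8], "ua": f[9]}

def find_scanners(log_text):
    """Return {client_ip: sorted reasons} for clients showing either the
    default LiLith banner or the request pattern seen in the -A output,
    so that swapping the user agent with -a alone does not hide a scan."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse, log_text.splitlines())):
        per_ip[rec["ip"]].append(rec)
    hits = {}
    for ip, recs in per_ip.items():
        reasons = set()
        if any("lilith" in r["ua"].lower() for r in recs):
            reasons.add("scanner banner in user agent")
        # Version probing: HEAD of the root plus a 404 for a made-up file
        # behind a doubled slash, as at the start of the -A output above.
        if (any(r["method"] == "HEAD" and r["uri"] == "/" for r in recs) and
                any(r["uri"].startswith("//") and r["status"] == "404" for r in recs)):
            reasons.add("server version fingerprinting sequence")
        # A form POST answered with HTTP 500 is the very signal LiLith keys on.
        if any(r["method"] == "POST" and r["status"] == "500" for r in recs):
            reasons.add("form POST returned HTTP 500")
        if reasons:
            hits[ip] = sorted(reasons)
    return hits

if __name__ == "__main__":
    for ip, why in find_scanners(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(why))
```

The normal browsing client (10.44.0.77) is not reported, while the client that kept the default banner and the one that masqueraded as MSIE are both flagged, the latter purely by behaviour.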