{"id":3121,"date":"2023-10-17T13:37:50","date_gmt":"2023-10-17T11:37:50","guid":{"rendered":"https:\/\/www.dsecbypass.com\/?p=3121"},"modified":"2024-09-13T15:37:32","modified_gmt":"2024-09-13T13:37:32","slug":"webdev-websites-pentest","status":"publish","type":"post","link":"https:\/\/www.dsecbypass.com\/en\/webdev-websites-pentest\/","title":{"rendered":"WebDev websites pentest"},"content":{"rendered":"

[et_pb_section fb_built=”1″ _builder_version=”4.17.3″ _module_preset=”default” custom_padding=”0px||||false|false” global_colors_info=”{}”][et_pb_row _builder_version=”4.22.2″ _module_preset=”default” custom_padding=”||||false|false” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_image src=”https:\/\/www.dsecbypass.com\/wp-content\/uploads\/2023\/10\/pentest-webdev-hfsql-blog.png” alt=”WebDev and HFSQL security audit” title_text=”WebDev and HFSQL pentest” align=”center” _builder_version=”4.22.2″ _module_preset=”default” background_color=”RGBA(255,255,255,0)” width=”50%” module_alignment=”center” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.23.2″ _module_preset=”default” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]<\/p>\n

This article aims to share the results of our experience of penetration tests carried out on websites built with WebDev and the HFSQL database. It is written for pentesters and security researchers who wish to study the security of these technologies, but also for curious developers.<\/p>\n

It is important to emphasize that WebDev allows you to create secure web applications, but like all frameworks, it gives developers enough flexibility to introduce vulnerabilities.<\/p>\n

We will see in particular the possibilities offered by HFSQL in the event of SQL injections, how to authenticate on an accessible HFSQL service, as well as the replication of a local WebDev environment to study its security.<\/p>\n

Note:<\/span><\/strong> the illustration image was made with an AI, it is a comical reference to PC SOFT visuals which generally contain<\/a> people who are not in cold countries.<\/p>\n

[\/et_pb_text][et_pb_text module_id=”tamper” _builder_version=”4.23.2″ _module_preset=”default” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]<\/p>\n

WinDev, WebDev, HFSQL, WLangage<\/h2>\n

Before getting to the heart of the matter, a few definitions are in order.<\/p>\n

First, WebDev != WebDav, isn’t it Nolan \ud83d\ude42<\/p>\n

WinDev<\/strong>: WinDev is a software engineering workshop (AGL) published by the company PC SOFT<\/a>, the first version was created in 1993. This software allows you to design and develop applications in all areas. WinDev uses its own programming language, WLanguage<\/strong>, a simple, powerful language that is very quick to learn.<\/p>\n

WebDev<\/strong>: WebDev is a web application development environment. It includes a code editor, visual design interface, pre-built components, and a built-in database. In addition, it offers easy deployment features to make web applications quickly accessible online. WebDev is popular, especially in France, with developers looking to create complex and powerful web applications, while benefiting from an intuitive user interface and rapid development features.<\/p>\n

HFSQL<\/strong>: HFSQL (HyperFileSQL) is positioned as a relational database management system, offering advanced features for storing, organizing and retrieving data in a structured manner. In addition, HFSQL offers the possibility of using WLanguage<\/strong>, which offers advanced, easy-to-use and powerful functions, which reinforces its versatility and development capabilities. These two components, although distinct, can collaborate synergistically in the development of robust and secure applications.<\/p>\n

[\/et_pb_text][et_pb_text module_id=”postprocess” _builder_version=”4.22.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

Pentest of a WebDev application<\/h2>\n

Penetration tests on a WebDev and HFSQL web application are no different from those carried out on more widespread technologies: the vulnerabilities of the OWASP TOP10 can be encountered and the methodology remains that of a classic web pentest.<\/p>\n

The application is most generally deployed on a Windows environment with an IIS web server, so adapt your wordlists in case of path traversal!<\/p>\n

This article deals with two specificities which are not covered by the current tools available to pentesters: the exploitation of an HFSQL injection<\/strong> and authentication on the HFSQL service<\/strong> (most often on the tcp\/4900 port).<\/p>\n

\n

[\/et_pb_text][et_pb_text module_id=”postprocess” _builder_version=”4.23.2″ _module_preset=”default” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]<\/p>\n

Authenticate on HFSQL<\/h2>\n

It is common for the HFSQL DBMS port to be open on the Internet: WinDev thick clients may require access to this data or the database is hosted in an infrastructure different from the WebDev application. In any case, it is a dangerous practice: it is recommended to never leave the database service open on the Internet and to restrict its access (by whitelisting IP addresses, by VPN, or others).<\/p>\n

There are no easy-to-use tools to test the validity of an account on an open HFSQL service. Indeed, this requires the use of a specific ODBC driver, which is difficult to integrate into tools like Metasploit or Hydra (from a technological but also legal point of view).<\/p>\n

The solution proposed here is the use of a Windows system, with the installation of the ODBC driver and the creation of a simple PowerShell script using the latter.<\/p>\n

The first step is to download and install the ODBC driver: https:\/\/pcsoft.fr\/st\/telec\/modules-communs-28\/wx28_94s.htm<\/a>.<\/p>\n

\"\"<\/p>\n

Download the executable for Windows and install it.<\/p>\n

You can verify its correct installation with the following PowerShell command:<\/p>\n

Get-OdbcDriver | Where-Object Name -like \"HFSQL\"<\/pre>\n
\"\"<\/p>\n
You can then simply interact with the driver using PowerShell. The following script allows you to test the connection to a remote HFSQL database using the default administrator account<\/a> which is admin<\/strong> without password<\/strong>.<\/p>\n
DSecBypass pentesters have made your work easier by using a built-in database, accessible by the HFSQL admin user, which allows you to execute SQL queries without necessarily knowing the name of the application databases.<\/p>\n
\n