# X-Lab 五崧捷運

* Shared notes link: https://pse.is/4c4z6r
* OWASP Web Security Testing Guide v4.2: https://github.com/OWASP/wstg/releases/download/v4.2/wstg-v4.2.pdf
* OWASP Top 10: https://owasp.org/www-project-top-ten/
* OWASP Top 10 (Traditional Chinese): https://owasp.org/Top10/zh_TW/
* OWASP ZAP

## SQL Injection

![](https://hackmd.io/_uploads/ryCnnIA39.png)
![](https://hackmd.io/_uploads/HkBbAUAnq.png)
![](https://hackmd.io/_uploads/BynDlDRn5.png)
![](https://hackmd.io/_uploads/ryV0rPA25.png)
![](https://hackmd.io/_uploads/rJGy8vCh5.png)
![](https://hackmd.io/_uploads/SkdyLDCnc.png)
![](https://hackmd.io/_uploads/BJ6J8PR2c.png)

Login-bypass payload entered in the password field; the `--` turns the rest of the application's original query (the trailing `';`, struck through below) into a comment:

select password from challenge_users where userid = 'Larry' and password = '' or 1=1 -- ~~';~~

Because `and` binds tighter than `or`, the WHERE clause evaluates as `(userid = 'Larry' and password = '') or 1=1`, which is true for every row, so the query returns every password in the table instead of checking Larry's. Note that MySQL (which DVWA uses) only treats `--` as a comment when it is followed by whitespace, so the payload needs the trailing space; `#` works as well.

# DVWA practice machines

Default username/password: admin/password

* http://3.114.249.231:81 -> 五崧 明忠
* http://3.114.249.231:82 -> 五崧 詩虔
* http://3.114.249.231:83 -> Eric
* http://3.114.249.231:84 -> sheng-yueh
* http://3.114.249.231:85 -> 五崧 志光
* http://3.114.249.231:86 -> 五崧 詩虔

![](https://hackmd.io/_uploads/ryJ-9wCnq.png)

## XSS

Payload cheat sheet: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

## X-Lab exercise platform

http://211.20.24.108:8080/

Target enumeration notes (domain -> DNS -> subdomains -> lab host):

* www.abc.com.tw
* XXX.com -> DNS
* www.xxx.com -> service.XXX.com -> mail.XXX.com -> x-t3am.cc -> http://service.x-t3am.cc/ -> 3.114.249.231

Accounts:

* user01 / cpZM6Htz -> 五崧 明忠, http://3.114.249.231:8080
* user02 / GnrPx2Bn -> 五崧 詩虔, http://3.114.249.231:8081
* user03 / RZ2T22At -> 五崧 ERIC, http://3.114.249.231:8082
* user04 / wqkbAJWz -> 五崧 志光, http://3.114.249.231:8083
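The login bypass above, reproduced as an added example that is not part of the original note or of DVWA: a vulnerable lookup that builds the `challenge_users` query by string concatenation beside the parameterized version of the same query. The table contents, the `PAYLOAD` constant and the function names are constructed for this example; SQLite is used in place of MySQL because it runs in-process, and it accepts the `-- ` comment the same way.

```python
import sqlite3

# Constructed sample data: a table shaped like the challenge_users table
# referenced in the workshop query. Not DVWA's real schema.
SAMPLE_USERS = [("Larry", "s3cret"), ("Alice", "hunter2")]

# The payload typed into the password field. The trailing space matters on
# MySQL, where "--" is only a comment when followed by whitespace.
PAYLOAD = "' or 1=1 -- "


def make_db():
    """In-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE challenge_users (userid TEXT, password TEXT)")
    conn.executemany("INSERT INTO challenge_users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def render_vulnerable_query(userid, password):
    """Build the query the way the vulnerable application does: by pasting
    user input straight into SQL text. The result for Larry plus PAYLOAD is
    exactly the query shown in the note, with the original trailing ';
    commented out."""
    return (
        "select password from challenge_users "
        f"where userid = '{userid}' and password = '{password}';"
    )


def vulnerable_lookup(conn, userid, password):
    """Run the concatenated query. Attacker text becomes SQL syntax, so
    "' or 1=1 -- " widens the WHERE clause to every row."""
    return [row[0] for row in conn.execute(render_vulnerable_query(userid, password))]


def safe_lookup(conn, userid, password):
    """Same query with bound parameters. The driver sends the payload as a
    literal string value, so "' or 1=1 -- " is compared against the stored
    password and simply fails to match."""
    query = "select password from challenge_users where userid = ? and password = ?;"
    return [row[0] for row in conn.execute(query, (userid, password))]


if __name__ == "__main__":
    db = make_db()
    print(render_vulnerable_query("Larry", PAYLOAD))
    print("vulnerable:", vulnerable_lookup(db, "Larry", PAYLOAD))  # every password
    print("parameterized:", safe_lookup(db, "Larry", PAYLOAD))     # no rows
```

Running the block prints the injected query text, then shows the concatenated version leaking both stored passwords while the parameterized version returns nothing for the same input; the fix is the bound parameters, not filtering the quote character.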