Portswigger Academy on s4yhii's blog

Os Command Injection Labs

Fri, 10 Jun 2022 12:00:00 -0400

OS command injection allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically fully compromise the application and all its data.

OS command injection, simple case

This lab contains an OS command injection vulnerability in the product stock checker.

The application executes a shell command containing user-supplied product and store IDs, and returns the raw output from the command in its response.

Directory Traversal Labs

Tue, 10 May 2022 12:00:00 -0400

Also known as file path traversal allows to read arbitrary files on the servers. in some cases an attacker might be able to write arbitrary files on the server, allowing them to modify application data or behavior.

Reading arbitrary files via directory traversal

We can use the .. characters to access the parent directory, the following strings are several encoding that can help you bypass a poorly implemented filter.

For example the url takes a filename parameter and returns the content of the file, the aplicaciones appends the requested filename to this base directort and uses an API to read the contents, so the application implements no defenses against directory traversal attacks,so an attacker can request the following URL to retrieve an arbitrary file from the server’s filesystem:

Broken Authentication

Tue, 15 Mar 2022 12:00:00 -0400

Authentication is the process of verifying the identity of a given user or client. In other words, it involves making sure that they really are who they claim to be, there are three authentication factors:

Something you know, such as password or security question, known as “knowledge factors”
Something you have, a physical object like a mobile phone or security token, known as “possession factors”
Something you are, for example biometrics or patterns of behavior, known as “inherence factors”

What is the difference between authentication and authorization? Authentication is the process of verifying that a user is who they claim to be, whereas authorization involves verifying whether a user is allowed to do something

Broken Authentication Labs

Tue, 15 Mar 2022 12:00:00 -0400

Username enumeration via different responses

With Burp running, investigate the login page and submit an invalid username and password.
In Burp, go to Proxy > HTTP history and find the POST /login request. Send this to Burp Intruder.
In Burp Intruder, go to the Positions tab. Make sure that the Sniper attack type is selected.
Click Clear § to remove any automatically assigned payload positions. Highlight the value of the username parameter and click Add § to set it as a payload position. This position will be indicated by two § symbols, for example: username=§invalid-username§. Leave the password as any static value for now.
On the Payloads tab, make sure that the Simple list payload type is selected.
Under Payload options, paste the list of candidate usernames. Finally, click Start attack. The attack will start in a new window.
When the attack is finished, on the Results tab, examine the Length column. You can click on the column header to sort the results. Notice that one of the entries is longer than the others. Compare the response to this payload with the other responses. Notice that other responses contain the message Invalid username, but this response says Incorrect password. Make a note of the username in the Payload column.
Close the attack and go back to the Positions tab. Click Clear, then change the username parameter to the username you just identified. Add a payload position to the password parameter. The result should look something like this: username=identified-user&password=§invalid-password§
On the Payloads tab, clear the list of usernames and replace it with the list of candidate passwords. Click Start attack.
When the attack is finished, look at the Status column. Notice that each request received a response with a 200 status code except for one, which got a 302 response. This suggests that the login attempt was successful - make a note of the password in the Payload column.
Log in using the username and password that you identified and access the user account page to solve the lab.

Username enumeration via subtly different responses

With Burp running, submit an invalid username and password. Send the POST /login request to Burp Intruder and add a payload position to the username parameter.
On the Payloads tab, make sure that the Simple list payload type is selected and add the list of candidate usernames.
On the Options tab, under Grep - Extract, click Add. In the dialog that appears, scroll down through the response until you find the error message Invalid username or password.. Use the mouse to highlight the text content of the message. The other settings will be automatically adjusted. Click OK and then start the attack.
When the attack is finished, notice that there is an additional column containing the error message you extracted. Sort the results using this column to notice that one of them is subtly different.
Look closer at this response and notice that it contains a typo in the error message instead of a full stop/period, there is a trailing space. Make a note of this username.
Close the attack and go back to the Positions tab. Insert the username you just identified and add a payload position to the password parameter: username=identified-user&password=§invalid-password§
On the Payloads tab, clear the list of usernames and replace it with the list of passwords. Start the attack.
When the attack is finished, notice that one of the requests received a 302 response. Make a note of this password.
Log in using the username and password that you identified and access the user account page to solve the lab.

Username enumeration via response timing

With Burp running, submit an invalid username and password, then send the POST /login request to Burp Repeater. Experiment with different usernames and passwords. Notice that your IP will be blocked if you make too many invalid login attempts.
Identify that the X-Forwarded-For header is supported, which allows you to spoof your IP address and bypass the IP-based brute-force protection.
Continue experimenting with usernames and passwords. Pay particular attention to the response times. Notice that when the username is invalid, the response time is roughly the same. However, when you enter a valid username (your own), the response time is increased depending on the length of the password you entered.
Send this request to Burp Intruder and select the attack type to Pitchfork. Clear the default payload positions and add the X-Forwarded-For header.
Add payload positions for the X-Forwarded-For header and the username parameter. Set the password to a very long string of characters (about 100 characters should do it).
On the Payloads tab, select payload set 1. Select the Numbers payload type. Enter the range 1 - 100 and set the step to 1. Set the max fraction digits to 0. This will be used to spoof your IP.
Select payload set 2 and add the list of usernames. Start the attack.
When the attack finishes, at the top of the dialog, click Columns and select the Response received and Response completed options. These two columns are now displayed in the results table.
Notice that one of the response times was significantly longer than the others. Repeat this request a few times to make sure it consistently takes longer, then make a note of this username.
Create a new Burp Intruder attack for the same request. Add the X-Forwarded-For header again and add a payload position to it. Insert the username that you just identified and add a payload position to the password parameter.
On the Payloads tab, add the list of numbers in payload set 1 and add the list of passwords to payload set 2. Start the attack.
When the attack is finished, find the response with a 302 status. Make a note of this password.
Log in using the username and password that you identified and access the user account page to solve the lab.

Broken brute-force protection, IP block

With Burp running, investigate the login page. Observe that your IP is temporarily blocked if you submit 3 incorrect logins in a row. However, notice that you can reset the counter for the number of failed login attempts by logging in to your own account before this limit is reached.
Enter an invalid username and password, then send the POST /login request to Burp Intruder. Create a pitchfork attack with payload positions in both the username and password parameters.
On the Resource pool tab, add the attack to a resource pool with Maximum concurrent requests set to 1. By only sending one request at a time, you can ensure that your login attempts are sent to the server in the correct order.
On the Payloads tab, select payload set 1. Add a list of payloads that alternates between your username and carlos. Make sure that your username is first and that carlos is repeated at least 100 times.
Edit the list of candidate passwords and add your own password before each one. Make sure that your password is aligned with your username in the other list.
Add this list to payload set 2 and start the attack.
When the attack finishes, filter the results to hide responses with a 200 status code. Sort the remaining results by username. There should only be a single 302 response for requests with the username carlos. Make a note of the password from the Payload 2 column.
Log in to Carlos’s account using the password that you identified and access his account page to solve the lab.

Username enumeration via account lock

With Burp running, investigate the login page and submit an invalid username and password. Send the POST /login request to Burp Intruder.

Cross-site scripting (XSS)

Mon, 14 Feb 2022 12:00:00 -0400

Cross-site scripting known as XSS is a web vulnerability in which malicious scripts are injected int benign and trusted websites. XSS occur when an attacker send malicious code in any user input fields in a browser to a different end-user.

Mechanisms

In an XSS attack the attacker inject script in HTML code so you’ll have to know javascript and HTML syntax, wbe uses scripts to control client-side application logic and make the website interactive, for example this script generates Hello! pop-up on the web page:

SQL Injection

Tue, 25 Jan 2022 12:00:00 -0400

A SQL injection is an attack in which the attacker executes arbitrary SQL commands on an application’s database by supplying malicious input inserted into a SQL statement. This happens when the input used in SQL queries is incorrectly filtered or escaped and can lead to authentication bypass, sensitive data leaks, tampering of the database and RCE in some cases.

In-Band (classic) SQL Injection

Occurs when the attacker uses the same communication channel to both launch the attack and gather the result of the attack
- Retrieved data is presented directly in the web page
Easier to exploit than other categories of SQLi

Error-Based SQLi

Error bases SQLi is an in-band SQLi technique that forces the database to generate an error, giving the attacker information upon which to refine their injection

www.random.com/app.php?id='
#output
#You have an error in your SQL syntax, check the manual that corresponds to your MySQL server version...

Union-Based SQLi

Is an in-band SQLi technique that leverages the UNION SQL operator to combine the results of two queries into a single result set
Input:

# retrieving data from another table
http://www.random.com/app.php?id=’ UNION SELECT username, password FROM users; --

# update all passwords from a table with POST method
http://www.random.com/app.php?new_password="password12345';--"
query = UPDATE Users SET Password='password12345';-- WHERE Id = 2;

--- The WHERE clause, which specifies the criteria of the rows that should be updated, is commented out in this query. The database would update all rows in the table, and change all of the passwords in the Users table to password12345. The attacker can now log in as anyone by using that password

SQLi vuln where there is no actual transfer of data via the webapp
Just as dangerous as in-band SQLi
- Attacker be able to reconstruct the information by sending particular requests and observing the resulting behavior of the DB Server
Takes longer to exploit than in-ban sql injection

Boolean-based SQLi

Uses boolean conditions to return a different result depending on whether the query returns a TRUE or FALSE result.

www.random.com/app.php?id=1
select title from product where id=1
#Payload 1 (false)
www.random.com/app.php?id=1 and 1=2
select title from product where id=1 and 1=2
#Payload 2 (true)
www.random.com/app.php?id=1 and 1=1
select title from product where id=1 and 1=1

User table:
Administrator / e3c3889ded99ej29dj9edjdje992
SUBSTRING(a,b,c): function that select a part of a string a: the string, b:the first posicion, c=how many chars
#Payload1
www.random.com/app.php?id=1 and SUBSTRING((SELECT Password FROM Users WHERE Username ='Administrator'), 1, 1)='s'
#Query
select title from product where id=1 and SUBSTRING((SELECT Password FROM Users Where Username='Administrator'),1,1)='s'
#result: nothing is returned because is false

#Payload 2
www.random.com/app.php?id=1 and SUBSTRING((SELECT Password FROM Users Where Username='Administrator'),1,1)='e'
#Query
select title from product where id=1 and SUBSTRING((SELECT Password FROM Users WHERE Username='Administrator'),1,1)='e'
#result: Returned true, the tile of product id 1 is returned bc "e" is the first character of the hashed pass

Relies in the database pausing for a specified amount of time, then returning the result, indicating a success SQL query execution
Ex: if the first character of the administrator’s hashed pass is an “a”, wait 10 seconds.

Out-of-band (OAST) SQLi

Consists of triggering an out-of-band network connection to a system that you control
- Not common, uses variety os protocols (DNS,HTTP)

'; exec master..xp_dirtree '//434934839493499.burpcollabolator.net/a'--

Second order SQLi

Second order SQLi happens when applications user input gets stored in the database, then retrieved and used unsafely in a SQL query. For example consider an app that register an user by specifying username and password, and the user submit the following request:

SQL Injection - Labs

Tue, 25 Jan 2022 12:00:00 -0400

Lab 1 - SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

We need to retrieve hidden data so we search query’s in the web where we can inject some sql injection payloads

We can see that the request is filtering the data by category, and we are asked to show the hidden elements, so we assume that there is a parameter that hides the elements.

We try the following payload that will show the elements of all categories and we will comment out the rest of the query so that it does not filter by hidden or visible elements:

Portswigger Academy on s4yhii's blog

Os Command Injection Labs

OS command injection, simple case

Directory Traversal Labs

Reading arbitrary files via directory traversal

Broken Authentication

Broken Authentication Labs

Username enumeration via different responses

Username enumeration via subtly different responses

Username enumeration via response timing

Broken brute-force protection, IP block

Username enumeration via account lock

Cross-site scripting (XSS)

Mechanisms

SQL Injection

In-Band (classic) SQL Injection

Error-Based SQLi

Union-Based SQLi

Inferential (Blind) SQL Injection

Boolean-based SQLi

Time-based Blind SQLi

Out-of-band (OAST) SQLi

Second order SQLi

SQL Injection - Labs

Lab 1 - SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

Portswigger Academy on s4yhii's blog

Os Command Injection Labs

OS command injection, simple case

Directory Traversal Labs

Reading arbitrary files via directory traversal

Broken Authentication

Broken Authentication Labs

Vulnerabilities in password-based login

Username enumeration via different responses

Username enumeration via subtly different responses

Username enumeration via response timing

Broken brute-force protection, IP block

Username enumeration via account lock

Cross-site scripting (XSS)

Mechanisms

SQL Injection

In-Band (classic) SQL Injection

Error-Based SQLi

Union-Based SQLi

Inferential (Blind) SQL Injection

Boolean-based SQLi

Time-based Blind SQLi

Out-of-band (OAST) SQLi

Second order SQLi

SQL Injection - Labs

Lab 1 - SQL injection vulnerability in WHERE clause allowing retrieval of hidden data