20155222 Lu Zijie Experiment Nine Web security basics

Source: Internet
Author: User
Tags xpath

Lab Nine: Web security fundamentals

Not much preamble today: open WebGoat and get straight to the lessons.

  • 1. String SQL injection

    The lesson page says:
    "The following table allows users to view their credit card numbers. Try inserting an SQL string to display all credit card numbers."
    It also shows the SQL statement that the back end runs:
    SELECT * FROM user_data WHERE last_name = 'Your Name'
    Since the aim is to show every credit-card record, we want the condition after WHERE to be always true. Entering ' or '1'='1 as the name turns the statement into SELECT * FROM user_data WHERE last_name = '' or '1'='1' . Because '1'='1' is always true, last_name = '' or '1'='1' is always true as well, so the statement is equivalent to SELECT * FROM user_data and returns every record in the table.

  • 2. Command-line injection
    This lesson simulates a web page that displays the contents of one of a limited set of text files, chosen by the user.

    When I first saw this lesson I was baffled: there is not even an input box, so what was I supposed to inject into? I had to read the answer, and then the problem made sense. The text files live on the server's file system. When you pick one and click View, the front end sends a command to the back end, for example /bin/sh, -c, cat "/root/luzijie20155222/.extract/webapps/WebGoat/plugin_extracted/plugin/CommandInjection/resources/SQLInjection.html" , to fetch the contents of that file. In other words, the command carried by the request is executed on the server's operating system, so we can intercept the packet and change the command to do what we want.
    To let Burp Suite intercept the packets, first set up a proxy in the Firefox browser



    The port is 8081 because 8080 is already used by WebGoat. Then open Burp Suite.
    First, set the

    Tick this box; if it cannot be enabled, the port is probably occupied, so click Edit next to it and try another port. Then click this button to start Intercept.

    Choose a text file, for example the first one, and click View. This time the page will not react, because the HTTP packet was intercepted by Burp Suite.

    This is the request packet sent by the browser, as captured. We click Action and then Send to Repeater.

    Then select the Repeater tab.

    Repeater, as the name implies, lets us resend the packet, and we can also modify it first.

    For example, here we see the parameter being passed, AccessControlMatrix.help; following the answer, we append " & netstat -an & ipconfig after it.

    Click Go in the top left to send it.

    It failed. From the response on the right we can see that the statement executed was /bin/sh, -c, cat "/root/luzijie20155222/.extract/webapps/WebGoat/plugin_extracted/plugin/CommandInjection/resources/AccessControlMatrix.html" & netstat -an & ipconfig" and that the return code is 2 (the shell's status for a syntax error), whereas a correctly executed command returns 0. So I had to analyse the command. /bin/sh -c <command> runs the command through the shell; cat <file> prints the contents of the file; netstat -an lists all connections and listening ports with numeric addresses; ipconfig displays network configuration, but ipconfig is a Windows command and on Linux it should be ifconfig. Finally, the last " has no matching quote, so let's try adding one at the end and send it once more.

    Somewhat embarrassingly, it finally succeeded: the return code is 0. Right-click and choose Show response in browser,

    and you can see that the information we wanted is returned. (The server here is your own system, so don't casually try rm /* or similar commands.)
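The same mistake and its fix in a few lines of Python, as an added example that is not part of the lab or of WebGoat's code: the vulnerable function builds a shell command line from the chosen file name exactly as the lesson's server does, while the safe one allow-lists the name and reads the file directly, so no shell ever parses user input. The directory, file names and file contents are constructed for the example; the payload mirrors the lesson's working one, with ; in place of & so the output order is fixed.

```python
import os
import subprocess
import tempfile

# Constructed stand-in for the directory of help files the lesson serves
# (directory, file names and contents are assumptions made for this example).
DOCROOT = tempfile.mkdtemp()
HELP_FILES = {
    "AccessControlMatrix.help": "Access Control Matrix help text\n",
    "SQLInjection.help": "SQL Injection help text\n",
}
for _name, _body in HELP_FILES.items():
    with open(os.path.join(DOCROOT, _name), "w") as _fh:
        _fh.write(_body)


def view_help_vulnerable(filename):
    """The lesson's pattern: the chosen name is pasted into a shell command line and
    handed to /bin/sh -c, so shell metacharacters in it are interpreted.
    Returns (exit status, combined output)."""
    cmd = 'cat "' + os.path.join(DOCROOT, filename) + '"'
    proc = subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def view_help_safe(filename):
    """Fix: accept only names from a fixed allow-list and read the file directly;
    no shell is involved, so there is nothing to inject into."""
    if filename not in HELP_FILES:
        raise ValueError("unknown help file: %r" % filename)
    with open(os.path.join(DOCROOT, filename)) as fh:
        return fh.read()


if __name__ == "__main__":
    # Same shape as the lesson's working payload: close the server's quote, chain
    # extra commands, then open a quote to pair with the server's closing one.
    # ';' is used instead of the lesson's '&' so the output order is deterministic.
    print(view_help_vulnerable('AccessControlMatrix.help" ; echo INJECTED ; echo "'))
    # Without the final quote the command line has an unterminated string; the shell
    # refuses to run any of it and exits with a syntax-error status, as in the lesson.
    print(view_help_vulnerable('AccessControlMatrix.help" ; echo INJECTED'))
    print(view_help_safe("AccessControlMatrix.help"))
```

The allow-list is the important part of the fix: dropping the shell alone still lets a caller read any path under DOCROOT, and a name such as ../../etc/passwd would then be a path-traversal bug instead of a command-injection one.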

  • 3. SQL injection (numeric)

    This lesson simulates a web page that shows the weather for a region you choose, but there are only four regions to pick from, each with a corresponding station number; the goal is to show the weather for all regions. The query run in the background is shown as SELECT * FROM weather_data WHERE station = 101 . Because the value is numeric and not quoted, we simply append or 1=1 to the station value sent in the request, giving SELECT * FROM weather_data WHERE station = 101 or 1=1 , and it succeeds.
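Lessons 1 and 3 are the same flaw in a string and a numeric column, so here is one added Python example (using sqlite3) covering both; it is not part of the lab or of WebGoat. The table and column names user_data, last_name, weather_data and station come from the lesson text; the remaining columns and all rows are constructed. The vulnerable functions splice the input into the SQL text as the lesson's server does; the fixed ones bind it as a parameter and, for the numeric case, convert it to an integer first.

```python
import sqlite3

# Constructed stand-in for the lesson's tables: user_data/last_name and weather_data/station
# are named in the lesson text; the other columns and all rows are assumptions for this example.
SCHEMA = """
CREATE TABLE user_data (userid INTEGER, first_name TEXT, last_name TEXT, cc_number TEXT);
INSERT INTO user_data VALUES (101, 'Joe',  'Snow',  '987654321');
INSERT INTO user_data VALUES (102, 'John', 'Smith', '2234200065411');
INSERT INTO user_data VALUES (103, 'Jane', 'Plane', '123456789');
CREATE TABLE weather_data (station INTEGER, name TEXT, temperature INTEGER);
INSERT INTO weather_data VALUES (101, 'Columbia', 65);
INSERT INTO weather_data VALUES (102, 'Seattle',  52);
INSERT INTO weather_data VALUES (103, 'New York', 47);
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# --- vulnerable: the input is pasted into the SQL text, the way the lesson's
#     SELECT * FROM user_data WHERE last_name = 'Your Name' is built.
def cards_by_last_name_vulnerable(conn, last_name):
    sql = "SELECT * FROM user_data WHERE last_name = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def weather_by_station_vulnerable(conn, station):
    # Numeric column: there is no quote to close, so "101 or 1=1" slots straight in.
    sql = "SELECT * FROM weather_data WHERE station = " + station
    return conn.execute(sql).fetchall()


# --- fixed: the value is bound as a parameter, so the database engine never
#     parses it as SQL; for the numeric case it is also converted first.
def cards_by_last_name_safe(conn, last_name):
    return conn.execute("SELECT * FROM user_data WHERE last_name = ?", (last_name,)).fetchall()


def weather_by_station_safe(conn, station):
    station_id = int(station)   # "101 or 1=1" raises ValueError before any SQL runs
    return conn.execute("SELECT * FROM weather_data WHERE station = ?", (station_id,)).fetchall()


if __name__ == "__main__":
    db = fresh_db()
    print(cards_by_last_name_vulnerable(db, "' or '1'='1"))   # all three rows
    print(cards_by_last_name_safe(db, "' or '1'='1"))         # []
    print(weather_by_station_vulnerable(db, "101 or 1=1"))    # all three rows
    print(weather_by_station_safe(db, "101"))                 # one row
```

Note that with the bound parameter the payload ' or '1'='1 is simply a last name that nobody has, which is why the safe query returns nothing rather than an error: the engine receives the SQL and the value separately and never has to guess where one ends.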

  • 4. Log injection

    At first I thought the point was to log in through SQL injection without a valid account, but every attempt failed (I tried ' or '1'='1 , ' or 1=1# and a few others). I had to look at the answer, and after a while, combined with some information from the Internet, I understood the lesson: every login attempt, successful or not, is recorded in a log file. Our goal is to add a record to that log, for example one saying that "admin" logged in successfully; we do not actually have to be able to log in. From the answer we learn that entering Smith%0d%0aLogin Succeeded for username: admin as the user name adds an extra record to the log.

    It looks like two records because %0D%0A is decoded into a carriage return and a line feed. What use is the injected record? Suppose we are attacking the account admin: each wrong password produces a log record like Login Failed for username: admin, and an administrator reading the log will be alerted and suspect a password-guessing attack. But if those failures are followed by an injected Login Succeeded for username: admin record (which is not a real login), the administrator may assume the earlier failures were the account owner's own mistakes. Other information can of course be injected to confuse whoever reads the log, and we could even inject JavaScript, which would run if the administrator views the log in a browser; I will not expand on that here.
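The log-splitting in a few lines, as an added example that is not from the lab or from WebGoat: the vulnerable writer puts the raw user name into the record, the safe one escapes control characters first, and a small reader-side check flags lines that were never written as their own record. The timestamp prefix, the record wording and the log contents are assumptions made for the example; the payload is the lesson's, URL-decoded.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Assumed record format: every genuine record starts with a bracketed timestamp.
PREFIX_FMT = "[%Y-%m-%d %H:%M:%S] "
STAMPED = re.compile(r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\] ")

# The lesson's input, as the server sees it after URL decoding.
PAYLOAD = unquote("Smith%0d%0aLogin Succeeded for username: admin")


def write_entry_vulnerable(log, username, succeeded):
    """Append a login record with the user name used raw, as the lesson's server does."""
    status = "Succeeded" if succeeded else "Failed"
    log.append(datetime.now().strftime(PREFIX_FMT) +
               "Login %s for username: %s" % (status, username))


def write_entry_safe(log, username, succeeded):
    """Same record, but CR, LF, ESC and any other non-printable character in the
    name is escaped, so one event can never be split into two lines."""
    status = "Succeeded" if succeeded else "Failed"
    clean = "".join(c if c.isprintable() else "\\x%02x" % ord(c) for c in username)
    log.append(datetime.now().strftime(PREFIX_FMT) +
               "Login %s for username: %s" % (status, clean))


def render(log):
    """What the log file looks like on disk: one newline-terminated record per write."""
    return "".join(entry + "\n" for entry in log)


def unstamped_lines(log_text):
    """Reader-side check: a line that does not begin with the server's timestamp was
    not written as its own record, so it arrived inside some user-controlled field."""
    return [line for line in log_text.splitlines() if not STAMPED.match(line)]


if __name__ == "__main__":
    log = []
    write_entry_vulnerable(log, "admin", False)   # a genuine failed attempt
    write_entry_vulnerable(log, PAYLOAD, False)   # the injected one: two lines from one write
    print(render(log))
    print("forged:", unstamped_lines(render(log)))
    log = []
    write_entry_safe(log, PAYLOAD, False)         # stays a single, visibly odd line
    print(render(log))
```

The reader-side check only works because the format is rigid; if the server also let the user name float to the start of a line, or logged free text without a prefix, the forged line would be indistinguishable from a real one, which is exactly what the lesson exploits.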

  • 5. XPath injection

    The purpose of this lesson is to obtain all users' information through injection. I understood what was being asked by referring to the answer and to information on the Internet.
    Some websites store user information in an XML file, like this

    XML is more generic and more portable than a database, but it has a disadvantage: by injecting, an attacker can manipulate all of the information in the entire XML file, whereas in a database an attacker with limited permissions can sometimes only reach one table or one query.
    XPath is a language for finding information in XML such as the table above. The XPath expression that locates the user node with loginID 'abc' is /users/user[loginID/text()='abc'] : it selects, from the user nodes under the location path /users/, those that satisfy the condition loginID='abc'. The part in square brackets is the predicate and acts as the filter; see an XPath tutorial for more of the syntax.
    From the answer we learn that the back end runs the following code to query the node
    String expression = "/employees/employee[loginID/text()='" + username + "' and passwd/text()='" + password + "']";
    where username and password are the strings we enter. If the user name and matching password are correct, XPath locates the employee node under /employees/ that satisfies the bracketed expression, login succeeds, and the other information under that node, such as the salary, can be read; otherwise login fails. The idea of the attack is to make the bracketed expression always true, so that XPath locates every employee node under /employees/ and we get all the information under them.
    The bracketed expression is loginID/text()='" + username + "' and passwd/text()='" + password + "' , so the remaining question is how to make it always true. The answer enters Smith' or 1=1 or 'a'='a as the user name and an arbitrary password, which turns the predicate into loginID/text()='Smith' or 1=1 or 'a'='a' and passwd/text()='password' . In XPath, and binds more tightly than or, so the back end reads this as ( loginID/text()='Smith' or 1=1 ) or ( 'a'='a' and passwd/text()='password' ) , which is true as soon as either side is true, and 1=1 makes the left side always true. The key is therefore the 1=1; the other three comparisons can be anything, for example lueluelue' or 1=1 or 'a'='b works just as well. You can also skip the answer's method and use our familiar ' or '1'='1 , but then it must be entered in both the user name and the password: with it in the user name alone, the predicate loginID/text()='' or '1'='1' and passwd/text()='password' groups as loginID/text()='' or ( '1'='1' and passwd/text()='password' ) , and the password comparison still has to be true.
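To make the precedence argument checkable, here is an added Python example, not part of the lab or of WebGoat, that parses just the predicate subset the lesson uses (child/text(), quoted strings, numbers, =, and, or) with XPath's precedence and evaluates it against each employee node. The employees XML, its login IDs, passwords and salaries are constructed; literal comparisons are done textually, which is enough for 1=1 and 'a'='a' but is a simplification of XPath's type rules. The vulnerable login builds the predicate by string concatenation exactly as the lesson's Java does; the safe one never builds an expression from input at all.

```python
import re
import xml.etree.ElementTree as ET

# Constructed employees file in the shape the lesson describes (IDs, passwords and
# salaries are assumptions for this example, not WebGoat's data).
EMPLOYEES_XML = """<employees>
  <employee><loginID>Smith</loginID><passwd>sm1th</passwd><salary>70000</salary></employee>
  <employee><loginID>Jones</loginID><passwd>j0nes</passwd><salary>82000</salary></employee>
  <employee><loginID>admin</loginID><passwd>s3cret</passwd><salary>125000</salary></employee>
</employees>"""

# The predicate subset the lesson uses: child/text(), 'string', number, =, and, or.
TOKEN = re.compile(r"(\w+)/text\(\)|'([^']*)'|(\d+)|(=)|\b(and|or)\b")


def tokenize(predicate):
    tokens, pos = [], 0
    while pos < len(predicate):
        if predicate[pos].isspace():
            pos += 1
            continue
        m = TOKEN.match(predicate, pos)
        if not m:
            raise SyntaxError("bad predicate near %r" % predicate[pos:])
        kind = ("path", "str", "num", "=", "op")[m.lastindex - 1]
        tokens.append((kind, m.group(m.lastindex)))
        pos = m.end()
    return tokens


class Parser:
    """Recursive descent with XPath precedence: = binds tighter than and, and tighter than or."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        self.i += 1
        return self.toks[self.i - 1]

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise SyntaxError("trailing tokens")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == ("op", "or"):
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_cmp()
        while self.peek() == ("op", "and"):
            self.take()
            node = ("and", node, self.parse_cmp())
        return node

    def parse_cmp(self):
        left = self.parse_atom()
        if self.peek() == ("=", "="):
            self.take()
            return ("=", left, self.parse_atom())
        return left

    def parse_atom(self):
        tok = self.peek()
        if tok is None or tok[0] not in ("path", "str", "num"):
            raise SyntaxError("unexpected token %r" % (tok,))
        return self.take()


def value(atom, employee):
    kind, text = atom
    if kind == "path":                      # loginID/text(), passwd/text(), ...
        return employee.findtext(text) or ""
    return text                             # literal, compared textually (simplification)


def evaluate(node, employee):
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], employee) or evaluate(node[2], employee)
    if kind == "and":
        return evaluate(node[1], employee) and evaluate(node[2], employee)
    if kind == "=":
        return value(node[1], employee) == value(node[2], employee)
    return bool(value(node, employee))      # bare atom: true when non-empty


def select_employees(predicate):
    """Mimics /employees/employee[<predicate>]: the loginIDs of every matching node."""
    root = ET.fromstring(EMPLOYEES_XML)
    tree = Parser(tokenize(predicate)).parse()
    return [e.findtext("loginID") for e in root.findall("employee") if evaluate(tree, e)]


def login_vulnerable(username, password):
    """The lesson's construction: user input spliced straight into the predicate."""
    return select_employees("loginID/text()='" + username + "' and passwd/text()='" + password + "'")


def login_safe(username, password):
    """Fix: never build the expression from input; pick the node in code and compare values."""
    for e in ET.fromstring(EMPLOYEES_XML).findall("employee"):
        if e.findtext("loginID") == username and e.findtext("passwd") == password:
            return [username]
    return []
```

Running login_vulnerable with ' or '1'='1 in the user name only returns nothing, while the same string in both fields returns every employee, which is the precedence point of the lesson in executable form. In a real application the equivalent of login_safe is to use the XPath API's variable binding (XPathVariableResolver in Java) or to reject quotes in the input, so that the expression text is fixed and the input only ever travels as a value.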

  • 6. Stored XSS attack

    In short, you post a message whose body is JavaScript, so that every user who opens the post executes it. For the detailed principle see my previous blog post.

  • 7. Reflected XSS attack

    In short, the site immediately echoes back the information you just entered, so you can insert a piece of JavaScript into it. It only runs for whoever submits the crafted input, which here is yourself; against a real victim the input has to be delivered to them, for example as a link they are lured into opening.

  • 8. CSRF

    This is similar to the stored XSS attack above. Imagine the following scenario: user A has logged in to a bank website, so the bank has authenticated him and stored the authentication information in a cookie. He then opens a post that runs a piece of JavaScript (or simply loads an image or iframe) whose job is to send a GET request to the bank website transferring 5000 yuan to the attacker's account. The browser attaches the authentication cookie to that request, so the bank trusts the operation.

  • 9. CSRF Prompt By-Pass
    The following is referenced from a CSDN blog

    Like the CSRF lesson, your goal is to send a message to the newsgroup containing a malicious request that first transfers funds and then confirms the prompt. The URL points to the "attack" servlet with the Screen and menu parameters of the CSRF lesson, plus the extra parameter "transferFunds=4000" followed by "transferFunds=CONFIRM". You can copy the lesson's parameters from the right-hand side to build a formatted URL: "attack?Screen=xxx&menu=yyy&transferFunds=zzz". Whoever receives the message and happens to be authenticated at that moment will transfer their funds. When you think the attack has succeeded, refresh the page and you will find a green check mark in the left menu.

    In the title enter: CSRF Prompt By-Pass Attack; in the message enter:

```html
<iframe src="attack?Screen=280&menu=900&transferFunds=5000"
        id="myFrame" frameborder="1" marginwidth="0"
        marginheight="0" width="800" scrolling="yes" height="300"
        onload="document.getElementById('frame2').src='attack?Screen=280&menu=900&transferFunds=CONFIRM';">
</iframe>
<iframe id="frame2" frameborder="1" marginwidth="0"
        marginheight="0" width="800" scrolling="yes" height="300">
</iframe>
```

    The first iframe issues the transfer request; once it has loaded, its onload handler points the second iframe at the confirmation URL, so the "are you sure" step is answered by the victim's own browser without any click.

    • 10. CSRF Token By-Pass
      The following is referenced from a CSDN blog

      Your goal is to send a malicious request to the newsgroup that transfers funds. To succeed you need a valid request token. The page that renders the transfer form contains a valid token. The URL of the transfer page is the "attack" servlet with the Screen and menu query parameters of this lesson plus an additional parameter "transferFunds=main". Load that page, read the token, and append it to a forged transferFunds request. When you think the attack has succeeded, refresh the page and you will find a green check mark in the left menu.

      In the title enter: CSRF Token By-Pass Attack
      In the message enter the following code:

```html
<iframe src="attack?Screen=273&menu=900&transferFunds=main"
        onload="readFrame1();"
        id="frame1" frameborder="1" marginwidth="0"
        marginheight="0" width="800" scrolling="yes" height="300">
</iframe>
```

      The iframe loads the genuine transfer form, which carries the token; readFrame1 is the script that reads the token out of frame1 and sends the forged transfer request with it. Only the iframe is shown above, so that script has to be supplied in the message as well. Reading the frame's document works here only because the message is stored and rendered on the same origin as the bank page; a page on another origin would be blocked by the browser.
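Lessons 8 to 10 can be replayed against a toy back end. The following is an added Python example, not part of the lab or of WebGoat: a Bank class with a session cookie and the lesson's two-step transfer (amount, then transferFunds=CONFIRM). The vulnerable endpoint trusts any request carrying a valid session cookie, which is all the two iframes in lesson 9 need; the fixed one requires a POST carrying a per-session token. The cookie name, request shape, balances and reply strings are assumptions made for the example.

```python
import hmac
import secrets


class Bank:
    """Toy bank back end: one victim account, session cookies, and the lesson's
    two-step transfer endpoint (first the amount, then transferFunds=CONFIRM)."""

    def __init__(self):
        self.balance = 10000          # the victim's balance (constructed)
        self.sessions = {}            # session id -> csrf token for that session
        self.pending = {}             # session id -> amount awaiting CONFIRM

    def login(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = secrets.token_hex(16)
        return sid

    def csrf_token(self, sid):
        return self.sessions[sid]

    def _apply(self, sid, value):
        if value == "CONFIRM":
            amount = self.pending.pop(sid, None)
            if amount is None:
                return "nothing to confirm"
            self.balance -= amount
            return "transferred %d" % amount
        self.pending[sid] = int(value)
        return "confirm?"

    def transfer_vulnerable(self, request):
        """Lesson behaviour: any request with a valid session cookie is trusted, and the
        confirmation prompt is just one more parameter, so it is no obstacle at all."""
        sid = request["cookies"].get("session")
        if sid not in self.sessions:
            return "not logged in"
        return self._apply(sid, request["params"]["transferFunds"])

    def transfer_safe(self, request):
        """Fix: a state change needs a POST carrying the per-session token, which a page
        on another origin can neither read nor guess."""
        sid = request["cookies"].get("session")
        if sid not in self.sessions:
            return "not logged in"
        if request["method"] != "POST":
            return "method not allowed"
        if not hmac.compare_digest(request["params"].get("csrf_token", ""), self.sessions[sid]):
            return "bad csrf token"
        return self._apply(sid, request["params"]["transferFunds"])


def forged_requests(sid):
    """What the lesson's two iframes make the victim's browser send: plain GETs with the
    victim's cookie attached automatically and no token, since the attacker cannot read it."""
    cookie = {"session": sid}
    return [
        {"method": "GET", "params": {"transferFunds": "5000"}, "cookies": cookie},
        {"method": "GET", "params": {"transferFunds": "CONFIRM"}, "cookies": cookie},
    ]


def run_attack(handler_name):
    """Returns (victim balance afterwards, the server's replies)."""
    bank = Bank()
    sid = bank.login()
    handler = getattr(bank, handler_name)
    replies = [handler(r) for r in forged_requests(sid)]
    return bank.balance, replies


def legitimate_transfer(amount):
    """The genuine form flow against the fixed endpoint: POST plus the session's token."""
    bank = Bank()
    sid = bank.login()
    cookie = {"session": sid}
    replies = []
    for value in (str(amount), "CONFIRM"):
        replies.append(bank.transfer_safe({"method": "POST", "cookies": cookie,
            "params": {"transferFunds": value, "csrf_token": bank.csrf_token(sid)}}))
    return bank.balance, replies


if __name__ == "__main__":
    print(run_attack("transfer_vulnerable"))   # (5000, ['confirm?', 'transferred 5000'])
    print(run_attack("transfer_safe"))         # (10000, ['method not allowed', 'method not allowed'])
    print(legitimate_transfer(5000))           # (5000, ['confirm?', 'transferred 5000'])
```

The token only helps as long as the attacker cannot read it, which is what lesson 10 breaks: the attacker's message is rendered on the bank's own origin, so its iframe can read the form and the token out of frame1. The token defence therefore depends on user-supplied content never being rendered as HTML on the same origin (the stored XSS of lesson 6), and a SameSite cookie attribute, which stops the classic cross-site case of lesson 8, does nothing against this same-origin variant.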

(Because I was rushing to finish, I only got a feel for the last two exercises and have not fully understood them; I will go through them properly when I have time.)
