Webgoat 7.1 Combat Guide-Next

Source: Internet
Author: User
Tags: soap, session id, xpath, owasp zap, wsdl


Injection Flaws: Command Injection

For any parameter-driven website, command injection attacks represent a serious threat. The technique behind the attack is easy to learn, and the resulting damage ranges from considerable to complete compromise of the system. Despite these risks, an unbelievable number of systems on the internet are vulnerable to this type of attack.
Not only is the attack easy to carry out, it is also one that a little common sense and foresight can stop completely. This lesson shows several examples of parameter injection.
Sanitizing all input data is always good practice, especially data that will be used in OS commands, scripts, and database queries.


Try to inject a command into the operating system.
Using a proxy, intercept the request and append a command to the HelpFile parameter: "BasicAuthentication.help;ipconfig" or "BasicAuthentication.help;netstat -an" (if & is used instead of ";", ipconfig or netstat is treated as a parameter rather than as a second command, for reasons not determined here). The double quotation mark after the command must not be dropped.


Note: To make this work, the WebGoat source needs some changes. In org.owasp.webgoat.plugin.CommandInjection, the list of allowed commands limits what can actually be run on the operating system. I am using Windows, so I changed List<String> valid_windows_cmds = Lists.newArrayList("dir", "ls", "netstat -a", "ipconfig"); to List<String> valid_windows_cmds = Lists.newArrayList("dir", "ls", "netstat -an", "ipconfig");
At line 136, fileData = exec(s, "cmd.exe /c type \"" + new File(safeDir, helpFile).getPath() + "\""); is changed to fileData = exec(s, "cmd.exe /c type \"" + safeDir.getPath() + "\"" + "&" + finalCom); then save the source file and repackage it into the jar. The execution succeeds as shown:

Select a help file and click View:

The proxy intercepts the request and the value of helpfile= is modified:

To view the contents of /etc/passwd:
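As an added defensive example (not WebGoat's code), the following Python rejects the injected HelpFile values above by allow-listing the file name and reading the file directly instead of handing it to cmd.exe /c type; the help directory and its single file are constructed in a temporary directory.

```python
import os
import re
import tempfile

# Constructed stand-in for WebGoat's help directory (not WebGoat's own code).
SAFE_DIR = tempfile.mkdtemp()
with open(os.path.join(SAFE_DIR, "BasicAuthentication.help"), "w", encoding="utf-8") as fh:
    fh.write("Basic Authentication lesson help text\n")

# A help file name is letters, digits, '_' or '-' followed by '.help' and nothing else,
# so ';', '&', quotes, spaces and path separators (the injections on this page) never match.
HELP_NAME = re.compile(r"[A-Za-z0-9_-]+\.help")


def resolve_help_file(help_file: str, safe_dir: str = SAFE_DIR) -> str:
    """Return the absolute path of a help file inside safe_dir, or raise ValueError."""
    if not HELP_NAME.fullmatch(help_file):
        raise ValueError(f"rejected help file name: {help_file!r}")
    base = os.path.realpath(safe_dir)
    path = os.path.realpath(os.path.join(base, help_file))
    # Second line of defence: the resolved path must stay inside the help directory.
    if os.path.commonpath([base, path]) != base:
        raise ValueError("path escapes the help directory")
    return path


def read_help_file(help_file: str, safe_dir: str = SAFE_DIR) -> str:
    """Read the help file with ordinary file I/O: no shell, so nothing to inject into."""
    with open(resolve_help_file(help_file, safe_dir), encoding="utf-8") as fh:
        return fh.read()


def is_rejected(help_file: str, safe_dir: str = SAFE_DIR) -> bool:
    """True when resolve_help_file() would refuse the name."""
    try:
        resolve_help_file(help_file, safe_dir)
    except ValueError:
        return True
    return False
```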

Numeric SQL Injection

For any database-driven website, SQL injection attacks represent a serious threat. The technique behind the attack is easy to learn, and the resulting damage ranges from considerable to complete compromise of the system. Despite these risks, an unbelievable number of systems on the internet are vulnerable to this type of attack.
Not only is the attack easy to carry out, it is also one that a little common sense and foresight can stop completely. This lesson shows several examples of parameter injection.
Sanitizing all input data is always good practice, especially data that will be used in OS commands, scripts, and database queries, even if the SQL injection threat has been blocked in some other way.
Goal:
The following form allows a user to view weather data. Try injecting a SQL string so that all weather data is displayed.
Using a proxy, intercept the request, modify the parameter station=101 to station=101 or 1=1, and submit the request as shown:

Log Spoofing

The grey area represents the information written to the web server log.
The goal is to make the log show a successful login for a user such as admin.
The attack works by appending extra lines to what gets logged.
In the username field enter: "Smith%0d%0alogin succeeded for username admin", enter any password, and click Login as shown:
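As an added example (not WebGoat's code), the username above after URL decoding, written to a constructed log entry first by a naive logger and then by one that neutralizes CR/LF, plus the request-side check a defender would alert on.

```python
import re
from urllib.parse import unquote

# Constructed sample: the percent-encoded username from this lesson, as the
# application sees it after URL decoding ("%0d%0a" becomes CR LF).
INJECTED_USERNAME = unquote("Smith%0d%0alogin succeeded for username admin")


def naive_log_line(username: str) -> str:
    """The vulnerable behaviour: the raw username goes straight into the log entry."""
    return f"Login failed for username: {username}"


def sanitize_for_log(value: str) -> str:
    """Keep one user input on one log line: CR and LF are written as the visible
    escapes \\r and \\n (so the attempt stays in the log), and any other
    control character is replaced with '?'."""
    value = value.replace("\r", "\\r").replace("\n", "\\n")
    return re.sub(r"[\x00-\x1f\x7f]", "?", value)


def safe_log_line(username: str) -> str:
    """The fixed behaviour: the username is sanitized before it is logged."""
    return f"Login failed for username: {sanitize_for_log(username)}"


def count_log_lines(entry: str) -> int:
    """How many lines a single log entry occupies once written out."""
    return len(entry.splitlines())


def has_line_break(value: str) -> bool:
    """Detection check for a request parameter: a username never legitimately
    contains CR or LF, so their presence is itself worth alerting on."""
    return "\r" in value or "\n" in value
```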

XPATH Injection

The following form allows employees to view all of their personal information, including salary. Your account is mike/test123. Your goal is to try to view data belonging to other employees.
1. XPath injection is similar to SQL injection: an XPath query is built from untrusted input. Below you can see how the XPath query is constructed. The code for this page is as follows:
String dir = LessonUtil.getLessonDirectory(s, this) + "/xml/" + "/EmployeesData.xml";
File d = new File(dir);
XPathFactory factory = XPathFactory.newInstance();
XPath xpath = factory.newXPath();
InputSource inputSource = new InputSource(new FileInputStream(d));
String expression = "/employees/employee[loginid/text() = '" + username + "' and passwd/text() = '" + password + "']";
nodes = (NodeList) xpath.evaluate(expression, inputSource, XPathConstants.NODESET);


2. Inject Smith' or 1=1 or 'a'='a into the username field; this shows you the first user in the system. The password is a required field and can be entered arbitrarily.

3. The server then builds the following expression:
expression = "/employees/employee[loginid/text() = 'Smith' or 1=1 or 'a'='a' and passwd/text() = 'xxx']"

4. Because and binds more tightly than or, the server evaluates it as:
expression = "/employees/employee[(loginid/text() = 'Smith' or 1=1) or ('a'='a' and passwd/text() = 'xxx')]"

String SQL Injection

For any database-driven website, SQL injection attacks represent a serious threat. The technique behind the attack is easy to learn, and the resulting damage ranges from considerable to complete compromise of the system. Despite these risks, an unbelievable number of systems on the internet are vulnerable to this type of attack.
Not only is the attack easy to carry out, it is also one that a little common sense and foresight can stop completely. This lesson shows several examples of parameter injection.
Sanitizing all input data is always good practice, especially data that will be used in OS commands, scripts, and database queries, even if the SQL injection threat has been blocked in some other way.
Goal:
The following form allows users to view their credit card numbers. Try injecting a SQL string so that all credit card numbers are displayed. Try using the user "Smith".
In the username field enter: Smith' or '1'='1 and submit the query as shown:

Lab: SQL Injection

Stage 1: String SQL Injection

Use string SQL injection to bypass authentication. Use SQL injection to log in as the boss ("Neville") without knowing the correct password. Verify that Neville's profile can be viewed and that all functions are available (including search, create and delete).
Using a proxy, intercept the request, modify the password to ' or '1'='1, and submit the request as shown:

Stage 2: Parameterized Query #1 (fix: parameterized query)
Use a parameterized query to block SQL injection.
Implement a fix to prevent SQL injection in the login page fields. Repeat Stage 1. Verify that the attack no longer works.
In the login method of org.owasp.webgoat.plugin.sqlinjection.LoginSqlInjection.java, change
String query = "SELECT * FROM employee WHERE userid = '" + userId + "' and password = '" + password + "'";
to
String query = "SELECT * FROM employee WHERE userid = ? and password = ?";
Add the following code inside the try block and comment out the corresponding original code:
Connection connection = WebSession.getConnection(s);
PreparedStatement ps = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
ps.setString(1, userId);
ps.setString(2, password);
ResultSet answer_results = ps.executeQuery();
After making these changes, repackage and rerun, use OWASP ZAP to intercept the request, modify the password to ' or '1'='1, and submit the request as shown:

Stage 3: Numeric SQL Injection
Execute a SQL injection to bypass authorization.
As the ordinary employee "Larry", use SQL injection in the parameters of the View function (from the Employee List page) to view the profile of the boss ("Neville").
Using a proxy, intercept the request and modify the employee_id parameter to: 101 or 1=1 ORDER BY salary DESC, as shown:

Stage 4: Parameterized Query #2 (fix: parameterized query)
Use a parameterized query to block SQL injection.
Implement a fix to prevent this SQL injection. Repeat Stage 3. Verify that the attack no longer works.
Modify org.owasp.webgoat.plugin.sqlinjection.ViewProfileSqlInjection.java: change
String query = "SELECT employee.* "
    + "FROM employee, ownership WHERE employee.userid = ownership.employee_id and "
    + "ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId;
to
String query = "SELECT employee.* "
    + "FROM employee, ownership WHERE employee.userid = ownership.employee_id and "
    + "ownership.employer_id = ? and ownership.employee_id = ?";
Add the following inside the try block and comment out the corresponding original code:
Connection connection = WebSession.getConnection(s);
PreparedStatement ps = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
ps.setString(1, userId);
ps.setString(2, subjectUserId);
ResultSet answer_results = ps.executeQuery();
As shown below:

Database Backdoors

101; update employee set salary=1234567 where userid=101

101; create trigger myBackDoor before insert on employee for each row begin update employee set email='[email protected]' where userid=new.userid

Blind Numeric SQL Injection

101 AND ((SELECT pin FROM pins WHERE cc_number='1111222233334444') > 1000);

Narrowing the range by bisection, the number found is 2364.

Blind String SQL Injection

101 AND (SUBSTRING((SELECT name FROM pins WHERE cc_number='4321432143214321'), 1, 1) < 'H');

For the second character change the 1 to 2, and so on:

101 AND (SUBSTRING((SELECT name FROM pins WHERE cc_number='4321432143214321'), 2, 1) < 'H');

The answer is Jill.

Denial of Service: Zip Bomb

The server only accepts zip files, extracts them after upload and then deletes them, and provides at most two megabytes of temporary storage to handle all requests. Try to perform a DoS attack that consumes all of the temporary storage with a single request.

In short, upload a compressed package under 20M that crashes the server.

Denial of Service from Multiple Logins

First obtain all the accounts.

Open three pages in total.

Insecure Communication: Insecure Login

Read the password using the debugger.

The second stage switches to HTTPS.

Insecure Storage: Encoding Basics

Malicious Execution: Malicious File Execution
<HTML><% java.io.File file = new java.io.File("/.extract/webapps/WebGoat/mfe_target/webgoat.txt"); file.createNewFile(); %></HTML>

Save this as a JSP file and upload it.

Open http://192.168.8.89:8080/WebGoat/uploads/1.jsp, then refresh the browser.

Parameter Tampering: Bypass HTML Field Restrictions

Enable the form fields, then capture the request with Burp Suite and modify the values of the 6 parameters arbitrarily.

XML External Entity (XXE)
<?xml version="1.0"?><!DOCTYPE Header [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><searchForm><from>&xxe;</from></searchForm>

Exploit Hidden Fields

In short, change the value of the hidden field on the front end.

Exploit Unchecked Email

This form is an example of a customer support page. Try the following using the form:

1) Send a malicious script to the website admin.

2) Send a malicious script from OWASP to a "friend".

Bypass Client Side JavaScript Validation

The site performs both client-side and server-side validation. For this exercise, your job is to break the client-side validation and send input the site does not want. You must break all 7 validators at the same time.

Session Management Flaws: Hijack a Session

Reference video: https://www.youtube.com/watch?v=FA5FjjV4L7Y

The WEAKID value in the cookie is the session ID. If a client sends a request to the web server without a session ID, the server generates a new session ID and returns it to the client in a cookie.

Send the packet to the Sequencer tab (in Burp Suite).

Because Burp Suite's fuzzing was not positioned on the cookie, the effect is not shown here; refer to the video for details.

Spoof an Authentication Cookie

webgoat: AuthCookie=65432ubphcfx

aspect: AuthCookie=65432udfqtb

Alice's cookie: 65432 + ECILA → FDJMB

Parsing the cookie: 65432 is fixed, and the string after it is the username reversed with each character shifted forward by one.
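As an added example (not WebGoat's code), the derivation above in Python, checked against the two cookies shown, beside the kind of opaque random session token a server should issue instead; the session store is a constructed dictionary.

```python
import secrets

AUTH_PREFIX = "65432"  # the fixed part of the WebGoat cookie described above


def weak_auth_cookie(username: str) -> str:
    """The scheme the lesson uses: fixed prefix, username reversed, each character
    shifted forward by one. No secret is involved, so the value is fully determined
    by the username alone."""
    shifted = "".join(chr(ord(c) + 1) for c in reversed(username))
    return AUTH_PREFIX + shifted


def is_predictable(cookie_fn, username: str) -> bool:
    """A cookie that depends only on the username comes out identical every time it is issued."""
    return cookie_fn(username) == cookie_fn(username)


# Constructed server-side session store for the fixed scheme (not WebGoat's code).
_SESSIONS: dict = {}


def issue_session(username: str) -> str:
    """Opaque token from a CSPRNG; the username is kept only on the server side."""
    token = secrets.token_hex(16)  # 128 bits of randomness, nothing to reverse
    _SESSIONS[token] = username
    return token


def user_for_token(token: str):
    """Look a presented token up; anything not issued by the server maps to None."""
    return _SESSIONS.get(token)
```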

Session Fixation

Append &sid=45 to the URL.

Follow the prompts to enter the username and password.

Step four: open 192.168.8.89:8080/webgoat/start.mvc#attack/2007866518/1800&sid=45 directly.

Web Services: Create a SOAP Request

The web service communicates using SOAP requests. These requests are submitted to the web service in an attempt to invoke the operations defined in the Web Service Definition Language (WSDL) file. Let's take a look at some of the contents of the WSDL file. View the WSDL file for WebGoat.

General goal:

Try to connect to the WSDL using a browser or a web service tool. The URL of the web service is http://localhost/WebGoat/services/SoapRequest. You can typically append WSDL to the end of a web service URL to see the WSDL. You must access 2 operations to pass this lesson.

Intercept the request and invoke any method by sending a valid SOAP request for a valid account.

You must access at least 2 methods to pass the lesson.

I parsed the SOAP request with Burp Suite's Wsdler plugin, but in testing it was not possible to complete the lesson; the idea was correct, but it may not be the right way to validate it.

WSDL Scanning

Modify the parameter contents.

Web Service SAX Injection

The web service communicates using SOAP requests. These requests are submitted to the web service to try to invoke the operations defined in the Web Service Definition Language (WSDL) file.

General goal:

Some web interfaces use web services in the background. If the front end relies on the web service for all input validation, the XML sent by the web interface may be tampered with.

In this exercise, you try to change the password of a user other than 101.

Enter the following in the input box:

<id xsi:type='xsd:int'>102</id><password xsi:type='xsd:string'>[email protected]$$w0rd?</password>

Web Service SQL Injection

Use the Burp Suite plugin Wsdler.
