ABOUT TRACK
Get hands-on experience in exploiting the most critical security risks to web applications.
Here is the list of the challenges:
| Name of the challenge | Security Risks |
|---|---|
| looking glass | Command Injection |
| sanitize | SQL Injection |
| baby auth | Cross Site Request Forgery (CSRF) |
| baby nginxatsu | Data Integrity Failures |
| baby WAFfles order | XML External Entity Injection |
| baby todo or not todo | Insecure direct object references (IDOR) |
| baby BoneChewerCon | Improper error handling |
| Full Stack Conf | Cross-Site Scripting (XSS) |
| baby website rick | Python Pickle Exploitation |
| baby breaking grad | PHP Static-Eval Exploitation |
looking glass
In this first challenge we start with a web page that allows us to run the ping command.
Introduction to Command Injection
Command injection is a security vulnerability that arises when an application does not properly validate user inputs before executing them as commands. Attackers can exploit this vulnerability to inject malicious commands, leading to unauthorized execution of arbitrary code.
Exploit
We’ll leverage the semicolon (;) to inject additional commands and exploit the system.
```
ping 127.0.0.1;id
```
Sometimes, the server’s response might be delayed due to multiple ICMP requests. To counter this, the attacker can use the -c flag to limit the number of ICMP requests sent:
```
ping -c 1 127.0.0.1;id
```
The -c 1 argument instructs the ping command to send only one ICMP request.
Now you can replace the command id with ls to find the location of the flag, and with cat to display it.
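As an added example (not part of the original writeup or the challenge's own source), here is the pattern looking glass breaks, in Python: a hypothetical handler that formats the user's host into a shell string, beside a hardened version that validates the host as an IP literal and calls subprocess without a shell. All function names are assumptions.

```python
import ipaddress
import subprocess
from typing import List, Optional


def build_shell_command(host: str) -> str:
    """Vulnerable pattern (hypothetical handler): untrusted input is
    interpolated into a string that will be handed to a shell, so a
    ';' in `host` turns one command into two."""
    return f"ping -c 1 {host}"


def validate_host(host: str) -> Optional[str]:
    """Allowlist check: accept only a literal IPv4/IPv6 address and
    return it normalised, or None. An allowlist beats trying to block
    ';', '|', '&&', '$(...)' and friends one by one."""
    try:
        return str(ipaddress.ip_address(host.strip()))
    except ValueError:
        return None


def build_safe_argv(host: str) -> List[str]:
    """Hardened form: the request count is fixed server-side and the
    validated address is passed as its own argv element."""
    ip = validate_host(host)
    if ip is None:
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", ip]


def run_ping(host: str, timeout: float = 5.0) -> str:
    """Execute with shell=False (subprocess.run's default), so no
    shell ever parses the user's text; a timeout bounds the request."""
    proc = subprocess.run(
        build_safe_argv(host),
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )
    return proc.stdout


if __name__ == "__main__":
    # Constructed inputs: a legitimate address and the writeup's payload.
    for candidate in ("127.0.0.1", "127.0.0.1;id"):
        print(repr(candidate), "->", build_shell_command(candidate),
              "| allowlist:", validate_host(candidate))
```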
sanitize
Here is the web page we need to work with:
Unveiling SQL Injection
SQL Injection is a potent attack vector that exploits insecurely built SQL queries. Attackers can manipulate input fields to execute unauthorized SQL commands, potentially exposing sensitive data or even gaining unauthorized access to databases.
Exploit
In the provided payload, I’ve used the username field to craft a SQL injection. The payload is admin' ORDER BY 1--. Let’s break down how it works:
- admin': This input is provided to the SQL query as the username. The single quote (') closes the existing SQL string.
- ORDER BY 1: In SQL, the ORDER BY clause sorts query results. Here you are asking the database to order the results by the first column.
- --: In SQL, the double hyphen (--) starts a comment. Everything after -- is treated as a comment and ignored by the database.
baby auth
Our journey begins with a login page. Even though I possess valid credentials, I am required to register. admin1 will be my username and password.
Upon logging into this account, a message is displayed to us: You are not an admin.
Let’s examine the cookies and determine if a CSRF exploit is feasible.
The cookie is base64-encoded. Decoding it reveals the content: {"username":"admin1"}.
Exploit
We need to re-encode the JSON with the value "admin" in place of "admin1", then replace the default cookie value with the new one.
Now you can grab the flag.