Do you like to do a Pico application of the vulnerabilities that people have found? So how do I do this? So you do an apostrophe, a space, or, space, one equals one, and a semicolon followed by a pound sign. And anything you would like to believe. So what am I expecting? What should it do? Just log you in. What should it do? Not log you in? Yeah. Not log you in. What does it do? You have to first use a database that logs you in. All right. So then how do I get it to log me in as a specific user? You put in, instead of, like, "or one equals one", I think you put in, like, ID, and ID equals whatever ID is in the database, like, ID equals one, right? Probably did one, so let's do, like, two. Two, yeah. Then it's going to comment it out. Yeah. Would that not work? That should work. No, the other one. Oh, the other one. It didn't. Oh, OK. I just wanted to say, as the first user, what if that's not the user who targeted a specific user ID? Got it. Or one equals one, and ID equals. What about this is redundant? Or one equals one, because that's going to be true, right? Or in something. So we can hear that. We can say, or ID equals any user we want in the system? What else? There is a directory traversal. Oh, if you run Burp Suite, or ZAP, or whatever, they can give you some directories that they scan. I'm going to go find them. Prove me that's actually one of the one trust those rules. Well, I mean, I actually went through the files, which shouldn't be a concern. What else? Is somebody else having more belly? There's a cross-site scripting vulnerability in either the search bar or the guestbook. Cool. So how do I prove that it's a cross-site scripting vulnerability? So you type in the script tag, so it's a less-than script, or it's a less-than script, the other query. Type in alert, and parentheses, put in the string "hi", then put ending parentheses, semicolon, then ending script tag, or search. It should have popped up something. It's very good. Browser's too smart for you. Yeah. I need to have those headers.
I'm going to create this before the headers existed. There's an HTTP post. Trick is always to look at where the script is, right? So you can see that picked. So the way you want to check for this, right, is to put something like foobar in here for search. View page source, look for foobar. And you can see it's in two places. It's in here, the input field. And it's also used here as part of this. So then we just saw if we put in our script tags. You can actually see here in this value, it looks like it's actually being escaped correctly. But this one here is not escaped. And so we have a cross-site scripting vulnerability here. There is a remote OS command injection on slash pass check.php. I used that proxy and found that. You should be using tools and you should be doing it. Really? Yes. I know the tools can find them. Not some of them. But you need to be able to know how to search for those. One cross-site scripting thing, one C1 action. On the guestbook. So in the comment field, you'll put anything for name. But in the comment field, you can put any script tag you want in the account JavaScript. I did a while loop. In the comment tab. So I did a while loop. And I was able to do a bunch of alerts. You can do anything you want. And it will be able to database it. So what's the key difference between these two vulnerabilities? Anyone who loads the comment page is going to see the alert because it's in the page. It's static. What was the factor? So yeah, let's look at this page, right? So how do I actually have to execute this cross-site scripting thing? You have to type it into the search bar. Type it into the search bar and then what's going to happen with it? It displays back to you what you typed in doing the... How does it get there? It's a request on the page. So what does the form say? Type the request. Click the button and what's going to happen. You click the button and it calls a GET on that field. How do I put any into the application? In the screen. In the search bar.
You enter in the search form. No. It's going to put whatever you searched into. It's going to execute something. It's going to execute something. I agree, that's correct. It gets put into pictures that are tagged as blank but it has the script there and interprets it as a script that just runs. How does it get there? Because the code does it. Where does it read it from? I click this button. What exactly happens? An HTTP is sent from how to do that. Yes, for what? The GET. GET is a type of HTTP request. What do I get it? A result based on those. Based on what you entered in the search. How does it know that? Parts of it. Parts of what? What you entered. Where does it get it from? The entry once on that screen. It's right in front of it. The foobar. Where do you see foobar? What do you mean? That's a heading, right? That was the previous entry. Look at the screen. There's the screen but where's... In the board. Where's that going to be? Inside the URL. Every time you display this, it'll be on the URL. Whatever you answered that. When I click this, exactly what happens is that we can see this in part. I am making this is the raw HTTP request, right? There's the GET method. That's why we looked at exactly what the protocol says that does look like. We're sending a GET request to slash pictures slash search.php and then a question mark for the URL parameters and query equals the thing that we put in and x equals 27 and y equals... So now, what is the code doing when it generates this HTML response? When it generates a response. So here's the response. Here's the HTML response. Here's the raw response, the whole HTTP response. But the content type of what it returns is text/html. So here's the HTML that it returns. So what did it do with our input? Which side of the time does this little discussion sound like? It thinks it's at the code or part of the website. It's in the values. Yeah. For query. It's going to be here.
So what does the code look like on the server side to do this? What do you mean the code? PHP code that's executed. Something that executes this PHP code. Yeah. Maybe back. I know, but you can see the output. So how does it have to be written based on what you just... Oh, it has to be decoded. Along with HTML entities that's output in the HTML on the server-side code. From our query. Yes. From the URL, from the parameter that is sent in this URL. Right? There's nothing to do with forms or anything at this point. Just reading from everything this HTTP request that we sent, which is this query parameter. So taking that and building up this page, everything else seems like it's constant except for this. And then where else is it being used? The HTTP... That's our tag right there. So it has a display. But at that point it's displaying a script. Well, here it's just... This is the way you've got to separate out what they return. What is the web application returning to us versus how does our browser interpret it? The important thing is that we are just getting back a bunch of bytes. This is the raw bytes and it's a little bit muddled, right? Burp is parsing this as HTML so it's color coding it. But really all our browser sees is all these bytes. And then it parses it. And when it's parsing this H2 element it says, oh, there's an H2 tag and inside here there's a script tag and so that's why our script tag executes. And we see this alert box with XSS up here. Fundamentally, where does this input this... where the name comes from, JavaScript that was not intended by the developer executes on this page, right? I don't think there's any... There's no other JavaScript on this page. So the developers of this web application did not want any JavaScript code to be executed on this page, but because they are outputting this user input completely unsanitized we can execute any kind of JavaScript we want. So now if I wanted to make...
but doing it to myself doesn't really do anything, right? Because I'm just making a pop-up screen appear on my browser window, and he sent it away to someone else, right? Yes. So what do I have to send them? Well, what you entered. It'll already be filled out. I have to send them this link. I have to trick you to click on it and then the JavaScript that's inside this query parameter will be executed inside your browser context. So if they were... if they never output it like in there as tagged as whatever, right? Then this wouldn't be a vulnerability. Correct. Because it would only be well... because we can actually see just like... so we have this value here, right? So we can see that it's escaping less-than symbols, greater-than symbols. It's not escaping single quote. And what do we need to break out of this parameter of this attribute of this HTML tag? What's the character that's enclosing us in right now? Yeah, the double quote. Let's see what it does here. So we can see that, okay. We can say now conclude it is most likely safe from SQL injection or cross-site scripting because there's no way, if we cannot include a double-quote character here, there's no way we can break out of these value double quotes and start executing something else. Wait, but why would we need to do that if it's just cross-site scripting? We need to start... we need to get to executing JavaScript. Yeah, but why do you need to break out, though? Because we saw that if they're outputting it back to us... If it was not in here. Oh, okay. If it's not present here we need to try to inject. This is the first step we try to do is use double quote. But... So what is that one page... What is that one spot visible? Like on the page. Oh, and there. This is how this fills in the default value. The value attribute of the input tag. So that wasn't satisfied with that also. We don't need practice characters, but we'll look at those kind of later.
So what we're trying to do is find a way to confuse the browser between what is data and what is script. Yes. We're trying to make it execute our code, right? And we know that anything in the URL string comes from the attacker. Therefore, this JavaScript code is from the attacker. So then now let's look at the guestbook. So what did I do? So now we've refreshed the guestbook. We'll see this cross-site scripting. And then if we go look at where it is in the guestbook... Not that I don't want to. I just don't know how. There's an accessibility thing. In the app settings... It's under accessibility. There's a way to turn on the zoom. It's usually a shortcut that you have to name. Oh, you mean under the Mac? Yeah, under the Aster. Yeah, the zoom. Oh, just go to preferences. I'm not from this guy. That's something else. I'm like, system references. That's it. Yeah, I have no problem. Do that. Okay. I think it's only zooming on your end. Oh, you guys can see that? Oh, it was me. I was like, whoa. Wow. Weird. That's okay. Oh, you're not directly plugged in. You're using the wireless thing? Yeah, I'm not sure. It's a good try. Okay. Let's look at the same thing. So what was the request that we sent to the guestbook? Yeah. Okay, Luke. No, no. What is this request? I just made a request. Post. Post. This is a post request? It's a guest request. I made it just now. Hit refresh. Oh, when you hit refresh, I thought you meant the submit button. I got a request to slash guestbook.php. We sent her a cookie, but that's about it. That's pretty much the only operation that we sent. But what do we get back? We get back. We get back. The comments by Foo, which has the text script alert one. So where did this come from? Did it come from my request? It was loaded on the page. It has a comment? Yes. Where did it come from? Yes. So we can't go back to the post where I made this. 
We can see that I made a POST request to the guestbook, and I passed in name, Foo, and comment, equal to script tag. So then, what do I need to do to get this JavaScript code to execute in your browser? Just give them this URL, and then any time they come to this page, it's automatically loaded. Yes. So this is the key difference between cross-site scripting vulnerabilities. So this is, we have two different ways of categorizing them. One is reflected like this, which essentially means it's using input from the user's browser directly in the page. The key thing is I can get you to click on this exact link. If I can't trick you to click on this link, I can use the JavaScript code to execute in your browsers and violate the same-origin policy. Here is the stored cross-site scripting. So here, I can do the injection once and it stays in here forever, presumably because it's part of the database. So we think about how is this likely written. Well, there's probably a comments table somewhere which is storing all the comments of all the users over time, and then when I refresh this page, it's grabbing all the user names on this table by looping through all of them. So this is much more dangerous, right? Because now, any JavaScript, anybody who visits this page, whether I send you the link or not, is going to be executing this JavaScript code. Any other vulnerabilities? The SQL one? Where? So have you tried to log in? So password checker, whenever I would put in a semicolon, it would just break the server entirely. It wasn't ever able to make it like execute the command on the command line, but... That's still a vulnerability. Yeah. Not very cool. Take down the whole server? I don't know, that's pretty cool. Are we allowed to use spiders? I would say yes. You can use a spider to spider the site, but I'm not using automated tools at this point in your career because you want to know exactly how to test for all these things.
If you use spiders, you can use slash pictures and then you get those slash pictures, slash dss as well. And then here you can see the directory. So what does it tell you, though? What files are there? Can you go up there? Well, you can see PHP code, right? What if it comes to PHP code? If you click on one of those, does it open? I think you're gonna have that. Could download it? That's why I find out what happened when I clicked on these links. Because it's keeping track of everything that I'm doing. So let's see. We went to slash pictures, slash conflicts. So the response was what? What's a 303 response code? Redirection. Yes, redirection. It's telling us to go somewhere else. Which header is it gonna use to tell us where to go? How do we know where to go? Where is it redirecting us to? Location. The Location header. So it's redirecting us to slash user slash login. So what does this likely mean? And does it send us any PHP code in its response? Sorry, PHP code in its response. I don't know. I don't believe this. It just sent back text/html. Well, it sent back a header so you can see the content length is zero. So nothing. It sends us back nothing. No body. Can we maybe try to see the actual code? What should I do? I tried downloading. I just downloaded the HTML. We tried to download it. The same thing as the view page source. That's great. You can save the code for your computer and then see what it does. Yeah, so how? Same thing as? But it saves the log. The log. The login thing. But we can say what's the name of the page source. It's still hypertext. Cool. So what is it doing when I'm trying to access this? What is it doing? Why is it redirecting me? Well, because you have a login problem. Exactly. It's access control, right? It's checking and saying hey, you haven't logged in yet, so go to the login page. So if you log in, it will redirect you. And one thing to do would be checking all of them. Maybe.
So here's the search page actually redirecting me to error.php, which is interesting. There's a recent. I can go to the recent.php, and of course, the response looks like HTML, right, with no PHP code. Purchase, log in, high quality login. Now I can log in. The response is 404, not found. So there's nothing there? Nothing there. No content. Zero. How about a page? Here it takes me somewhere. Yeah, so why not? Where does it take me to? Oh, sorry. It's not, we're not getting the code, but there is an exploit on this page. We're wanting to get the server side code right now, is that the goal? We're exploring that. Can you FTP? So what is this? Why do we see this? We see it's above pages. This directory. Oh, that's where they're stored, right? These are stored there. Why do we see this? Because we navigated to a directory and not an actual file. And it's horrible default behavior of Apache. So from Apache to be useful, I can't remember what it's called, but it's usually enabled by default. It's usually enabled on all Apache default installs and then disable it. So if you go to a directory that does not have an index.html and index.php or another index page, it displays this which shows you the files. But then, when Apache, when I click on one of these, so now I'm trying to access a PHP file that's doing what? What's Apache doing? What was that? Kind of. That's the output that we get, but how do we get that? It executes the PHP code and outputs whatever it outputs as HTML. Exactly. So this is exactly what's happening here. We're making a request to Apache. Here, Apache is saying, oh, there exists in the web root. There does exist a pictures directory and I have this stupid option so here's everything in this directory. But, Apache has an option that says anything that ends in .php executed as if it's a PHP script. So it executes those and shows us the output. 
One thing that could be really interesting about this is if there's any hidden files or anything that starts with a dot or there's anything that does not end with .php, that could be or if there's any temporary files in here. So VIM, is it VIM that does the tilde at the end or is that Emacs by default? One of them uses, like, temporary files with the tilde. That's VIM, Emacs is the pound. So yeah, there's different editor temporary files so you can sometimes find temporary files on here. But fundamentally, this gives us some information but not really the information that we're looking for. So we'll execute anything that ends in .php. So I'm going to give you the vulnerability. That's it, you found 3 out of 16. Well, the check pass page. There's something. I don't want to do something. I want to do the vulnerability. So there's, like, multiple of the same possibilities. Did you already try the one I guess was? Yep. Do you guess both search, login? What about upload? What's on upload? Yeah. You could copy that alert code and make this I don't know which field it's in. So just spam because I've seen the source code. What about the search bar? I mean, I've seen the HTML source. So let's think about this. So what's that going to happen when I click this search button? To where? Probably another page. Probably? How can you find out where? We can do the source. We can see the form is going to go to the picture slash search dot php and get parameter with the name of the query. So I'm saying vulnerability is the last one. Exactly. So even though the search bar appears on multiple pages, you wouldn't say that this page the form doesn't exist on the form, it exists on the code behind the form. Well, what about any of those fields? Sure. You guys spent a while last week looking at it and tell me which one's vulnerable. Spent some time going through the slides. So it doesn't do a query for this field to run through. It doesn't appear on that. Okay. So here's a question. 
The the title's vulnerable on that one to a cross-site scripting I can't remember what the stored kind is called. Yeah, so you can put script. Is it just stored? It's a very fancy name. Why would title work and not other fields? Because title is getting, I'll look at the HTML in a minute when the view page gets called. Is uploading it to the other and then Well, so the way this works is you pick your picture and then when you hit upload it's going to submit and it's going to save it in the database but then it's going to pull up the view page and the view page has a vulnerability in it where it's displaying that field and then it'll display the title. And in the title the pizza guy's late. I know of all. But we're thankful to him. Right? Oh. Darn it. Darn it. You're the one who did this. You told me it was vulnerable. It looked like it was. I didn't get that far. So I do know we can put any file and we'll just upload it. So we got the other the password check thing. Any program we put up through this. Once you can execute any program on the server you can download whatever code you want from wherever and execute it. So yeah, that could help. Maybe they restricted access. You write your own PHP program and upload it. The same stored one is if you make a comment to a photo. I just did it. Yeah, but he did high. I didn't. Create it. We need to reload the page. Which is does. So this is again, a phone. Mm-hmm. You mean for XSS or for the XSS? Yeah. Because when you upload the file it'll store some of the database. I'll explore. Mm-hmm. Did you confirm the shelter data? Mm-hmm. Oh, did you like this at work? Yeah, I didn't. Oh, and it works? Yeah. Okay. I was going to say try and execute arbitrary PHP instead because that's what it's written in. PHP? Just write PHP code. I don't know how to write PHP code, but write PHP code. The internet. You think that it'll execute PHP if it has an image? Sure. What's the extension of this? .thp. 
I don't know, but if you upload an image and then it has to load that image on a page, would it execute PHP code? Because then it might not. It might not, but if you could go to the directory in which the file was actually stored, which you can, then you could potentially view that as PHP itself. But if you have a batch, it executes our own PHP code. Oh, that's an idea. Yeah. So just look up the line. The internet knows PHP? Nothing. Nothing ever good just comes from the internet. What's the extension? Except, my Eric, my man. I don't know if that works. Look at what it does first. What should I do? What should I get? Just look for hello world PHP. Literally, I typed in my first PHP program copy and paste. So we upload .thp. Go up to the top. Right here? Save that as .thp. That's too hard. I need to download the file easier. What? I don't want to copy it and paste it for a while. You killed me. That doesn't work. What in the world is the end of this? Oh, I just wrote a different file and saved you the location. Oh, okay. Why did it put in slash a? So, yeah, I got to do the PHP code. Really? Yeah. I'm getting a couldn't move picture. I just saved it as filename.php I was having an error on something. That was an easier way to find it. How'd you find it? So I went to a random photo and I did copy image location and I pasted it and I deleted the filename and I just kind of... Oh, you browsed to it. Yeah. I also removed house and I saw a is that now? No. Hmm? Slash uploads where the uploads go. And it put my upload a folder for the page. Believe it? Then the URL. So I opened up a here, let me find it again. So like I got this image here. Right? The house that I share. If you right click and do copy image location and then you pasted it in. Then it brings you to here. Then you go backwards and you find where it's stored and it put into A. I don't know why... Oh, I know why I named it A because I told it to be called A. That's a good... What is it actually sending back? 
Burp response. Burp response? Did I find something new? I don't know how to get that. So long? What's the response though? We forwarded. As I go to the HTTP history. Yes. All the way along. Is this calling good? Yeah, what's the response? No, no, no. We want to actually make an account. Go back up to... I think... Just do like test, test, test. You won't remember how... Go back here and like control. You won't remember how many users... Control R. Okay. You're intercepting it. Turn it off? Okay. There we go. Get it? Execute your code? And then echo hello. It didn't do that. No, it didn't. Did that try enough? Oh yeah, I just did that, Heather. I couldn't figure out what the vulnerability was for the calendar. Because it's... It's using like bin slash date to get the date. I didn't realize that works. If you put in... I think it's just like user slash account or whatever. If you put in the... It takes in the URL like the parameter in the milliseconds or whatever it is. Yeah, like if you do zero for the time, then it gives you January 1st, 1970. But I assume that's like some command injection. I got it, Adam. I got it. Your PHP code? So here's the... There's the PHP code. So show me. And then there's the... But right... Right click and use it. You had to make the name of the... File.php. Oh, yeah. And then it saves it using that name. That makes more sense. Oh, did Eric buy donuts? Hmm. This makes more sense. No. I'm just uploading something that I named test.php. 25. Do you know how much all the other pieces cost me? Are you filling in the other blanks? Yeah. And hey, that applies to everything, doesn't it? The other piece is definitely better. But we can get... It's between quality and quantity. Do we want more pizza, or do we want better pizza? What did you budget for? What did you budget for? I budgeted for... We'll see. The thing is, is Dr. On gave us less than what I budgeted for. But that's okay. I think we're good at anywhere between 50 and 6...
Like, 65 is cap per meeting. And I don't particularly want to hit that cap every meeting. But... We're getting more and more people. So, I don't know how... The pizza value goes down. You might lose people. It's true. What if I start a rival pizza shop? Okay, to devalue the cost of their pizza. Because the demand is less... Yes. Could be a pizza stand. Like a hot dog stand. Just build your brick oven right out there. Have you ever built a... What's it called? No. I've never built anything. What was it? I built a forge one time out of concrete and a metal bucket. Oh, you actually did that? Yeah. And what happened is the first time we fired it up, it exploded. Because there was air trapped in the concrete and that heated up and expanded so much that it caused the concrete to burst. Are you sure when your friend died? Did your friend die? Yes. But it was awesome. So it was okay. I'm sure he would have swapped positions with you. No, no. Eric, why don't you walk us through the pictures? Do you want me to walk you through doing it? Alright, so first thing I did was create a PHP program that had something in it that had to execute so that I'd know. I found it was really easy just to go to the web and ask the web for my first PHP program. But that's good enough. And then inside there I did an echo. Yeah. Perfect. You didn't do Hello World and then end it with the question mark closed tag and save it somewhere. Now, I don't know which I'm going to assume it's file name but I named all of them aaa.php. Oh, I bet I see another vulnerability too. Why is it not getting my session? Okay, so you save the file and then upload it a bit so Daniel, right? Daniel figured out that we, you know, using the traversal that we were using earlier starting at slash upload we're doing it that way. Yeah, it's easier to right click and copy the location of it. 
Well, except they're all different, but there you go, and then just click on aaa.php. How can I verify that this is actually... well, it's not executing any JavaScript code. If you right click and look at it there shouldn't be any of that echo stuff. Yes. If there was, we'd be really excited because maybe we'd be able to. So we can use this program now. We could upload a program and we can view every other PHP program that's on the server. We have access to anything we want now. Actually, I mean, we need to look for any other vulnerabilities we want. Wow. No, we still do because we're learning. I mean, can't you get like a reverse shell from there? Yeah. There are PHP shells that you can upload that will give you like a command prompt on there. Oh, yeah. Those are fun. It's kind of cool. Which is way better than my first program. Cool. So what else? What was the... there was one that broke every single time? That was the pass check. If you put a semicolon it just breaks the server. Yeah. Because the pass check... register to log out and then go to register and then check password string. Yeah. And it does a grep. Yeah, you can see right there. So if you put a semicolon it should end the grep command and then you can start and pass in a new command, whatever you want. But the problem that we were having is that it froze every single time. First thing I check is see if I process everything. Hmm. We can see that it's properly escaping it. So that's good. Next I would try. Yeah, so it's pretty clear on this one that it's using a grep. Oh. So what do I, so it's probably calling which to do this, what is it calling out to? Hmm. Yeah, system or exec something. Oh. So how can we prove one way or the other? What do I have to say? Type a semicolon. Type a semicolon and so what, what do we expect in here? It just breaks. Well it should, if there's just a semicolon it should still go through but it just... It super breaks. That's the super break. Get the restart done. Yeah. It dies.
Because I'll bet, because it's waiting, it's waiting for a response. It's waiting, there's some, the pipe or something it's, anyways I don't know. If I exploit that would probably be to just go into Burp and use the repeater. No, well you can still do it but instead of just doing the semicolon do semicolon true. Okay. So that's a Burp thing, that's not... the Docker container is fine. I'm still able to access it. Oh cool. Oh so when you turn off Burp and then okay. So now I can check semicolon. You have a blue line up there, kind of stopped. Yeah and that's warm again but then I should be able to just go here. It's still working. It's like the browsers are the ones that are messing up. So what'd you do to fix it? Just restart the browser? Why did it have to fix it yet? So is the browser then freaking out? Is there some like parse thing that's happening with it that it just can't? I don't know. Are you trying what you suggested? I'm going to try. Well, no I broke it. I did. I had the same issue so I restarted. Oh and restarting the browser, the web browser, fixed it. So it's actually the web browser that's having a coronary. Well Burp Suite too right? I didn't have to restart Burp Suite. I just turned intercept back on. It was fine. I'm going to try. Okay cool. Let's see how we can do this. The way of us testing it, apparently it didn't work. So we can send to repeater. We can make sure that we can send this. And it works. It's like the same food. So likely it's executing this exact command. Right? We want something to execute. How can we tell whether it worked or not? You can see the rest of the cover. I want to show it. Yeah so that's one question right? So do we actually see the output of this command? No. Exactly. We don't see the output. All it says is who is a bad password. What do we do like a really complicated? A reverse connection. It'll say is a bad password, why is it a bad password? Because it's not correct. Common words. I just put it in random terms.
It also says a bad word. So how can we check, if it's not ever giving us the output of this command, how can we check what it does? A reverse connection, I can't remember what it's called. Use nc to listen on one port and then make a connection back to it. We may be able to try to get it to connect back to us. What else? Could we try and pipe the output to like echo or something? No, to a file. And then we can browse the whole directory so we can be able to see the file. Maybe we'll be able to do that. Where are we here? In the root directory? We can't see it here. A problem with that could be that if the web server does not have write permissions to that directory we're not going to be able to write anything out. Do you know a folder? I think we do. Yes, we don't necessarily... well, let's see. We can try that. So how are we going to execute it then? So what we're passing in is what it's going to check. So we want to pass in something for it to check, right? Okay. And then pipe and then now pipe that to the directory that we want to go to, the uploads directory. What was it? The caret? I don't know. It was still running? To run it? Yeah, but to run it it's Docker something. So what exact command, based on all we know, is it going to execute here? How do you know it there? Isn't it going to print that out? I was going to look. It puts it around the caret and has a dollar sign. So how do you grep caret foo: grep caret foo bracket upload slash php then dollar sign space slash etc slash dictionary dash common dash words. What do we just want to execute this? What does touch do? It just creates a file. What do we just want to execute that? How do you execute a process, let's say you have another process or when you're trying to execute one command... Oh, you do a Control Z? That's the state that... that's the sleeper in the process. Command line, on the command line, not controls. One is run. Run a command inside a command.
How do you use the output of one command as the parameter input to another command? Okay, that's different than I was thinking of. You use that to execute the command, then you do ampersand ampersand and then it'll just run in the background. One ampersand will run in the background but it still needs to be something to be executed. We still have this. We still have this running in the back. Depending to the end of whatever we put in. Remember, our output is going to be dropped in right here. So give it a fake command. Give it a 7. A 4. A 9. Give it a care of its base. This is going directly to the correct command. So we have to terminate the command before. We'll terminate it exactly the way it's terminating it here. To execute a new command. To our semicolon. The problem with and-and is that it depends on the expression of the first command. Or pipe, or semicolon. So this actually made me, what's, so I think this is what's happening when we just put in the semicolon here. It's trying to grep and waiting for standard input. Passing a file of what to grep for. So it's going to hang forever. That makes sense. So that's why we need to put the file of where we want to try to read from. So now before we do this, what's our success measure? If the file appears. So this was the command that it executed. We think. Although what's interesting about here. Okay this is a good teaching moment. Alright so let's see if this works. Okay. It did work. But what happened with our input here? What don't we see here that we thought we could see? Another grep. Why not? That means the ands failed. Why? Substitute it out. Yeah they didn't make it. They didn't make it. Saving Private Ampersand? Private Ampersand. Put that big sanitation on your end? Is that sanitation? I don't know. Where do we put our input in? We put. How does this input get into the program? Does that need to be encoded? We put it in. Where? Of what? We put it unencoded. What is this? Header. Here's the whole thing. Here's the URL.
Here's the URL. Yes. That's the POST. This is our request. I know. URL encoded. No. URL encoded. So if you are URL encoded, what's URL encoding for parameters? What are these types of characters there? Ampersand. We still need what? Space. Ampersand for plays. Ampersand for stew. Is it nuts? What is a URL made of? The parameters of a URL. The parameters of a URL. Oh, so we did %26. But why? So we did ampersand, grep. Is it being so close? No. Here we're in URL. This is URL. Where are your parameters? Key value pairs separated by amp. Key equals the value and then an ampersand. Key equals the next value. So we put these ampersands in here. The web server thinks we're starting a new URL parameter. And we can actually see it was very lenient and allowed us to do spaces and other things that we probably shouldn't have. Well, how did it execute the grep? Obviously, it did it up to here. So it did it up to here and that was enough for this to work. But if we select this, right click on it and we can say Convert selection, URL, URL-encode key characters. Now when we send this, we come down here and we can see the command grep /dev/null touch upload/foo && grep. So now we actually got the ampersand character into there. Very cool. So we don't even need to run that. No, apparently not. Probably should have just in case. It's like, I think actually what may have happened is we may have touched something called dollar sign maybe and then tried to touch this /etc/dictionaries-common/words file. Those are all paths as an argument. So do we have to do this in the Repeater or can we type that into the password check line? Kind of, but this is way easier. Got it. So you could type that into the password. Yeah. Do that and then just type that into foo instead of the grep. So do what? So do cat slash etc slash passwd, yeah. And then the caret. Just give it the seven dollar. Yeah. That's fine. You don't have to encode it, too.
Oh, yeah. No, you won't. You won't. You'll be alright. Let's see what that looks like. So did foo grow inside? cat /etc/passwd | grep. Now we can see all the users on the system. So we can execute any command on the system. Do it alright? I can get the output. How do we know the user we're executing as on the system? uname? whoami? Why do I think uname? That's the name of the system. Yeah. I would do id. That's another good one. Also, we're really good to probably change this to a pen. That way we're not getting rid of this every time. So we can see we're executing as the www-data user on the system. Well, at least it's not root. Well, yes, that's a good thing. But this gives us our first toehold in the system, right? The same way as when we uploaded that PHP script. Now we're fundamentally executing code as the www-data user which means now that we're on there, we can put in a backdoor as we get on the system. Then we can try to use that to exploit up to root. Now you could make that pipe for that count. Okay, the other way, actually the easiest way to do this, so there's two things I want to go over. So, backticks. What do backticks do in a command line? That's what I thought you were getting at earlier. Subprocess. That actually worked. So what do backticks do? Subprocess. Just execute this process and use the results as basically the command here right at this point. I don't know if this will work right away. Backticks. Type the word. Yeah. So here we have the ls. So let's see if there's a good and easy way to test this. But now we have to think of what if the www-data user can't write anywhere? What if there's not an upload directory? How can we get the outputs? Could you... It doesn't have one? And how would we get that data? We can't read a folder or outside of it. Could it SSH to your own server? That might be two to four minutes. That'd be one way.
It's a little complicated because we don't yet know if this thing allows outgoing connections. So a key really easy one is time. So what about your ping -c, I don't know. I think google.com. Oh, actually I need a number. So ping google.com ten times. So if I send this and we can see that we're waiting and it's either timing out or... and if I got rid of these I'd see that the response is immediate. Right? And I can even be even more sure that this is actually what's happening by let's say putting this number in half. You messed up. Or you could run sleep. Yeah, or you could run sleep or anything like that. So a timing-based attack is actually a really great way to be able to tell if you have command execution on the system. Because then you don't care what the security permissions are, right? You don't care if you make outgoing connections or incoming connections. And once you are here then you can worry about how do I actually use this to exploit things. But fundamentally once you can get it you completely own the system. Completely? So this is command injection vulnerabilities. We didn't actually talk about this, but this is a really good one to look for. So have we completely owned the system? Couldn't you always, but have you found, have you owned the system completely and found all of the vulnerabilities? Well, I mean, just because we could execute a command doesn't mean that we have complete ownership. That would be correct. There would be other steps. There's like a config.php file, yeah? That might have database information of the username and password in there. But this is it. I mean once we're here we can do all that stuff. But what's another vulnerability? Inside the command injection? No. In the program. Oh, in the, okay. In that location. Yeah. I mean, I don't know if this counts as a vulnerability, but you can input the same coupon over and over and over again. Walk me through that. In the calendar on, I think it only works on like Fridays and Saturdays.
Yeah. It gives you a coupon code for 10% off. And then you can fill your cart up with a bunch of pictures. You can continually use the same coupon code. Wait, how did you get Bryce's password? I created this site. It's also Bryce. Because Bryce is not a very bright user. Did you know somebody named Bryce? No comment. And so this is actually getting applied. Okay, you're going to be paying us. I mean, it'll eventually go to like one cent, right? It'll round down eventually to zero, maybe. It seems though, like it's concatenating or it's calculating the percentage based on the last percentage off. Whereas it's not applying, it's not doing a summation of all the percentages. It's applying 10% of that, then getting the new price and applying 10% to that and continually doing that. So is this a vulnerability or not? Well, I'm going to check out and try to subtract the numbers. If the user, if the programmer didn't intend it. I just purchased these pictures that should have cost. So is that a vulnerability? Yes. If you were developing this site, would you want the functionality of an unlimited coupon submission? No. No, it's clearly a business vulnerability, right? Cool. So that's definitely one. It's called a logic vulnerability. So the problem is that it's not something in the program's code, right? So command injection is when you're able to inject into a command that they're making on the command line to execute arbitrary commands. You can inject into the SQL code. So in both cases, there's a bug in the way they're issuing this command, or they're issuing a SQL query, or they're outputting HTML. Here, the code is working correctly. The problem is the code is not working the way the developer intended it to occur. So these are much more difficult to track. So what else? What about X-Frame-Options headers? So... Is that legal? No. Especially when you have to ask him... Is it? And what is it? Yeah, what is it? What do you mean, what is it?
You could tell him, you just ask him. Why is it vulnerable? So you could embed iframes or any other links into a page. So when you click on anything, you're clicking on something else. Basically what that is is clickjacking. What does X-Frame-Options do when you're being able to modify that? How do you set up... X-Frame, X-Frame-Options means that you can't just frame the page itself. So go back to... I know I wanted to get you to find that picture. Yeah, but that's the port that it talks about. What's it called? Services right now. But not when the traffic is... Yeah. Yeah. Oh no, this is the previous page. So yeah, they don't have that. Yeah, but it's old. Let's try going to... recent uploads. Because I can't tell if it's... Anything else? That's it? I found all the bugs. Oh, do I... You guys should especially... Click on options. If you know it was a site that was created that had intentional... We know it was created by a lazy graduate student. So why would they do functionality instead of just... Okay, go back. Go to... Your preferences again. Go to advanced settings. Now, unclick. This is proxy for all protocols. And... Delete. I guess there's a vulnerability with cookies. Because I totally just restarted the Docker. I mentioned it was able to log right back in. Yeah. Logging in. I'll pick this up for sure. Who's the one who was talking about calendars? That's right. If you go to the... You're using the... I have no idea. You're using the... Let's see if we can... If you go to the... Flash calendars. You need to find something else that's not... Flash calendar. That's not using this, but you can use it. Oh, this is just www, you know? I don't know how to get to it, but it's there. Well, it could be called to... Oh, the calendar. Now, you see the date. Well, I was able to... If you go into... How do you get... Yeah, I'm an admin award for this. Yeah, it's trying to... It looks like he has everything correct, but it's not. What are the options on the proxy?
Okay, so you're listening on port 8080, so then you have to go over to... Oh, I see. You have to update your settings. Your network settings. This is the problem. So you're telling it you have no pro... Don't use a proxy for localhost. That's the default setting, so... That makes sense. So now if you go back to the browser and refresh, this should go through the proxy data. So, by the way, it's just an intercept. Oh. Well, first you're going to have to click on that. It doesn't let you click on it. Go to the settings right there. Hit restore default. Right click on it. Exit it and try opening it. Oh, wait, what's that in a word? You can access /etc/passwd. They'll just... You might have multiple firsts, right? Oh, exactly. Okay, so I just... It depends on the permissions of that file. I don't know. Can I see my page like in chmod 777? Yeah. You could. Do you have access to /etc/passwd? Yeah. So I'll see if you're root. Yeah. Yeah, you should not be able to delete it. Yeah. Can you create a new user? Darn it. What would happen if you deleted /etc/passwd? Would all your users go bye bye? Yes. Oh, I found one. chmod 777 *. It's on the right. Yep. Yeah, I got it. I got a new one. You got a new one? Right. Yeah. What else? No, but it's not running. Why? Go to your options. See how it says not running? There you go. Does that work? Now turn it on. We'll make sure that your browser is running through the proxy. Chrome? Okay. What's this? What's this? How long would it take to see it on the entire server? I feel like there has to be a boner. I was running around a lot today. So I traded for a pizza. I traded for a pizza. I was down on my luck. What's this? What's this? It's in calendars. What's this? Where is it? It's super or something. Super you? Yeah, it's just calendars.php. I used to put in my IP address. I messed the server up. Well, you have to change your settings out here. You should open up your browser. This should be changed to 80.
Whatever port you're trying to use, 999. On the left, the 80s, you're right. That has to be something we can do. We're going to opt more slowly. I'm going to just be in the end. I know that whole thing. Oh, there you go. Can you buy your own thing? Wow. Negative money? Double check and go back to Burp. And go to outfits. Super you 21. Super you 21. Super you 21. Super you 21. Yeah, I got there. I feel like there has to be a vulnerability though in the Flash or whatever, you're going to ask what your favorite color is. Into the contest. I don't have Flash installed to do this because I'm not going to install Flash. I'm sure there's a vulnerability there somewhere. We can overwrite the files, since we can write files, and then the Flash can do whatever we want. Yeah, but I don't think that's what the vulnerability is. Well, no, so you would use the picture thing to upload a Flash file, and then you would use the grep to copy it to that location. Yes. And then we could display our own. Yeah, but the vulnerability with the command injection, per se, there should be a vulnerability in the Flash itself. I would assume. Yeah. Otherwise it wouldn't be the only thing on the website made with Flash. Yeah. So what happens if we type it in there? Oh, you won't. Never mind. There we go. Yeah, for whatever reason, this must have killed the Docker somehow. So now we're trying to browse it. That's what I'm saying. There we go. We exploit Flash without installing Flash. Don't want to install Flash. What browser is this? Really? Then if it's Firefox, we're not trying to go into... What's your favorite? How does... Mine's Aqua Merlin. And... Thank you. So I think Chrome prevented it from doing it. Yep, that works. Another reflection. Oh, in the color thing? Well, I mean you could just put it probably in the color thing, but if you just modify the URL and type it in, it does it. I see what you're saying. Okay. So actually... I have no idea. About the smallest... So I'm doing...
Wait. XSS? Oh wait, I didn't do it. Why didn't you do it? Oh, I got a super sneaky one. Because you're a sushi? I don't know what you can do with it. Actually, it doesn't work if you do it in here though. If you get someone... What? Eric's part time bird? This is really exact, because it encodes the... This is actually really exact because it encodes the text when you do it. Why is this not working now? Oh, I'm in Chrome. That's why it's not working. I can't do it yet. No response? Yeah, no response. Chrome is smart. Chrome won't let me do it. So... So, so... Oh yeah, it happens. Wait, I have to get both Flash. What did you have to write it down before? What does that mean? Why was it... Why did Adam say it was illegal? Because he wants us to do it in here. It's like using Chegg. Chegg? Oh, I see. Hopefully you're exploiting the website. Wait, I didn't want that. Since it's so much fun. How's studying been? Good studying? Adam, did you go over the admin vulnerability? No. Well, just so you can get into the admin area with admin admin? Nope, I did not. But why don't you talk to us about it? Okay. Did you find that out by testing a piece of paper that's in front of you? Yes, I found it out last week. Like most of these things. But... So where did you find the admin link? Well, it's at the bottom of, I think, every page. It's in there. It's just admin. For all you guys who don't know, a lot of people are really lazy. And so a great thing to try in all admin and password areas. Or admin admin or admin password or things like that. Yeah. It's a surprise someone mentioned that. Yeah, me too. So, now we can... Now you win. Now we win. Oh, but it's broken. It's broken. It's almost like there wasn't enough time to finish this admin. And there's a vulnerability in the brokenness. Definitely one vulnerability, right? Default username passwords. This is what you should try every single time. Right? Awesome. All right. What else? You can do cross-site and me Flash thingy on me.
Yeah, how can you guys even say that first of all? I just found it. Like I only loaded the web page in Chrome so I could do it. It's an uninstalled Flash in Firefox. Where is it? Home? It's... Where is that? It's... The first page when you log in, I don't... Yeah, it's /home.php. Yeah. Why don't you tell me the URL of this guest? /submit-name.php. Question mark of value equals... This is why you need to be able to get any Flash content or anything else on the page that may tell you other links. That is just a reflected though, right? Yes. Yeah. What's the worst you can do with reflected? We will explore that and figure out a good way for us to test that. Okay. Because I just couldn't think of anything off the top of my head. Because it only... Because only you can send... So we talked about this before you came. But I can send... I can trick you to click on this link. If I get you to click on this link... Oh, I see. ...that I wrote executes in your browser. That makes sense. Okay, I can see that. So it's not... It's hard to have as big an impact as a stored, but you can still... It's just... Essentially just as that, because I can get you to trick on... Click on anything, right? The other thing is... That's why that exists. I can URL encode the heck out of this whole string that I'm passing in, so you would not know that it looks like <script or anything like that. It looks like any old link. I have another one if you want. So in the admin area. You have a great viewable admin area. Yes, now log in, please, using your fancy password. Create new user. Now, it's interesting. The URL at the top says page=create. And the PHP name is create.php. So what if you made it fff? page=ffff. Oh, so what's happening is it's including any PHP page that's on the system. And you can do... That's through the page equals? Yeah, pretty much anything you want. So it's similar to query, but for PHP pages. So it's basically just doing a strict...
It's just looking at the GET parameter, which is page, and then just putting it into this require_once, which is a PHP... For including... You use it in PHP to include, so you don't like... You can include a page dynamically or whatever. You could do... See, upload your own page. Sure, we've done that. You have to upload to about half the... But now the page no longer has to have a .php. Oh, yeah, it would have to have a .php. But... So let's look... So I have this upload, this one, right? Yeah. So you're saying if I do what? That minus the .php, it should... You have to navigate up a couple directories, though. This one. Yeah, we'll have to figure out... Actually, delete the last .php. This is doubly... But now we have to go up and... Is it up two or up? It's up. Yeah, up one. So how... Okay, so now we're going to... I might have to just tell you there's no way we're going to get this on our own. But let's say I couldn't upload something with the name .php. Right. Right? So which means that I need to control exactly which file we're opening, but what is the program doing to whatever I give as input to this page parameter? Appending .php? Appending .php. So we can use a horrible, horrible fact... Well, you already had .php. It worked. You didn't get .php.php. It was a real error. Oh. They included null in the URL encoding. So what are you trying to do with null? Terminate the string right there. Yeah. So the idea is the %00 is the null character, and so when your string is concatenated together in PHP, the string is like... dot dot slash, dot dot slash, etc slash passwd, the null byte, and then .php. But when it gets passed to require, it... Require uses C functions in order to do what it's doing, so it only goes up until that zero character. I wouldn't have gotten that one. Yeah. It's a classic CTF style thing. Why does it matter if it goes up to that zero character? Because we're trying to get it to do something other than .php. Right.
Because depending on .php, something weird is going on here. But what are you trying to do with /etc/passwd? I'm trying to get the /etc/passwd file. To display it? Yeah. Oh, okay. So require_once takes whatever you give it, and outputs it as if it was... Well, interprets it as if it was PHP. So if you just take a regular text file, if it doesn't have any start PHP tags and end PHP tags, it will just output whatever is there. Okay. Just do a slash that seems to be trying to go up. Right? Yeah, something's going wrong. This maybe doesn't work the way I thought it was doing it. Maybe they fixed it. Yeah. Maybe they fixed it. Well, no, no, no. Maybe mod_php fixed it and doesn't pass that through anymore. Or maybe they require... I mean, do you have the original... Are you using the same version? No. I don't think so. Yeah. mod_php. I didn't have enough time to see if we were actually doing the same. Exactly. Set up. Okay. That is interesting. That's a cool capability that kind of... There's actually... There can be another thing here. Let me... So one cool thing to do whenever you can upload a PHP file to a page, how do we do that and upload? Yeah. Too much source. Somebody take me to... Break myself. Yeah. On your computer. It's ended and uploaded. We got your IP address. We've been connecting to port 8a, 8a on your computer. Good thing it's in a Docker. Where are you trying to go? Just go to the sites. The regular website. Isn't comb.php a... Yes. Go back one? You broke something. We broke something with that require. It's my guess. It shouldn't be permanent though. Not if you restart the server. Another way to look at this, to realize that, this is another way to test for this. So here we can see we're on the index. So Aaron figured it out from going to the create page, which you only could go to if you knew the username and password. If you're just going to be outside, you can see this index.php page, and yet there's this page=login.
So one way to say is, is there a login.php page? I don't know if my computer's melting or what's going on. So admin/login.php gave me the same admin area page. So that's kind of a hint that, it's a very big hint that, oh man, there's a login.php page that is exactly the same thing as accessing the index.php page with the page=login. That makes sense. We're just by changing this parameter, see if we can tell you, I mean, that would be the similar thing. That it's clearly trying to feed this. So you could do a page equals from the page. Yes, there is our index.php page on file that's just going to require another page file. It's like a C header file. So you can put the eight hand, because I got a five. That's not how it's written. So you just kind of have to figure it out based on the URL and inclusion of the login and security review. Looks like you can also just go straight to home.php. It's not actually doing anything else. Well here, I've already logged in, but we can double check that how. So you can take the home page, and how are we going to change this to test that I can just access it directly. Remove the session. Change the session or remove it or something. Yeah, just remove the cookies. No. But actually it doesn't. Oh, it didn't actually work. So we have three C other. So the problem is you've already logged in. Okay, it's just asking you to log in even though you're already logged in. Home doesn't, maybe create does though. You were going to upload something. Oh yeah, I was going to show you something cool. Okay. I'm not going to show it. Give us some time to work. No, it's not a vulnerability. PHP, it's showing you a phpinfo which shows you, which is a lot. So phpinfo, if you can get this to run, you can get a lot of cool things to run. Here's my test.php. I think it's correct syntax, just as phpinfo. Uploading it. Overcharging for it. Your computers. I don't know. Seeing the phpinfo might be invaluable. Oh, is it not with underscore?
I think so. Remembering the underscore that apparently doesn't exist. Well this showed me with phantom underscores. It's a nice challenge. What was that? No, he just navigated to a page that I thought was on this but I couldn't tell if it was on this. Somebody's computer is having a file. There we go. phpinfo tells you everything about the PHP that is running on this page. So you can see the exact version of the operating system, what files it's running, when it was compiled. Important things in here are... This one. Okay. So this one doesn't have it. So there's two actually really important values here that you can play with. One is allow_url_include. So this is enabled, which I should probably change the setting so it doesn't enable it. This means that we can put in here an HTTP URL and it will go and request that page and execute it as if it was PHP code. You see that it's saying that it can't do it because of the allow_url_include. But if that value is changed to yes, or some people sometimes did, you could then fetch any page, download that and execute it as PHP. But it's like it falls off. It depends on the history of the PHP installation. I think in older versions it was enabled by default. If you were running a version and sent them a Bank of America URL, you have the whole point there, I think, be clear to everybody: if you do that you can run on the server whatever code you want. So you don't have to upload a PHP script, somewhere else to a server you can control it's just a text file that says delete everything. And now you're executing your shell or doing whatever you want there. And it also works with, it's actually enabled by default. So whenever they open a file, if they're opening a file that you control what they're going to open, you can do all kinds of cool tricks. You can like fetch things, you can make FTP requests, you can like, this one has supported protocols and wrappers. I'd use this for one CTF that was like insane.
You can access files from the local file system, you can access HTTP URLs, FTP, you can access various PHP streams which is like standard input, standard output, Zlib, you can compress things, some of them have SSH2, SSH access, you can do all kinds of cool stuff with this. What is running that open? The PHP code, the PHP code calls fopen with user input, you can control what it opens, there's the server you're attacking, but that's if it has URL in it, allow_url_include, if it has this allow_url_fopen, so this would be like open up this file, read it and send it to you. But with that you can also open a PHP, so then what you could do is, it's a web request from their server, so you could use that to try to port scan what ports are open on their local machine. Maybe there's a, they're running some management interface that's only available from localhost, so if you're connecting to it locally you can access it. That happens a lot. You can even try to access other servers on its internal network from there to try to see what other computers are on there. So wait, what's the difference between allow_url_fopen? fopen is the fopen family of functions for opening a file; include, require, those kind of, which are like take this PHP code and execute it. So what is the difference of what you can do with each of those? So with both of them you can open up like FTP or HTTP. fopen by default just reads it, so it reads it and does whatever the program does, like reopening a file. fopen, include opens it, it says execute this right here as if it was PHP code. So which one's like more of a security issue? include, because you can just execute arbitrary code from any website. This thing is any website if it's not open, then anywhere on their server. How common are, so you can, yeah you can also use it to, CTFs is pretty common, real life, real life still probably pretty common. Wait, CTFs aren't real life? Did you get a letter from the NSA? Oh the challenge, the, I got that, cool. Okay so level 2 from here, now that we've kind of explored
a lot of level 5, there's still one very tricky, there's also, we'll add you to our, the one that's tricky, does it need to be chained with another? Okay, I see how you want to play this, maybe next year. So that's what we'll do is I think we'll dig more into SQL injection, so we'll look at fancier types of SQL injection vulnerabilities and how we can bypass things and track things and do all kinds of cool stuff.