SECURECODE: 1 : OSWE Prep


SecureCode: 1 is an OSWE-like machine: the goal is to review the application's source code, find vulnerabilities, and chain them together to reach the final target, remote code execution (RCE).


VM: SecureCode: 1 ~ VulnHub

Information about the VM: SecureCode1: an OSWE-like Machine | by Ahmed ElTijani | SUDOROOT | Medium



First we download the application's source code from http://192.168.122.112/source_code.zip and review it for vulnerabilities.




The main page only shows an "under construction" notice, so next we review the directory structure of the source code.





Opening http://192.168.122.112/login/index.php redirects to the login page.






Next we explore the SQL database dump, which includes the database structure and table names; these will help us build queries to dump credentials from the database.




Next we import the SQL backup into MySQL so we can try out SQL statements against it. For this we use the online service MySQL online - Test SQL queries (extendsclass.com), which lets us interact with the database.








We get the admin user, its password hash, id_level (set to 1 for admin) and a blank token. Next we explore the source code to find a vulnerability that lets us bypass the login page.






mysqli_real_escape_string escapes special characters in a string before it is used in an SQL statement.

The characters it escapes are NUL (ASCII 0), \n, \r, \, ', ", and Control-Z.

The vulnerable query is the one where the developer does not put $id in single quotes: escaping only neutralises quote characters, so an injected expression can be appended directly without needing to break out of a string.



$data = mysqli_query($conn, "SELECT * FROM item WHERE id = $id");  //SQL injection 
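As an added example (not part of the original post or of the SecureCode source), the vulnerable pattern is shown next to two hardened versions; $conn is assumed to be an open mysqli connection:

```php
<?php
// Added example, not the application's own code. $conn is assumed to be an
// open mysqli connection to the SecureCode database.

// Vulnerable: the escape only neutralises quote characters, but $id is never
// inside quotes, so input such as "1 or 1=1" is valid SQL with no quote at all.
function getItemVulnerable(mysqli $conn, string $rawId): ?array
{
    $id = mysqli_real_escape_string($conn, $rawId);
    $data = mysqli_query($conn, "SELECT * FROM item WHERE id = $id");
    if ($data === false) {
        return null;
    }
    $row = mysqli_fetch_assoc($data);
    return is_array($row) ? $row : null;
}

// Fix 1: validate that the parameter really is an integer before using it.
// "1 or 1=1" fails validation and is never executed.
function getItemValidated(mysqli $conn, string $rawId): ?array
{
    if (filter_var($rawId, FILTER_VALIDATE_INT) === false) {
        return null;
    }
    $id = (int) $rawId;
    $data = mysqli_query($conn, "SELECT * FROM item WHERE id = $id");
    if ($data === false) {
        return null;
    }
    $row = mysqli_fetch_assoc($data);
    return is_array($row) ? $row : null;
}

// Fix 2 (preferred): a prepared statement keeps user data out of the SQL
// text entirely; the value is bound as an integer ("i") and cannot change
// the query's structure regardless of what the client sends.
function getItemPrepared(mysqli $conn, string $rawId): ?array
{
    $stmt = $conn->prepare("SELECT * FROM item WHERE id = ?");
    if ($stmt === false) {
        return null;
    }
    $id = (int) $rawId;           // bind_param needs a variable, not an expression
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return is_array($row) ? $row : null;
}
```

Either fix also removes the true/false oracle described below, because a non-numeric id can no longer influence which row the query returns.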

The next step is to build an SQL statement to extract data. If the result includes a row from the database, the page responds with a 404 status code.


Setting id to 1, which exists in the database, returns 404: the true result.



Setting id to 10, which does not exist in the database, returns a 302 status code: the false result.







Using these true and false responses we can build our exploit to dump the database. Before that we must take into account that single quotes in our exploit query will be escaped.


We use the ascii function to avoid needing single quotes, then test our exploit query.

or (select ascii(substr((select username from user where id_level=1),1,1)))=97=1 limit 1  = 404 status code  

or (select ascii(substr((select username from user where id_level=1),1,1)))=98=1 limit 1 = 302  status code



Then we build the exploit part that extracts data from the database.

To bypass the login page we have the password reset option, which sends a token by email and saves it in the database.

Open http://192.168.122.112/login/resetPassword.php and reset the admin token.


View the source code to understand how the reset token process works.


Edit our code to extract the password reset token.


The request_token function sends the HTTP request.






First extract the admin username, save the extracted data and use it when requesting a token for admin.



Next we use the extracted token to reset the password; we generate a random password.



http://192.168.122.112/login/doResetPassword.php?token=TOKEN





Reset the admin password and log in using the new password.


To automate the process we implement a reset_admin_password function.

The final part is uploading a shell through the add items feature. First we review the source code.


 

The first filter is based on the file extension, using a defined blacklist; the second checks the file content, so we put image magic bytes at the beginning of our web shell.



extension =phar

magic bytes = GIF89a;


POC


Full Exploit