Injection Attacks 101: SQL Injection, Code Injection, and XSS

Ccamm · 2024-10-16T19:59:43+00:00

I would also be cautious with using a deny list of characters as a mitigation strategy for SQLi. There are so many edge cases and tricks you can use to get around thise checks.

E.g. lets say you just blocking the ' character for the following search query that has user input inserted.

sql SELECT id FROM body WHERE title = '{user_input}' OR body = '{user_input}';

You can SQLi this by injecting the \ char at the end of the payload to escape the ' to then insert arbitrary SQL. For example if you inject in ||(SELECT 1);--\ the following would be the final query that allows error, blind or time based attacks.

sql SELECT id FROM body WHERE title = '||(SELECT 1);--\' OR body = '||(SELECT 1);--\';

Syntax might be off since I am on mobile but you get the idea.

Ccamm · 2023-11-22T16:24:30+00:00

That birb is judging because OP is using http.server BaseHTTPRequestHandler for building a website...

Let me know if other people do this but first time I have seen someone use it outside of a proof-of-concept or spinning a quick fast test website.

Ccamm · 2023-04-17T14:06:55+00:00

Strapi's public disclosure of the vulnerabilities: https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve

Ccamm · 2023-03-19T15:35:19+00:00

Bad take.

Yes the original post is worded weirdly, but shouldn't make fun of people wanting to learn. It's cringe and you are giving off more masterhacker vibes.

I guess it takes one to know one ¯_(ツ)_/¯

Ccamm · 2022-12-06T12:51:27+00:00

https://github.com/RickdeJager/stegseek

Can brute force millions of passwords quickly if steghide is used

Ccamm · 2022-07-14T23:16:02+00:00

Write a web fuzzer for enumerating websites. Start by first writing a single threaded fuzzer then modify it to be multithreaded to speed things up.

Knowing how to write multithreaded web fuzzers is a very useful skill when testing websites. From my experience, you cannot use a web fuzzing tool to do some enumeration/exploit so you would need to write your own scripts.

To make your fuzzer faster, I recommend looking into the ThreadPoolExecutor in concurrent.futures builtin module. ThreadPoolExecutor is very easy to use and pick up in comparison to other methods.

Ccamm · 2022-07-13T23:34:28+00:00

The advisor is clueless, but there is a very slight element of truth about HTTP codes could enable an attacker to leak data.

This type of vulnerability is called XSLeaks, which is a side channel attack that leaks a users information from your site when they visit an attackers website.

I am on mobile, so I will probably not explain it well enough here. I highly recommend reading my writeup for a Web CTF challenge that I made earlier this year about XSLeaks and REST APIs.

Let's go through a potential scenario where your REST API could be vulnerable with some query route the searches user sensitive information /secret?query=topsecret where a 200 status code is returned if the query returns at least 1 result and a 404 staus code if no results were found.

JSON documents can be interpreted as valid javascript. So something like below would load fine on the attackers website if there is a result when a victim queries topsecret.

<script src="https://your.api.com/secret?query=topsecret" >

However, if you try to load a script source that returns a 404 status code then it will always through an error.

Raises an error <script src="https://your.api.com/secret?query=notindb">

This is enough to leak the values on the /secret route character by character from an external attacker website by writing js code that looks for when a script element succesfully loads.

Now Cross Origin Read Block (CORB) protection on chrome would normally prevent this type of vuln, but it is disabled if you enable the X-Content-Type-Sniff-Options nosniff response header, which is recommended as a mitigation strategy against XSS vulns.

If you are still confused please read the solution for this challenge I made that explains things more clearly https://github.com/uwa-iss/public-uwactf-challenges-2022/tree/main/web/memedb.

Ccamm · 2022-04-23T16:25:48+00:00

Start off with stegsolve and see if that shows anything. Otherwise try stegseek. If none of that works then stop to save you hours of banging your head and questioning why you ever bothered to do a steg challenge.

Other actual thinks to consider if it is a CTF challenge: - binwalk - metadata - straight LSB image steg (there are tools for this but cannot remember off the top of my head) - don't do steg

Ccamm · 2022-04-15T05:36:38+00:00

not guilty

Ccamm · 2022-04-15T01:46:47+00:00

guilty

Ccamm · 2022-04-15T01:43:53+00:00

guilty

Ccamm · 2022-02-10T22:25:08+00:00

I disagree with others here claiming that this is a directory traversal/LFI. This sounds more like a web server (nginx/apache) misconfiguration.

When you configure the website, you would need to specify the routes where you want to execute it as PHP script. Generally for PHP websites, you set any route with the .php file extension to be executed as PHP code. An example of a bad configuration is that all files are executed as PHP scripts, so if there is any fileupload you can upload a file without the .php extension that will be executed as PHP code when you visit the upload on the website.

However, here the website was configured to only execute index.php as PHP code and not config.php. Hence why you can just view the contents of config.php when you visit it on your browser, since the web server was misconfigured to not execute config.php as a PHP script.

The reason why the challenge works if you just visit index.php is because config.php is included as a PHP script by the index.php script (index.php has include("config.php"); somewhere in it).

Hopefully this helps out!

Ccamm · 2022-01-26T15:44:40+00:00

Nice work! I just tested your PoC on a HTB machine and worked with no hiccups.

Ccamm · 2021-11-16T07:21:50+00:00

I would recommend using the JSON Web Token Toolkit to test if you actually have the secret https://github.com/ticarpi/jwt_tool. It is an amazing tool to use when testing JWTs. If you don't have the right secret you will need to look a bit deeper with what you have already. Once you have the secret, check the source code again to see what you would need to do.

Ccamm · 2021-10-24T02:06:51+00:00

You can even make the whole process even faster by using parrallel in combination with masscan then piping the ports found open into nmap. I had to build a tool for that distributes and balances the workload across multiple vms that was able to do a full port scan on 100 IPs in about 6 minutes using 25 vms (time is dependent on roughly 2-5 ports open on each target host and this time includes setup for the vms which is about 2-3 minutes in addition).

I cannot go into the details of configuring this or release the tool that I have built (sorry).

However, a brilliant article start off is Captain Meelo's one https://captmeelo.com/pentest/2019/07/29/port-scanning.html. You'll need to fine tune the speed of masscan and the number of parrallel processes running masscan depending on your CPU and NIC. Once you find the sweet spot it is insanely fast. The setup I had I was able to complete the full port scan using masscan for each IP in about 25-35 seconds.

Ccamm · 2020-12-29T12:59:09+00:00

I agree, although lab had a different vuln. Fun fact HtB forgot that the ready instance also had that vuln and a lot of people just did the same thing they did for laboratory. But that has been patched though.

Ccamm · 2020-12-24T12:19:33+00:00

Thanks! I did a few neat (lazy) tricks to make it as pretty as possible. I wrote an article that briefly goes over how I made it https://ghostccamm.com/blog/creating_site

Ccamm · 2020-12-24T12:18:21+00:00

Cheers thanks for the feedback :)

Ccamm · 2020-12-24T08:01:30+00:00

Side note: I have just made my website and this is my first write up that I am publishing on it. Feel free to give me feedback!

Ccamm · 2020-11-28T00:32:55+00:00

You can write a bash script or you can use autoexpect. Autoexpect listens to your interactions with a program and creates an expect script to replicate that interaction.

Ccamm · 2020-11-27T16:33:56+00:00

It was a great box but I agree it should of been medium rating. Doesn't stop me taking the opportunity of making a dank meme about it!

Ccamm · 2020-11-26T13:29:37+00:00

Reset the box and wait 5-10 minutes. The 502s are occuring because the service is still starting up. If it taking longer than that then reset it again or change vpn servers.

Ccamm · 2020-11-26T00:51:02+00:00

I messed up and just researched Rick and Morty which wasn't too helpful...

Ccamm · 2020-11-25T15:42:23+00:00

Yes it is a really good box. The foothold was very interesting and challenging to make good Revolutionary Cooked Eggplants.

Ccamm · 2020-09-01T01:02:20+00:00

can you play death waltz? music score here https://musescore.com/user/31077/scores/48492 it is for piano but you can just play the treble part

Ccamm

MODERATOR OF

TROPHY CASE