This shows you the differences between two versions of the page.
isc:labs:09 [2023/12/10 16:19] alexandru.ghita2611 [Tasks] |
isc:labs:09 [2024/04/30 14:07] (current) radu.mantu |
Line 100: | Line 100: | ||
trick to accomplish this. | trick to accomplish this. | ||
- | First, copy your private key from **fep** to your workstation (since | + | You should already have a [[:isc:info:virtualmachine|SSH keypair for authenticating with fep & OpenStack]]: |
- | authentication with the VM will be realized from your PC) \\ | + | |
- | (//either do this, or assign a key existing on your machine to your OpenStack | + | |
- | account and VM instance)//: | + | |
- | <code bash> | + | |
- | scp <first.lastname>@fep.grid.pub.ro:.ssh/id_rsa ~/.ssh/fep_rsa # (for *nixes) | + | |
- | chmod 700 ~/.ssh/fep_rsa # required on *nix systems | + | |
- | </code> | + | |
- | Make sure to replace ''id_rsa'' from the remote server (fep) with your actual key name (if you didn't use the | + | |
- | default one). If you're on Windows / not WSL, please download the key to a path inside your home (last ''scp'' argument). | + | |
- | Connect to the VM using (**ssh on Linux / WSL**): | + | We will be using ''ssh''`s Local Port Forwarding feature, requesting it to pass all packets from ''localhost:8080'' through the SSH tunnel to the destination VM on ''8080'': |
- | <code bash> | + | |
- | ssh -i <fep key path> -L "8080:localhost:8080" -o 'ProxyCommand=ssh <first.lastname>@fep.grid.pub.ro -W %h:%p' student@10.9.X.Y | + | |
- | # after entering the password for fep and trusting the server's public key, | + | |
- | # you should see the 'student@host:~$' prompt! | + | |
- | </code> | + | |
- | If you use **OpenSSH for Windows**, you must use the full path for ''ProxyCommand'': | ||
<code bash> | <code bash> | ||
- | ssh -i <fep key path> -L "8080:localhost:8080" -o "ProxyCommand=C:\Windows\System32\OpenSSH\ssh.exe <first.lastname>@fep.grid.pub.ro -W %h:%p" student@10.9.X.Y | + | ssh -L "8080:localhost:8080" -J <first.lastname>@fep.grid.pub.ro student@10.9.X.Y |
</code> | </code> | ||
- | |||
- | This uses //fep.grid.pub.ro// as a proxy (''-W'' is stdin/stdout forwarding), | ||
- | successfully connecting to the SSH server running on the OpenStack VM | ||
- | (inaccessible otherwise) and requesting it to forward (''-L <local | ||
- | addr:port>:<remote addr:port>'') its HTTP server port (''localhost:8080'') back | ||
- | to your physical machine (same port, for convenience)! | ||
- | |||
- | **Note:** replace the ''<fep key path>'', ''<first.lastname>'' and ''X.Y'' placeholders with the | ||
- | actual path to your SSH key / username / VM IP address!\\ | ||
- | You can use the same trick to forward any port from a OpenStack VM to your | ||
- | local host! | ||
- | |||
- | <hidden> | ||
- | For this lab, **you are required to take a screenshot proving each task's | ||
- | completeness** (usually, of the exploited webpage). | ||
- | For the SQL injection tasks, it would be nice if you saved a list of successful | ||
- | inputs in a .txt file. For the XSS / CSRF injection tasks, please include the | ||
- | HTML / JavaScript code you used into the archive. | ||
- | |||
- | Please upload the screenshots / readme to [[https://curs.upb.ro/mod/assign/view.php?id=280251|This Moodle Assignment]]. | ||
- | </hidden> | ||
===== Tasks ===== | ===== Tasks ===== | ||
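Review bot: the replacement command `ssh -L "8080:localhost:8080" -J <first.lastname>@fep.grid.pub.ro student@10.9.X.Y` drops the `-i <fep key path>` option that the removed command carried, even though the removed text explicitly covered readers whose key is not the default `id_rsa`; for them the new command is rejected by fep and by the VM unless `-i` is restored or the text points to a `~/.ssh/config` `Host` block with `IdentityFile` and `ProxyJump`. The placeholder sentence ("replace the `<first.lastname>` and `X.Y` placeholders with your username / VM IP address") was deleted together with the old block, but both placeholders survive in the new command, so keep that sentence. Two smaller wording points in the new paragraph: `-L` forwards TCP connections made to `localhost:8080`, not "all packets", and `-J` (ProxyJump) needs OpenSSH 7.3 or newer, which is worth stating for the Windows users the removed `ProxyCommand=C:\Windows\System32\OpenSSH\ssh.exe ...` paragraph used to address. Removing the `scp ... id_rsa` step is the right call: copying a private key off a shared login host was the weakest part of the old text (and the `chmod 700 ~/.ssh/fep_rsa` it prescribed was not the right mode for a key file anyway; 600 is the conventional one, 700 merely adds a pointless execute bit).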
Line 165: | Line 129: | ||
'SELECT <some columns> FROM users WHERE username = ' + username + ' AND password = ' + password + ' LIMIT 1;' | 'SELECT <some columns> FROM users WHERE username = ' + username + ' AND password = ' + password + ' LIMIT 1;' | ||
</code> | </code> | ||
- | * Is pretty obvious that the strings provided are not escaped, and we can abuse this misconfiguration. Check the links in the beginning! | + | * Is pretty obvious that the strings provided are not escaped and we can abuse this misconfiguration. Check the links in the beginning! |
* If you ever want to exit the MySQL server:<code> | * If you ever want to exit the MySQL server:<code> | ||
docker kill mysql | docker kill mysql | ||
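Review bot: the only change here is a dropped comma, but the sentence still reads "Is pretty obvious that ..." (missing "It") and still calls unescaped string concatenation a "misconfiguration"; it is a code defect (user values spliced into the query text instead of being bound as parameters), so suggest "It is pretty obvious that the strings provided are not escaped, and we can abuse this flaw", plus one clause naming the fix the lab is building toward: prepared statements / parameterized queries. The `docker kill mysql` context line sends SIGKILL to the container; `docker stop mysql` lets MySQL shut down cleanly and is the better thing to teach under "If you ever want to exit the MySQL server".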
Line 179: | Line 143: | ||
* What if I told you there is a hidden **flag** inside the database? Find it! | * What if I told you there is a hidden **flag** inside the database? Find it! | ||
* Hint: where do you have query feedback inside the application? try to do an ''UNION'' hack! | * Hint: where do you have query feedback inside the application? try to do an ''UNION'' hack! | ||
- | * Note: Since we will be using the same query as the one used in the first exercise, we must first find the exact number of columns used. We are aiming at building a query of this format: <code sql> | + | * Note: Since we will be using the same query as the one used in the first exercise, we must first find the exact number of columns provided to the statement. We are aiming at building a query of this format: <code sql> |
- | SELECT col1, col2, ..., colN from users WHERE username ='' UNION SELECT col1, col2, ... , colN-1, desired_column from desired_database --;</code> | + | SELECT col1, col2, ..., colN from users WHERE username ='' UNION SELECT col1, col2, ... , colN-1, desired_column from desired_database_table --;</code> |
* Note: for UNION to work, you must SELECT exactly the same number of columns as in the original query! | * Note: for UNION to work, you must SELECT exactly the same number of columns as in the original query! | ||
- | * After finding out the exact number of columns, we can use ''GROUP_CONCAT'' technique to extract the available database tables\\ Check out the cheatsheets from the Background section! (P.S. database schema is ''journalapp'') | + | * After finding out the exact number of columns, we can use ''GROUP_CONCAT'' technique to extract the available database table names.\\ Check out the cheatsheets from the Background section! (P.S. database schema is ''journalapp'') |
- | * Hint: <code>UNION SELECT col1, col2, ... , colN-1, GROUP_CONCAT(<what are we looking for in the schema>) FROM information_schema.tables WHERE table_schema='<our schema name>' </code> \\It is not necessary to know the exact names of 'col1', 'col2', ... 'colN-1'. You can replace it with numbers or '@'. | + | * Hint: <code>UNION SELECT col1, col2, ... , colN-1, GROUP_CONCAT(<what are we looking for in the schema>) FROM information_schema.tables WHERE table_schema='<our schema name>' </code> \\ It is not necessary to know the exact names of 'col1', 'col2', ... 'colN-1'. You can replace it with numbers or '@'. |
* Got any table that catches your eye? We are going to use ''GROUP_CONCAT'' again, but this time we are trying to find the name of the columns of our desired table. | * Got any table that catches your eye? We are going to use ''GROUP_CONCAT'' again, but this time we are trying to find the name of the columns of our desired table. | ||
* Hint: <code>UNION SELECT col1, col2, ... , colN-1, GROUP_CONCAT(<what are we looking for in the table>) FROM information_schema.columns WHERE table_name='<our table name>' </code> | * Hint: <code>UNION SELECT col1, col2, ... , colN-1, GROUP_CONCAT(<what are we looking for in the table>) FROM information_schema.columns WHERE table_name='<our table name>' </code> | ||
+ | * Got the column name? Good. Now it should be nothing more than a simple select query :) | ||
+ | * Hint: <code>UNION SELECT col1, col2, ... , colN-1, <desired column name> FROM <desired table name></code> | ||
<solution -hidden> | <solution -hidden> | ||
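Review bot: the `information_schema.columns` hint filters only on `table_name='<our table name>'`, while the tables hint two lines above correctly scopes by `table_schema='<our schema name>'`; on a server with more than one database a common table name returns columns from every schema, so add `AND table_schema='<our schema name>'` to the columns query as well. In the renamed template `... from desired_database_table --;`, MySQL treats `--` as a comment only when it is followed by whitespace, so `--;` as written is not a comment; it works in practice only because the application appends ` AND password = ...` after the payload, and writing `-- ` (trailing space) or `#` in the template avoids teaching a form that fails when pasted into the mysql client. For the newly added final step `UNION SELECT col1, col2, ... , colN-1, <desired column name> FROM <desired table name>`, mention that if the page renders a single record and the target table holds several rows, `GROUP_CONCAT(<desired column name>)` collapses them into one, exactly as in the two preceding hints.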
Line 200: | Line 166: | ||
<script>alert("XSS!");</script> | <script>alert("XSS!");</script> | ||
</code> | </code> | ||
- | * **Hint**: You can use absolute element positioning, e.g.: ''<div style="position: absolute; top: -300px;left:100px;"> insert your img here </div>''. Try it with the browser's developer console / inspect element first before injecting it inside a message ;) | + | * **Hint**: You can use absolute element positioning, e.g.: ''<div style=%%"%%position: absolute; top: -300px;left:100px;%%"%%> insert your img here </div>''. Try it with the browser's developer console / inspect element first before injecting it inside a message ;) \\ [[https://www.w3schools.com/css/css_positioning.asp]] |
+ | * Hint: Console can be accessed either by right-clicking and choosing Inspect or by hitting F12 on your keyboard and navigating to 'Console' tab. | ||
+ | * Note: Try appending code to the document's body. | ||
<solution -hidden> | <solution -hidden> |
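Review bot: the new hint "Console can be accessed ... navigating to 'Console' tab" and the preceding hint's "developer console / inspect element" point at two different panels: the Elements/Inspector tab is where the `<div style="position: absolute; top: -300px;left:100px;">` can be pasted and adjusted visually, the Console tab is where JavaScript runs, so say which panel the reader should use for which step. "Note: Try appending code to the document's body." is too vague to act on; state whether the intent is to paste the `<div>` as HTML into `<body>` in the inspector or to add it from the Console, and that this is a test step before the same markup goes into a message. The `%%"%%` wrapping keeps the quotes verbatim inside the `''...''` span rather than letting DokuWiki alter them, and the positioning link is a useful addition.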