Hack This Site: Extended Basic – Mission 6

Hello World and welcome to HaXeZ, today we’re going to be looking at Hack This Site ExtBasic 6. Solving this challenge requires some basic knowledge of PHP or any other language for that matter. It’s a simple challenge that shows how poorly coded web application authentication mechanisms can be bypassed.

The Challenge

The image below shows the PHP that makes up the authentication mechanism. This is the code that we need to exploit in order to bypass it. The introduction text at the top explains that the sysadmin is a noob and that the script is located at http://moo.com/moo.php. Therefore, to solve this challenge we need to append the correct syntax to the end of the URL and submit it to the submission form.

The PHP Code

The snippet below is the exact code we’re going to be exploiting. Furthermore, there is no backend database to worry about, just some simple PHP logic that we can leverage for our own nefarious purposes.

<?php
        $user = $_GET['user'];
        $pass = $_GET['pass'];
        if (isAuthed($user,$pass))
        {
                $passed=TRUE;
        }
        if ($passed==TRUE)
        {
                echo 'you win';
        }
?>
        <form action="me.php" method="get">
        <input type="text" name="user" />
        <input type="password" name="pass" />
        </form>
<?php
        function isAuthed($a,$b)
        {
                return FALSE;
        }
?>

Breaking Down The Code

We’re going to break the code down line by line in order to solve this challenge. Once we understand what the code is doing, we will be able to use its own logic against it and bypass authentication.

First, the code starts with a tag telling us what language it is.

<?php

Next, we have two variables being set from user input. The $user and $pass variables are populated from the ‘user’ and ‘pass’ parameters of the GET request. This is more evident later on when looking at the HTML form.

$user = $_GET['user'];
$pass = $_GET['pass'];

This is where the logic begins. When the user submits their username and password, the data is passed to an if statement. If the values of the variables ‘$user’ and ‘$pass’ are correct, then the variable ‘$passed’ is set to true.

if (isAuthed($user,$pass))
{
        $passed=TRUE;
} 

After that, the application uses another if statement to check whether the value of the variable ‘$passed’ is set to true. If ‘$passed’ is set to true, then the application echoes out “you win”. This also ends the first section of PHP.

if ($passed==TRUE)
{
        echo 'you win';
}
?>

Now, we move on to the HTML. This is the login form that the user will send when loading the page in their browser. It is fairly standard and just performs a GET request to me.php. The contents of the GET request are the values of the inputs named ‘user’ and ‘pass’. The user input type is text and the password input type is password.

<form action="me.php" method="get">
<input type="text" name="user" />
<input type="password" name="pass" />
</form>

Finally, we have the last section of PHP. This is the function that is supposed to check whether the username and password are correct. It receives the values of the variables ‘$user’ and ‘$pass’ as ‘$a’ and ‘$b’, and if they match, the first if statement is executed. As written, though, the function simply returns FALSE, so the login form itself can never set ‘$passed’.

<?php
        function isAuthed($a,$b)
        {
                return FALSE;
        }
?>

The Solution

With that rather long explanation out of the way, we can now move on to solving the challenge. It’s pretty simple if you know how PHP site URLs work. We know that in order for us to authenticate, the variable ‘$passed’ needs to be set to ‘TRUE’.

PHP allows you to specify variables and their contents in the URL. For example, a dynamic PHP website using a CMS like WordPress may have a URL like HTTP://site.com/index.php?page=1. The question mark indicates that what follows is a variable and in this case, the variable is ‘$page’. Furthermore, we can specify that we want the value of the page variable to be 1.

With this in mind, we can take the provided URL of HTTP://moo.com/moo.php and append a question mark followed by the variable passed equals TRUE, as seen below.

http://moo.com/moo.php?passed=TRUE

Submitting this to the input box will solve the challenge.
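The bypass above only works because the script never initialises ‘$passed’ and PHP’s old register_globals setting (off by default since PHP 4.2 and removed in PHP 5.4) turned every query-string parameter into a variable. The following Python model is an added example, not the challenge’s PHP: vulnerable_login() emulates register_globals by merging the query parameters into the script’s variable table, and hardened_login() shows the two fixes that close the hole. The function and variable names are assumptions chosen to mirror the page’s code.

```python
"""Model of the mission 6 login logic (added example, not the challenge's
own PHP). vulnerable_login() emulates register_globals; hardened_login()
initialises the flag and reads only the expected parameters."""
from urllib.parse import urlsplit, parse_qs


def is_authed(user, pass_):
    # Mirrors isAuthed() on the page: the stub never accepts anyone.
    return False


def _query_params(url):
    """First value of each query-string parameter, as $_GET would hold it."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def vulnerable_login(url):
    """The page's script under register_globals.

    Every query parameter becomes a script variable first, so an
    attacker-supplied 'passed' parameter pre-populates the flag that the
    script forgot to initialise."""
    local_vars = dict(_query_params(url))   # register_globals emulation
    user = local_vars.get("user")
    pass_ = local_vars.get("pass")
    if is_authed(user, pass_):
        local_vars["passed"] = True
    # PHP's loose comparison ($passed==TRUE): any non-empty string other
    # than "0" compares equal to TRUE, so ?passed=TRUE or ?passed=1 passes.
    passed = local_vars.get("passed")
    if passed is True or (isinstance(passed, str) and passed not in ("", "0")):
        return "you win"
    return ""


def hardened_login(url):
    """Same flow with both defects fixed: the flag is initialised to False
    before use, and only 'user' and 'pass' are read from the request, so
    nothing in the URL can reach 'passed'."""
    params = _query_params(url)
    user = params.get("user", "")
    pass_ = params.get("pass", "")
    passed = False                          # explicit initialisation
    if is_authed(user, pass_):
        passed = True
    return "you win" if passed else ""


if __name__ == "__main__":
    print(repr(vulnerable_login("http://moo.com/moo.php?passed=TRUE")))
    print(repr(hardened_login("http://moo.com/moo.php?passed=TRUE")))
```

On a modern PHP the hardened version is the natural shape anyway; the lesson that survives register_globals is the first fix: never read a security flag that the code has not explicitly set, and never let request data choose variable names.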

PortSwigger: SQL injection attack, listing the database contents on Oracle

Hello world, and welcome to HaXeZ where today we’re looking at PortSwigger Web Security Academy: SQL injection 8. This lab requires you to query the information schema to get the table name and column names, and then perform a UNION injection to get the administrator username and password. It’s the same as the last lab except this time we need to alter our syntax as we’re doing it against an Oracle database.

SQL injection attack, listing the database contents on Oracle

So as stated in the introduction, we need to use Oracle database syntax to perform a UNION-based SQL injection to retrieve the contents of the database. More specifically, we need to dump the contents of the users table and log in to the application as the administrator in order to solve the lab.

The Lab

The Application

First things first, we need to explore the familiar application. It’s exactly the same as with the previous lab. There is a navigation menu at the top of the page and some product details underneath. It appears there are two columns, which we can validate using the ‘NULL,NULL+FROM+DUAL-- ‘ syntax that we used in previous exercises.

The Application

Querying The Database Tables

Once we have verified that there are two columns and that both allow text, we can start querying the database for all table names. Instead of querying the ‘information_schema‘ tables that we used in the previous lab, this time we have to query ‘all_tables‘. The syntax below will return all tables currently in the database. Please note that rendering directly through Burp may not show all the tables. I had to switch back to the raw mode in order to find the users table.

GET /filter?category=Accessories'+UNION+SELECT+table_name,NULL+FROM+all_tables-- HTTP/1.1
SQL Injection – Querying The Database Tables

Querying The Table Columns

Once we have the table name, in this case ‘USERS_GVOYYA‘, we can start querying the columns within that table. In order to do this, we need to use ‘all_tab_columns‘ and specify the table which we found using the previous command. As you can see from the screenshot below, this produces two results ‘PASSWORD_HPZDJL‘ and ‘USERNAME_SYDOYL‘.

GET /filter?category=Accessories'+UNION+SELECT+column_name,NULL+FROM+all_tab_columns+WHERE+table_name='USERS_GVOYYA'-- HTTP/1.1
SQL Injection – Querying The Table Columns

Querying The Column Data

We now have everything we need to query the table directly and get it to dump its secrets. The screenshot below illustrates that it was possible to dump the contents of the ‘USERS_GVOYYA‘ table, including the username and password of the administrator user. Using this information we should be able to complete the lab.

GET /filter?category=Accessories'+UNION+SELECT+PASSWORD_HPZDJL,+USERNAME_SYDOYL+FROM+USERS_GVOYYA-- HTTP/1.
SQL Injection – Querying The Column Data

The SQL Injection

Then take the results of the SQL injection and head over to the login page link at the top of the screen. Input your newly acquired username and password and you should solve the lab. Congratulations.

Log in

PortSwigger: SQL injection attack, listing the database contents on non-Oracle databases

Hello World, and welcome to HaXeZ where today we’re looking at PortSwigger Web Security Academy: SQL injection 7. This lab requires you to query the information schema to get the table name and column names, and then perform a UNION injection to get the administrator username and password.

SQL injection attack, listing the database contents on non-Oracle databases

So as mentioned above, this lab requires some logical thinking when structuring your query. First, you need to query the information schema to find out what tables there are. Then you need to query it again to find out what columns are in a particular table. Finally, you have to modify your attack to query the specific table to return the contents of the specified columns.

The Lab

The Application

Navigating to the application we can see it is laid out like the rest of them, with the navigation menu at the top and the list of products underneath. In order to capture a request, we need to turn intercept on in Burp Suite and click on one of the navigation URLs.

The Application

Querying The Database Tables

With the request captured, we can perform our standard column enumeration to determine how many columns there are and which columns contain text. Once we have identified that there are two columns that both contain text, we can query the ‘information_schema‘ table so that it returns the names of all other tables in the database.

'+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables--
SQL Injection – Querying The Database Tables

Querying The Table Columns

Now that we know the names of the tables, we can identify which tables might be interesting. Looking at the results we can see that there is a table called ‘users_odzpcz‘. This table will likely contain some juicy user credentials but in order to proceed, we need to know what columns are in that table. The image below shows the result of the query where we’re asking for the column names.

'+UNION+SELECT+column_name,+NULL+FROM+information_schema.columns+WHERE+table_name='users_odzpcz'--
SQL Injection – Querying The Table Columns

Querying The Column Data

Now that we have the column names, we can query the table directly and ask it to dump the contents of the two columns ‘password_nawvpk‘ and ‘username_bzubfy‘. I found that it was important to put the column names in the order that they appeared in the previous query. Otherwise, I just received a server error.

'+UNION+SELECT+password_nawvpk,+username_bzubfy+FROM+users_odzpcz--
SQL Injection – Querying The Column Data

The SQL Injection

With the SQL injection complete, all we need to do is look through the data and locate the administrator username and password. Once we have that information, we can head to the login page and use the credentials to log in and complete the lab.

The Login

Hack This Site: Extended Basic – Mission 5

Dear Friend, welcome to HaXeZ where today we will be looking at the Hack This Site Extended Basic mission 5. This mission is another programming mission that requires you to review the contents of a PHP file and then subsequently a shell script that is used to edit the PHP file. There is an error in the shell script that prevents it from doing what it’s supposed to do. We need to fix it.

The Code

The image below shows the code that Sam has written. The introduction message advises that Sam created a function called safeeval to run commands. However, on the page, he neglected to use safeeval and used eval() instead. Furthermore, it explains that he wrote a shell script to go through the PHP file and replace all instances of eval() with safeeval. Unfortunately, there is an error in the shell script that prevents the script from working.

Hack This Site Extbasic 5

The PHP Code

<?php
        include ('safe.inc.php');
        if ($access=="allowed") {
                eval($_GET['cmd']);
                if (!empty($_GET['cmd2'])) {
                        eval($_GET['cmd2']);
                }
        }
?>

The Shell Script

#!/bin/sh
rm OK
sed -E "s/eval/safeeval/" <exec.php >tmp && touch OK
if [ -f OK ]; then
        rm exec.php && mv tmp exec.php
fi

Hack This Site Extbasic 5 Code Breakdown

We don’t need to break down the PHP code as that is the code we’re trying to amend with the shell script. So let’s break the shell script down line by line.

First, as with all shell scripts, we get the ‘#!/bin/sh’ line, which tells the system which interpreter should run the script. Nothing out of the ordinary here.

#!/bin/sh

Next, we have the ‘rm’ command, which on Linux means to remove something, and after a bit of research it appears that it is the same on FreeBSD too. So this line is saying remove the file OK.

rm OK

The next line is using the sed (stream editor) command, which is what substitutes eval for safeeval. The exec.php file is fed to sed as its input using the less-than sign (input redirection), and sed’s output is written to a new file called ‘tmp’ using the greater-than sign. If sed succeeds, the ‘&&’ then runs touch to create the file OK.

sed -E "s/eval/safeeval/" <exec.php >tmp && touch OK

Next, we have some logic that checks whether the file OK exists, which tells us that the sed command executed successfully. If it did, the script moves on to the next line.

if [ -f OK ]; then

Finally, the script removes exec.php and moves tmp to exec.php.

rm exec.php && mv tmp exec.php

Hack This Site Extbasic 5 Solution

The final line is the end of the if statement so we don’t need to explain that any further. Upon closer inspection and reading the Wikipedia page for sed, it appears that substitutions with sed require two characters. First, it explains that in some cases you need to start the argument with -E. This is true on macOS, which is a variant of FreeBSD. We know Sam is using FreeBSD, so the -E at the start of his sed statement is correct. However, we also need the characters s and g. The s command tells sed to substitute one word for the other (eval with safeeval). The g flag tells it to do so for every match rather than only the first one. In short, Sam needs a g at the end of his sed statement to replace all instances of eval with safeeval. The correct syntax should be as follows.

sed -E "s/eval/safeeval/g" <exec.php >tmp && touch OK

Without the g, the substitution only replaces one instance of eval. The PHP file has multiple instances of eval, so the script fails to complete its purpose. Fun challenge.
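A practitioner running a rewrite like Sam’s would want to verify the result before the patched file replaces the original, and to be able to run it twice without producing ‘safesafeeval’. The Python below is an added example, not part of the challenge: rewrite_eval() emulates sed’s s command, which works line by line and, without the g flag, replaces only the first match on each line, and count_bare_eval() is the post-rewrite check. The pattern anchors on a word boundary so that an existing ‘safeeval(’ is never matched; the one-line variant of the file is constructed to show the case where g matters.

```python
"""Checks for the mission 5 rewrite (added example, not the challenge's
script). rewrite_eval() emulates sed's line-by-line s command with and
without the g flag; count_bare_eval() must return 0 before the rewritten
file is moved over exec.php."""
import re

# The exec.php from the challenge, used here as the sample input.
EXEC_PHP = """<?php
        include ('safe.inc.php');
        if ($access=="allowed") {
                eval($_GET['cmd']);
                if (!empty($_GET['cmd2'])) {
                        eval($_GET['cmd2']);
                }
        }
?>
"""

# Constructed variant with both calls on one line, where the g flag
# makes the difference.
ONE_LINE_PHP = "<?php eval($_GET['cmd']); eval($_GET['cmd2']); ?>\n"

# Only a bare eval( call counts: 'safeeval(' has no word boundary before
# 'eval', so it is never matched and the rewrite is idempotent.
BARE_EVAL = re.compile(r"\beval\(")


def rewrite_eval(text, global_flag=True):
    """Replace eval( with safeeval( line by line, like sed's s command.

    Without the g flag sed only touches the first match on each line;
    re.sub's count=1 reproduces that."""
    count = 0 if global_flag else 1          # re.sub: 0 means all matches
    return "".join(
        BARE_EVAL.sub("safeeval(", line, count=count)
        for line in text.splitlines(keepends=True)
    )


def count_bare_eval(text):
    """Number of eval( calls still not routed through safeeval()."""
    return len(BARE_EVAL.findall(text))


if __name__ == "__main__":
    print("before:", count_bare_eval(EXEC_PHP))
    print("after :", count_bare_eval(rewrite_eval(EXEC_PHP)))
```

The same boundary idea transfers to the shell script: a pattern that matches the bare call rather than the substring ‘eval’ keeps the rewrite safe to re-run, and a grep for the bare call after the rewrite is the check that ‘touch OK’ alone does not give you, since sed exits successfully even when it replaced nothing.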

Hack This Site: Extended Basic – Mission 4

Dear Friend, welcome to HaXeZ where today we will be looking at the Hack This Site Extended Basic mission 4. This mission is another programming mission that requires you to examine the source code of an application to determine its output. Again, please be advised that I’m terrible at programming so my explanation might be terrible.

The Code

The image below shows the introduction message and explains that sometimes we may need to decipher a language. Furthermore, it explains that sometimes the language may not be on Google or may be encrypted in some way.

Below that we can see there appears to be a user input of the numbers 6 and 7.

Hack This Site: Extended Basic – Mission 4

We then have a number of lines of code that appear to perform operations on the user-submitted values.

The Solution

As with Extended Basic 3, I’m going to attempt to break this down line by line and explain what is happening.

BEGIN F.ake

This appears to be the start of the program. I don’t think there is much more to it than that other than indicating the start of the program.

var int as in

What this appears to be doing is assigning whatever value the user has submitted to the variable var. The ‘in’ is the user input and var is the variable name. In this case, the value will be 6.

int var as in

This is similar to the line above and is assigning whatever the user submits to a variable called ‘int’. Again the ‘in’ part of the statement appears to be the user input prompt. In this case, the value will be 7.

out var int

Finally, the script is printing or echoing both the variables ‘var’ and ‘int’ to the screen, meaning it should output 67.

Extended Basic – Mission 4 Conclusion

I can’t think of any other way to solve this or what any of the other parts of the code would be doing, other than what I have explained. I hope this has helped you solve the challenge. Feel free to check out parts 1 to 3 and drop by my YouTube channel and subscribe.

Hack This Site: Extended Basic – Mission 3

Hello world and welcome back to HaXeZ, thank you for surfing by. This post is a walkthrough of the Hack This Site Extended Basic Mission 3. The purpose of this challenge is to deduce the function of a bespoke programming language’s application. A basic understanding of programming and assigning variables is required for this challenge. However, I’m terrible at programming and was still able to solve the challenge.

The Function

As mentioned above, the image below informs the user that the challenge creator has created a bespoke programming language. In order to solve the challenge, we need to walk through the application step by step and determine the output.

Extended Basic – Mission 3

Therefore, I believe the best method of solving this challenge is to analyse each line individually and identify what it is doing.

The Solution

BEGIN notr.eal

Firstly, the application starts with ‘BEGIN notr.eal’. Granted, this appears fairly self-explanatory and denotes the start of the application.

CREATE int AS 2

Secondly, it appears as though the application is creating an integer with the value of 2. However, as with other programming languages, the position of ‘CREATE’ suggests it is more likely that the integer value of 2 is being assigned to the variable ‘CREATE’.

DESTROY int AS 0

Thirdly, the same can be said about the ‘DESTROY’ variable. This could easily be mistaken for a function of the program. However, since this function isn’t previously described in the program, I’m going to assume that an integer value of 0 is being added to the variable ‘DESTROY’.

ANS var AS Create + TO

Fourthly, it would appear that the value of the ‘create’ variable (currently 2), or ‘CREATE’ as previously written, is being added to the ‘TO’ variable. I’m not too sure about this one but it resulted in the correct answer so my logic (however flawed) seems correct.

out TO

Finally, the value of the ‘TO’ variable is printed out to the screen. So in this instance the answer should be 2. If you submit that to the submission box then it should solve the challenge.

BEGIN notr.eal /* Starts the program
CREATE int AS 2
/* Adds the integer 2 to variable 'CREATE'
DESTROY int AS 0
/* Adds the integer 0 to variable 'DESTROY'
ANS var AS Create + TO
/* Appears to take the value of variable 'CREATE' and adds it to variable 'TO'
out TO
/* Prints the value of 'TO'

Extended Basic Mission 3 – Conclusion

While my explanation might be incorrect, it resulted in the correct answer. Furthermore, I tried to solve the challenge in other ways but wasn’t able to. If we break the program down again and look at lines 2 and 3 we could infer that the program is simply creating an integer of 2 and then destroying it. If it destroys the integer then the value of the variable ‘TO’ would be 0 which is the wrong answer. I’ve also looked at whether ‘AS’ could be a variable but we end up with the same result of the value of the variable being destroyed and ending up with 0. There could be something else I’m missing and if you spot it then please let me know. Anyway this was a fun challenge, please check out my other posts in this series ExtBasic1 and ExtBasic2.

PortSwigger: SQL injection attack, querying the database type and version on MySQL and Microsoft

Hello, world wide web and welcome to HaXeZ where today we’re looking at PortSwigger Web Security Academy: SQL injection 6. This lab requires you to return the database type on MySQL with Microsoft. I’m not sure if that means, a MySQL database on Microsoft Windows or whether it means MySQL and MSSQL. Let’s find out.

SQL injection attack, querying the database type and version on MySQL and Microsoft

Looking at the lab somewhat clears up the requirements to solve it. It asks us to find a vulnerability in the product category filter. With this vulnerability, it wants us to perform a UNION attack to retrieve the database version string. It’s essentially the same as the last lab but this time we’re querying a different type of database.

The Lab

The Application

Ah yes, the familiar application that we’ve come to know and love. It has a navigation menu at the top of the page containing various categories. Underneath, it has the products with a title of the product with bold font and a description with regular font. I like to make a point of explaining what type of font each column is using because it can affect the output of your SQL injection.

The Application

The SQL Version

In order to retrieve the SQL version, we first need to identify how many columns there are and how many of those columns use text. We have done this in previous labs, so please refer to my write-ups on those if you haven’t done them. The syntax is slightly different with this type of database. Instead of commenting out the rest of the query using the double dash ‘--‘, we need to use the pound or hash sign ‘#‘. Once we know that, we can then move on to getting the version information.

GET /filter?category=Accessories'+UNION+SELECT+NULL,NULL# HTTP/1.1
Repeating Requests

The SQL Injection

Now that we know the number of columns, we can ask the database to return the version information into one of those columns. In order to do this, we need to ask for the ‘@@version‘ information. You can append the following SQL statement to the parameter and then forward it to the application.

GET /filter?category=Accessories'+UNION+SELECT+@@version,+NULL# HTTP/1.1
SQL Injection To Get Version Information

The results will then be displayed at the bottom of the page which in this case is version 8.0.27. This is a very handy technique if you wanted to identify the specific version of the database running. You could then use this information to look for vulnerabilities that impact that version.

The Results

PortSwigger Web Security Academy: SQL injection attack, querying the database type and version on Oracle

Hello friends and today HaXeZ is looking at the 5th SQL Injection lab on Portswigger Web Security Academy. This lab requires you to perform a UNION-based SQL injection to retrieve the database version string. We can use the same techniques that we have developed so far.

SQL injection attack, querying the database type and version on Oracle

So as stated above, we need to perform a UNION-based SQL injection attack to retrieve the version number of the database. It is specific to Oracle databases, so the syntax may be different depending on which type of database you’re testing.

The Lab

The Application

As with the previous labs, the application is fairly basic. It has a navigation menu at the top with a list of products underneath. It looks like we have two columns to play with this time. A title with the bold font, and a description, with the normal font. We can capture a request with Burp Suite and determine the precise structure using the NULL method that we have done previously. However, one caveat is that we need to use ‘FROM DUAL‘ when testing the number of columns.

The Application

SQL Version

We need to use ‘FROM DUAL‘ as it’s an Oracle database. There is lots more information out there (such as on Stack Overflow) on why this matters, so I will let you go forth and do your own research. Once we have determined that there are two columns, we can then determine which columns contain text (it should be both of them in this lab).

GET /filter?category=Corporate+gifts'+UNION+SELECT+NULL,NULL+FROM+DUAL-- HTTP/1.1
Burp Repeater

The SQL Injection

Now that we know that both columns contain text, we can tell the database that we want the version of the database. We can choose which column we want the information injected in to, but we also need to supply the NULL value for the column we don’t use. As you can see from the code and the image below, I have opted to use the first column to return the information, and then used ‘NULL‘ for the second column. We then specify that we want the server ‘BANNER‘ from ‘v$version‘.

GET /filter?category=Corporate+gifts'+UNION+SELECT+BANNER,NULL+FROM+v$version-- HTTP/1.1
SQL Injection to get version information

You can then append the query to your request and the results should be displayed in the application’s response. Congratulations, you have just solved this lab.

SQL Version Information
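Seen from the other side of the wire, every request in the Oracle, non-Oracle and version labs above leaves the same fingerprints in the access log: a quote followed by UNION SELECT, a version probe, a schema-catalogue lookup, and a comment marker that truncates the rest of the query. The Python below is an added example (not PortSwigger’s code) that runs a handful of such rules over the request lines shown in these write-ups plus two constructed benign requests; the rule names and the log format are assumptions.

```python
"""Request-log triage for the UNION-based injections in these labs (added
example, not the labs' own code). Each rule matches one fingerprint in the
URL-decoded query string."""
import re
from urllib.parse import unquote_plus

# Constructed sample log: two benign requests and the lab requests above.
SAMPLE_LOG = [
    "GET /filter?category=Accessories HTTP/1.1",
    "GET /filter?category=Corporate+gifts HTTP/1.1",
    "GET /filter?category=Accessories'+UNION+SELECT+NULL,NULL# HTTP/1.1",
    "GET /filter?category=Accessories'+UNION+SELECT+@@version,+NULL# HTTP/1.1",
    "GET /filter?category=Corporate+gifts'+UNION+SELECT+NULL,NULL+FROM+DUAL-- HTTP/1.1",
    "GET /filter?category=Corporate+gifts'+UNION+SELECT+BANNER,NULL+FROM+v$version-- HTTP/1.1",
    "GET /filter?category=Accessories'+UNION+SELECT+table_name,NULL+FROM+all_tables-- HTTP/1.1",
    "GET /filter?category=Accessories'+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables-- HTTP/1.1",
]

# (rule name, pattern); patterns run over the decoded query string.
RULES = [
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("version-probe", re.compile(r"@@version|\bv\$version\b", re.I)),
    ("schema-enum", re.compile(r"\binformation_schema\.|\ball_tab(les|_columns)\b", re.I)),
    # a comment marker right after a quote, or at the very end of the query
    ("comment-truncate", re.compile(r"'\s*(--|#)|(--|#)\s*$")),
]


def query_of(request_line):
    """Decoded query string of a 'GET /path?query HTTP/x' request line.

    Split manually rather than with urlsplit so that a '#' used as a SQL
    comment is kept instead of being treated as a URL fragment."""
    target = request_line.split(" ")[1]
    return unquote_plus(target.partition("?")[2])


def triage(log_lines):
    """Map each request line that fires at least one rule to its rule names."""
    findings = {}
    for line in log_lines:
        query = query_of(line)
        hits = [name for name, pattern in RULES if pattern.search(query)]
        if hits:
            findings[line] = hits
    return findings


def summarize(log_lines):
    """How many lines fired each rule, for a quick dashboard-style count."""
    counts = {name: 0 for name, _ in RULES}
    for hits in triage(log_lines).values():
        for name in hits:
            counts[name] += 1
    return counts


if __name__ == "__main__":
    for line, hits in triage(SAMPLE_LOG).items():
        print(", ".join(hits), "<-", line)
```

Decoding before matching is the important step: the payloads arrive with ‘+’ for spaces and often with percent-encoded quotes, and a rule written against the raw line misses them. The benign category names contain none of these fingerprints, so the two constructed normal requests produce no findings.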

PortSwigger Web Security Academy: SQL injection 4

Hello friends and today HaXeZ is looking at the 4th SQL Injection lab on Portswigger Web Security Academy. This lab requires you to build on the UNION-based injection performed in the third lab. However, this time there is only one column that supports text. We will need to concatenate the results in order to complete the lab.

SQL injection UNION attack, retrieving multiple values in a single column

We’ve already completed the previous lab that required us to get data from another table. I’m going to skip the steps to determine the number of columns and which of those columns contain text. You will use the same methods used previously to determine this.

The Lab

The Application

As you can see from the image below, the application follows the same design as the other ones. It has a navigation menu along the top and a list of products underneath. However, this time we only have the name of the products. Previously, we had a description that allowed us to retrieve both the username and password.

The Application

Concatenation

Once we’ve worked out how many columns there are and how many of those columns contain text, it’s time to figure out how we’re going to get the contents from two columns into a single column. This is called concatenation and is particularly useful when you only have one column to work with. In order to do this, we need to intercept the request. After a bit of poking around with the repeater, we have deduced that there are two columns but only the second column allows text.

GET /filter?category=Accessories'+UNION+SELECT+NULL,'a'-- HTTP/1.1

So now we need to concatenate the values from the username and password columns in the users table. In order to do this, we can use the following characters: ‘||'~'||‘. The double pipe and the tilde in single quotation marks will tell the database that we want to merge the data from the username and password columns. The tilde acts as a delimiter character, which allows us to see where the username ends and the password begins.

GET /filter?category=Accessories'+UNION+SELECT+NULL,username||'~'||password+FROM+users-- HTTP/1.1
SQL Injection Concatenation

The SQL Injection with Concatenation

So now that we have our syntax, we can append it to the request and forward it back to the application. Once the server processes the request, we should have the results of the SQL injection at the bottom of the page. The usernames and passwords will be separated with a tilde.

SQL Injection with Concatenation

And that’s it. All you need to do now is to grab the administrator username and password and login to the application to complete the lab. The power of concatenation is awesome, I learned a lot from this lab.

Administrator Login

PortSwigger Web Security Academy: SQL injection 3

Hello friends and today HaXeZ is looking at the 3rd SQL Injection lab on Portswigger Web Security Academy. This lab requires you to take the UNION-based injection performed in the second lab, and extend it. This time we’re going to retrieve the contents of the username and password columns from the user table.

SQL injection UNION attack, retrieving data from other tables

As I mentioned, this lab requires you to use the techniques we’ve learned so far and build on them to retrieve the username and password columns from the users table. As always, we have our green button to head to the lab.

The Application

The application follows the same theme that we have been seeing in other labs. Navigation menu along the top with a list of descriptions underneath. However, this time it seems like we may only have two columns. There is a title that is in bold font, and a description that is in regular font. We can intercept a request to one of the categories to find out. Head to Burp, turn on intercept and click one of the links.

Intercepted!

With the request intercepted, we can start to enumerate the structure of the database. For example, we can start by determining how many columns there are using ‘UNION SELECT NULL-- ‘ method. As you can see from the image below, it appears that there are two columns. We increased the number of ‘NULL‘ values in our injection until we stopped receiving a 500 error.

UNION SELECT NULL Method

Next, we need to determine which columns are capable of handling text. We don’t want to try and dump our usernames and passwords into columns that can only display numbers. In order to do this, we replace the NULL value with a quoted string such as ‘test’. Since we only have two columns and both of the columns displayed text, it’s a safe bet to assume ‘UNION SELECT 'test','test'-- ‘ would work. In the picture below I have used ‘a’ because I’m lazy.

Working Out Text Columns

The Injection

So following the logic we have learned so far, we should now be able to dump the contents of the username and password columns from the users table. The syntax is pretty simple, especially if you’re already somewhat familiar with Structured Query Language. We replace the test values with the columns we want and then specify which table those columns are in. You may have to play around with the spacing, especially at the end.

'+UNION+SELECT+USERNAME,+PASSWORD+FROM+users-- 
The Injection

That’s it, you can forward the request to the application, which should solve the lab. When the final page renders, you should have the usernames and passwords at the bottom of the page.

The Results

Amendment

Don’t forget to log in as the administrator or else you won’t solve the lab. Whoops.

Log In
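Both of the UNION labs above (retrieving data from the users table, and squeezing username and password into one column with ‘||'~'||‘) only work because the category filter splices the parameter straight into the SQL text. The Python below is an added example, not the lab’s code: it rebuilds that filter on an in-memory SQLite database, once by string concatenation and once with a bound parameter, and runs the single-column concatenation payload against both. The table and column names (products, users, username, password) and the sample rows are constructed assumptions.

```python
"""The product filter behind the UNION labs, rebuilt on SQLite (added
example, not the lab's code). vulnerable_filter() concatenates the
category into the SQL text; parameterized_filter() binds it."""
import sqlite3

# The payload from the single-column lab, URL-decoded.
PAYLOAD = "Accessories' UNION SELECT NULL,username||'~'||password FROM users--"


def build_db():
    """Constructed sample data standing in for the lab's shop database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, description TEXT, category TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products VALUES ('Cap', 'A hat', 'Accessories');
        INSERT INTO users VALUES ('administrator', 'example-secret');
        INSERT INTO users VALUES ('wiener', 'peter');
    """)
    return conn


def vulnerable_filter(conn, category):
    """The lab's behaviour: the value becomes part of the statement, so a
    quote closes the literal, UNION appends a second SELECT over users,
    and the trailing -- comments out the rest of the original query."""
    sql = ("SELECT name, description FROM products "
           "WHERE category = '" + category + "' AND name IS NOT NULL")
    return conn.execute(sql).fetchall()


def parameterized_filter(conn, category):
    """The fix: the value travels separately from the statement, so the
    quote, UNION and comment marker are just characters of a category
    name that matches nothing."""
    sql = ("SELECT name, description FROM products "
           "WHERE category = ? AND name IS NOT NULL")
    return conn.execute(sql, (category,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable   :", vulnerable_filter(db, PAYLOAD))
    print("parameterized:", parameterized_filter(db, PAYLOAD))
```

Against the concatenated query the payload returns the product row plus one ‘username~password’ row per user in the NULL-padded second column, exactly the shape the lab displays; against the bound parameter the same input returns nothing, and no amount of quoting or comment markers changes that, because the database never parses the value as SQL.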