
Friday, December 30, 2016

[low] HTML Injection - Reflected ( URL )


# Introduction

BWAPP → Low → HTML Injection - Reflected (URL)


# Training

: This page is a server-side script that prints the current URL back to the user.


I used a proxy tool to change the host value sent to the server.


The results are as follows.







[High] HTML Injection - Stored (Blog)


# Introduction

BWAPP → High → HTML Injection - Stored (blog)




# Training

: I put in the value I used in the low step. The output is as follows.



I checked /var/www/bWAPP/htmli_stored.php to see how it works.



I checked functions_external.php to see the xss_check_3 function.


The htmlspecialchars function was covered previously, so it is omitted here.







Monday, December 26, 2016

[low] HTML Injection - Stored (Blog)


# Introduction

BWAPP → Low→ HTML Injection - Stored (blog)



# Training

: The htmli_stored.php page is in a blog format.


Therefore it is possible to save HTML tags so that the administrator is shown unintended content, or so that when someone types in the text field on the blog and clicks [Go], the input is transferred and the user is moved to another page.

The contents of the exercise are as follows.
 : Moving from htmli_stored.php to htmli_post.php using a text field.

First, copy the page format from htmli_post.php so that it can be reused.



When fetching page formats, it is easy to copy them using the browser's web developer tools.


Put this code in the text field and click [Submit] to add it.




When the user enters data in both fields and presses [Go], the user moves to that page.





[Pwnable.kr/Toddler's bottle] cmd2 ( Solved. 16.12.26 )


# Problem

: I think this problem is similar to cmd1. The problem statement is as follows.

 '' Daddy bought me a system command shell. But he put some filters to prevent me from playing with it without his permission... but I wanna play anytime I want!''



# How To solve

 : First, connect to the server with ssh cmd2@pwnable.kr -p2222 (pw: flag of cmd1),
 then check the program source code.


Looking at the source code, I can see that it filters out some characters. I decided to use the environment variable I used in cmd1, and the following to produce the / character.


The first command I thought of was:
./cmd2 '$(echo /)bin$(echo /)cat flag
However, / is filtered here, so I replaced it with its ASCII code:
./cmd2 '$(echo "\57")bin$(echo "\57")cat flag
The word "flag" was also replaced using an environment variable.
The result is as follows.



[Pwnable.kr/Toddler's bottle] mistake ( Solved. 16.12.26)


# Problem

 : This problem is about operator precedence.


# How To Solve.

 : First, connect to the server with ssh mistake@pwnable.kr -p2222 and check the program source code.


The problem is in the 17th line. It arises because the comparison operator has higher precedence than the assignment operator.
First, open("/home/mistake/password", O_RDONLY, 0400) < 0 is evaluated. Since open() returns a positive descriptor, this takes the form positive number < 0, which is false and yields 0, so fd = 0 is assigned. Descriptor 0 is stdin. The first input value is therefore put into pw_buf and the second into pw_buf2; the XOR of pw_buf2 is compared with pw_buf, and the flag is shown if they are equal.
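The precedence problem above, as an added example that is not the challenge's source: open_with_bug() is written the way line 17 is, open_fixed() has the parentheses it needs, and opens_real_descriptor() is a small helper so the two behaviours can be compared on any readable path.

```c
#include <fcntl.h>
#include <unistd.h>

/* Same shape as line 17 of the challenge: '<' binds tighter than '=', so fd is
   assigned the result of the comparison (0 or 1), never the descriptor itself.
   gcc -Wall points this out with "suggest parentheses around assignment". */
int open_with_bug(const char *path) {
    int fd;
    if (fd = open(path, O_RDONLY, 0400) < 0) {
        return -1;   /* open() failed: the comparison was 1, so fd is 1 here */
    }
    /* open() succeeded: the comparison was 0, so fd is 0, which is stdin. The
       real descriptor is leaked and any read(fd, ...) now reads the terminal. */
    return fd;
}

/* Intended form: parenthesise the assignment so the descriptor is stored first. */
int open_fixed(const char *path) {
    int fd;
    if ((fd = open(path, O_RDONLY, 0400)) < 0) {
        return -1;
    }
    return fd;
}

/* Open a file the fixed way, then close it; returns 1 if a real (non-stdin)
   descriptor came back, so callers can tell the two behaviours apart. */
int opens_real_descriptor(const char *path) {
    int fd = open_fixed(path);
    if (fd <= 0) return 0;
    close(fd);
    return 1;
}
```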



Friday, December 23, 2016

[High] HTML Injection - Reflected (POST)


# Introduction

 : BWAPP → High → HTML Injection - reflected (POST)



# Training

 : At the high level, the function used at the previous level is combined with the htmlspecialchars function, which converts the characters used in tags (such as < and >) into HTML entities so that they are not recognized as HTML tags.



[Medium] HTML Injection - Reflected (POST)


# Introduction

 : BWAPP → Medium → HTML Injection - reflected (POST)


# Training

 : As before, I did the exercise without referring to the source code. When I input the value used in the previous step, it is output as plain text, as follows.


So I checked the input values sent to the server using Burp Suite.


I found that the value passed to the server is URL-encoded (< and > become %3C and %3E). If I input these encoded values, I thought, the specific function in htmli_post.php would encode them once and pass them on to the server. A sketch of what I had in mind is as follows.


When I input the value, it was passed to the server as follows.


After forwarding the values, I could use the HTML tags.




[low] HTML Injection - Reflected (POST)


# Introduction

 : BWAPP → Low → HTML Injection - reflected (POST)


# Training

 : htmli_post.php uses the POST method to transfer data, so the variable values sent to the server are not exposed in the URL. You can check /var/www/bWAPP/htmli_post.php for practice, but I used a proxy tool (Burp Suite).

First, when I entered a value into a variable, I confirmed that the output is the same as for htmli_get.php.


One difference is that the variable values are not exposed in the URL, as described above.


I set up the proxy and modified the variable values using Burp Suite.


The modified values are the same as the HTML tags used in htmli_get.php.




Thursday, December 22, 2016

[High] HTML Injection - Reflected (GET)


# Introduction

 : BWAPP → High → HTML Injection - reflected (GET)


# Training

: At this level, all of the values from the previous levels are output as plain text, as shown below.

<Input value is equal to low level>

<Input value is equal to medium level>

I checked the source code as I did at the medium level. First, I looked at htmli_get.php and found that the high level uses the xss_check_3 function.


Next, in functions_external.php, I could see what this function does.


I found that the htmlspecialchars function is what neutralizes the input value. It is a basic function provided by PHP: it converts the special characters used in HTML (such as <, >, & and quotes) into HTML entities.
 So, if you want to prevent HTML injection, you can use this function to make the characters used in HTML tags be treated as text.

[medium] HTML Injection - Reflected (GET)


# Introduction

BWAPP → Medium → HTML Injection - reflected (GET)



# Training

: If we enter the input value used in the low step at the medium step, the output is as follows.


I wondered why this is, so I checked the source code. The source code is located in /var/www/bWAPP. The contents of the source code are as follows.


I could see that the xss_check_1 function is used at the medium level. xss_check_1 can be found in functions_external.php.


I could see that < and > are converted to other characters. Therefore, I typed the URL encoding of the characters used in the tag.
  • %3Ch1%3ESuccess%3C%2Fh1%3E
  • %3Cimg src=http://192.168.10.119/bWAPP/images/bee_1.png%3E


The results were as follows.
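An added example, not bWAPP's own functions_external.php, covering both the medium-level bypass just shown and the htmlspecialchars fix described in the high-level posts above: filter(..., 0) escapes before URL-decoding, which I assume is the order that lets the encoded %3C slip past the check, while filter(..., 1) decodes first and then escapes the same five characters htmlspecialchars does.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

static char result[256];   /* shared result buffer; not thread-safe */

/* Decode %XX sequences and '+' the way the server decodes a form parameter. */
static void url_decode(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < outsz; i++) {
        if (in[i] == '%' && isxdigit((unsigned char)in[i + 1]) && isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            out[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else {
            out[o++] = (in[i] == '+') ? ' ' : in[i];
        }
    }
    out[o] = '\0';
}

/* Rewrite the five characters htmlspecialchars(..., ENT_QUOTES) rewrites, so the
   browser shows them as text; output is truncated, never overflowed. */
static void html_escape(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (; *in != '\0'; in++) {
        char single[2] = { *in, '\0' };
        const char *rep = single;
        switch (*in) {
            case '&': rep = "&amp;"; break;   case '<': rep = "&lt;"; break;
            case '>': rep = "&gt;"; break;    case '"': rep = "&quot;"; break;
            case '\'': rep = "&#039;"; break;
        }
        size_t n = strlen(rep);
        if (o + n >= outsz) break;
        memcpy(out + o, rep, n);
        o += n;
    }
    out[o] = '\0';
}

/* decode_first = 1 is the safe order (decode, then escape). decode_first = 0 is the
   bypassable order I assume explains the medium level: escape the raw parameter,
   then URL-decode, so "%3C" sails past the escape and only then becomes '<'. */
const char *filter(const char *in, int decode_first) {
    char tmp[256];
    if (decode_first) { url_decode(in, tmp, sizeof tmp); html_escape(tmp, result, sizeof result); }
    else              { html_escape(in, tmp, sizeof tmp); url_decode(tmp, result, sizeof result); }
    return result;
}
```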





HTML Injection - Reflected (GET)


# Introduction

 : BWAPP → Low → HTML Injection - reflected (GET)



# Training

 : htmli_get.php is a page that prints the user's input value, as follows.


If you check the URL, you can see that the input value and variable name are exposed in the URL, because the GET method is used.



To test the input fields, I inserted HTML tags in the First name and Last name fields.
  • <h1> Success</h1>
  • <img src=http://192.168.10.119/bWAPP/images/bee_1.png>

The input result is as follows.







What is "HTML Injection"


# HTML Injection

: HTML Injection is a subclass of code injection attack, in which malicious HTML code is inserted into a vulnerable parameter. Using this, the attacker inserts HTML tags into the page the user requested, connecting the user to unintended content or to a malicious site.


# Reflection technique.

: An attack that inserts a malicious HTML tag in the URL so that the tag is rendered on the PC of the user who clicks the link. (In particular, when data is transmitted by the GET method, the variable name and input value are exposed in the URL.)




# Storage technique.

: An attack that stores a malicious HTML tag in the DB so that the tag is rendered on the PC of every user who views the stored content. If the attacker posts a malicious HTML tag to a public area, the attacker can attack multiple users at once.


Beebox Posting List


This page is the posting list for the Beebox exercises.
Its purpose is to let me find the information I want more easily. There is no content here that I have not practiced directly.




# Concept


# Training ( low )


# Training ( Medium )


# Training ( High )


Tuesday, December 20, 2016

Basic Stack Corruption (Stack Buffer Overflow)


# Basic Stack Corruption.

 : A buffer overflow is a vulnerability in which writing more data than the allocated buffer can hold overwrites the contiguous memory after it. It occurs because the string-processing function does not check the length of the input (e.g. strcpy).

The following program was used for the basic stack corruption exercise on Ubuntu Linux 14.04.


The goal is to execute the vuln() function using the strcpy vulnerability.
Since this version of Ubuntu uses various memory protection techniques, the program was compiled with the following options:

gcc -fno-stack-protector -mpreferred-stack-boundary=2 -o bof bof.c

After compiling, we can examine it using gdb as follows.


The attack based on the above is as follows.



Now find the address of vuln(), which is needed to build the payload, using GDB.



Having found the address of vuln(), we can now complete the payload.



I overwrote buffer[30] and the SFP with the letter "A" and replaced the RET address with the address of vuln(). So, after the main function returned, the vuln function was executed and a root-privileged shell was spawned.
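An added example, not the post's bof.c: vulnerable_copy() keeps the unchecked strcpy pattern described above, and bounded_copy()/checked_copy() show the length check that removes the overflow. BUF_SIZE matches the 30-byte buffer from the post; the function names are mine.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 30   /* same buffer size as the post's program */

/* The pattern from the post: strcpy() never looks at the destination size, so any
   argument of 30 bytes or more runs past buffer[] into the saved frame pointer and
   the return address that follow it on the stack. */
void vulnerable_copy(const char *src) {
    char buffer[BUF_SIZE];
    strcpy(buffer, src);             /* no length check: the overflow happens here */
    printf("%s\n", buffer);
}

/* Would a strcpy() of src into a bufsz-byte buffer overflow it? (+1 for the NUL) */
bool would_overflow(const char *src, size_t bufsz) {
    return strlen(src) + 1 > bufsz;
}

/* Bounded replacement: refuse input that does not fit instead of silently
   truncating it (strncpy) or overflowing (strcpy). Returns true on success. */
bool bounded_copy(char *dst, size_t dstsz, const char *src) {
    if (dstsz == 0 || would_overflow(src, dstsz)) {
        if (dstsz > 0) dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, strlen(src) + 1);
    return true;
}

/* Same local buffer as vulnerable_copy(), but copied through the bounded helper. */
bool checked_copy(const char *src) {
    char buffer[BUF_SIZE];
    if (!bounded_copy(buffer, sizeof buffer, src)) {
        fprintf(stderr, "rejected: %zu bytes do not fit in %d\n", strlen(src), BUF_SIZE);
        return false;
    }
    printf("%s\n", buffer);
    return true;
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    return checked_copy(argv[1]) ? 0 : 1;
}
```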




Thursday, December 15, 2016

[Pwnable.kr/Toddler's Bottle] ShellShock ( Solved. 16.12.15 )


# Problem.

 : This problem is about the ShellShock vulnerability, which has been categorized as CVE-2014-6271. The CVE description is as follows.

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. -- CVE site


# How To solve.

 : The bash shell can define functions through environment variables. After the function definition ends, the trailing string in the variable's value is executed as an additional command.


