Skip to content

Latest commit

 

History

History
57 lines (56 loc) · 4.31 KB

README.org

File metadata and controls

57 lines (56 loc) · 4.31 KB

yavw

  • Yet another vulnerable webserver (to teach XSS/SQLi/command injection).
  • Nils Ole Tippenhauer, SUTD, 2017
  • Written using Python3, flask, and sqlite3 library
  • Relatively small code base should allow students to understand what is going on, and possibly fix vulnerabilities
  • Most vulnerabilities had to be manually enabled, as flask prevents them by default.
  • Not much error handling, running in debug mode to allow students to see where things break
  • Disclaimer: you should never make this server accessible to anyone except localhost. Even then, be aware it allows arbitrary command injection.
  • The following are example questions I give my students in our exercise

Part 1: SQL Injection

  • We distribute a yavw.py server script, run it with python3 locally to test out your exploits
  • After starting the server locally, go to http://localhost:5000 to be greeted by a login page. Alice’s email is [email protected], but what is the password?
  • Based on the example attacks from the class, find a way to log in as Alice!

Part 2: Cross-Site Scripting

  • Note: restarting the webserver will refresh the SQL database

Persistent attack

  • Log in as Alice again, and check the different options the website gives you. Can you use one of them to conduct a persistent XSS attack?
    • Your goal is to inject some code on a page that the admin user will look at
    • Your injected code (HTML or .js) should make the admin disclose his cookie to you
    • In particular, assume that the admin sees a list of all news when he logs in
  • Find a way to inject a simple XSS string into the database
  • Exploit this to obtain the session cookie of the victim! By using that session ID, you could take over an existing session the victim has with the website
    • Update your XSS to trick the admin’s browser to do an HTTP GET to a URL of the attacker’s choice
    • Make the admin visit http://localhost:5000/news?text=<adminsession>
    • This will create a public news entry with the admin’s session
  • After injecting your XSS string, login as admin user to test that the injection works. Use the second password from the secrets file
    • Logout after displaying the main site, login as alice again (using the password, or the SQL injection)
    • You should now be able to see the news item!

Non-persistent attack

  • Look for a way to temporarily inject code via a specifically crafted URL
  • Exploit this to obtain the session of the victim (again)
    • Lets assume the admin is logged into the site when clicking on the link
    • Clicking the link should make the admin visit the localhost webserver with a specific URL, which then causes admin’s browser to issue a HTTP GET to http://localhost:5000/news?text=<adminsession>
    • Craft the URL, login as admin user, then visit the XSS URL you designed
    • Admin’s session should again be leaked as news item
    • Note: it might seem a bit redundant to do a non-persistent XSS attack to make the attacker visit the news URL. Try putting the javascript exploit code into a simple html file, and visit it with your browser. Does it still work, without being injected into the page? why not?
  • We had to manually enable XSS attacks in our templates, can you spot where? Can you fix all XSS vulnerabilities you found?

Part 3: Command Injection

Listing secret file

  • This time, we will not inject any JavaScript.
  • Find a way to execute a shell command on the server by using one of the provided input fields
  • Can you exploit this vulnerability to get the content of a local file, e.g. list the file “secret”?

Opening a reverse shell

  • This time, we will try to get a local shell on the target server!
  • A “reverse shell” is a program started on the victim machine, that connects to the attacker (to pass through firewalls and similar).
  • We need two parts for this: a program waiting on your machine to accept incoming connections
    • Use something similar to nc -l -p 8080 -vvv on your machine to open a listener waiting on port 8080
    • When the victim connects, you should be able to type commands, which will be executed on the victim’s machine
  • We also need a suitable command to run on the webserver (in this case, also localhost) to connect a shell to your machine
  • Inject that command similar to your previous command - Easy!?