發表文章

Recently Updated

SQLi - 無法解析 UNION 作業中 "Chinese_Taiwan_Stroke_CI_AI" 與"SQL_Latin1_General_CP1_CI_AS" 之間的定序衝突。

在嘗試SQLi for MSSQL的過程中,有時候會遇到無法解析定序衝突的問題: 無法解析 UNION 作業中 "Chinese_Taiwan_Stroke_CI_AI" 與"SQL_Latin1_General_CP1_CI_AS" 之間的定序衝突。 這是因為做UNION的兩個資料庫或資料表或欄位的定序不同,而使得SQL Query無從依循。 最簡單的解決方法便是在對應資料表的欄位上自行設定相同的定序! UNION ALL SELECT Field1 collate Chinese_Taiwan_Stroke_CI_AI, Field2 collate Chinese_Taiwan_Stroke_CI_AI, FROM TABLE Reference: 定序優先順序 https://docs.microsoft.com/zh-tw/sql/t-sql/statements/collation-precedence-transact-sql?view=sql-server-ver15

OWASP Security Shepherd Project - Session Management Challenge 7 (Session Management Challenge)

圖片
Challenge Solution      Challenge 7 is quite similar to Challenge 6, but there is no SQLi in Security Question.      I really don't think people could pass challenge this without cheating.      There are a lot of flowers in the world & the answer for root user is " Franklin Tree " which is not a common flower...      However, I think what people should learn here is to make sure your security question should be good enough!     For example, if the question here is "What is your favorite brand of mobile phone?" An attacker could definitely enumerate all the major brands in the world and use tool to try them all. (Ex: BurpSuite -> Intruder to import a list of brands.)     In addition, if in the question setting panel, the application prepares few answer for user to select, then the scenario will be even easier. (Ex: "What is your favorite brand of mobile phone?" -> Select the following "Apple", "HTC", "

OWASP Security Shepherd Project - Session Management Challenge 6 (Session Management Challenge)

圖片
Challenge Solution       First, try admin / admin -> There is no a user named as admin!     Try root / root -> User root exists! His/Her email address is  elitehacker@shepherd.com .      Click Have you forgotten your password? link and input the root user's email ->     We don't know the Security Question answers...     Input apostrophe(') or quote(") to see if there exists a SQLi -> There is a SQLi in email address field when using quote (")!      Input  " UNION Select database();# ->  BrokenAuthAndSessMangChalSix      Input  " UNION Select table_name FROM information_schema.tables WHERE table_schema = "BrokenAuthAndSessMangChalSix ->  Invalid Data Submitted: Invalid Email Address!      We notice that if the input is too long, then there will be a Invalid Data warning.      Input  " UNION Select username from secret;# ->  com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: SELECT co

OWASP Security Shepherd Project - Session Management Challenge 5 (Session Management Challenge)

圖片
Challenge Solution     First, login with admin / admin to see what will happens? -> Incorrect password for admin . We know the admin account do exists, but we don't know the password.      Let's try to click the Forgotten Password? button. Input admin as User Name ->  URL with embedded password reset token has been sent to 'admin' via email .       We don't have the email of admin user. Let's see the packet in BurpSuite. Request packet: Response packet:     Nothing special...     Let's check the source code scripts : //Change Password Form (Requires Valid Token) //Token life is 10 mins $("#leForm3").submit(function(){ var theUserName = $("#subUserName").val(); var theNewPassword = $("#subNewPass").val(); var theToken = $("#updatePasswordToken").val(); $("#resetSubmit").hide("fast"); $("#resetLoadingSign").show("slow"); $("#resultsDi

OWASP Security Shepherd Project - SQL Injection 4 (Injection Challenge)

圖片
Challenge Solution     The challenge ask us to login us administrator. As a first step, let's try admin /  'or'a'>'a';-- - in UserName / Password field -> No luck at this time.      After trying qoute (") and other payload I know, it seems that the application is not vulnerable.      Let's step back to think of the query itself, let's guess the query is [ SELECT * FROM users WHERE username=' UserName(our_input) ' AND password=' Password (our_input) ' ].      What if we use backslash (\) to escape the ending apostrophe (') for username to make the query become =>  [ WHERE username= '   \'   (the ending apos become normal char)  AND password= '   or 1=1 ;-- - ' ]      Cool! We have some progress now!      What we need to do next is to find a way to select administrator . Before extracting administrator, let's see why our ' or 1=1;-- - payload not works. Input admin' or 1=1\ to t

Setup a AltoroJ environment for Practicing Web Application Security (w/ Ubuntu18, JDK8, Tomcat7)

圖片
What is AltoroJ?     AltoroJ is a sample banking J2EE web application built by IBM AppSec team.     It shows what happens when web applications are written with consideration of app functionality but not app security.     It is open-sourced, so everyone could download it to learn security issues & get a flavor of how to build a penetration testing lab : )     AltoroJ uses standard Java & JSP as its programming languages and it doesn't rely on additional frameworks which make people easier to understand the program directly. AltoroJ currently, being used to demonstrate application security vulnerabilities, educate people on how easy some of these issues could be exploited and how severe the impact may be. *Github Project link: https://github.com/AppSecDev/AltoroJ/ *You could also enjoy the online version without suffering from installing the environment by http://altoromutual.com:8080/ . Steps to setup AltoroJ for our test environment & development: 1. Get

OWASP Security Shepherd Project - CSRF JSON (CSRF Challenge)

圖片
Challenge Solution      In this challenge, we need to send the userId in JSON format. By googling, there is a nice blog (Open Security Research) showing us how to make a JSON format payload via POST form.      We could still try by ourselves first. Try making the form as the followings: <form name="evilForm" action=" https://192.168.1.5/user/csrfchallengejson/plusplus" method="POST" enctype="text/plain">      <input type="hidden" name='{"userId":637e8d2e65542fe82fe6da3b0356bc0865b0b791}' />      <input type="submit"/>    </form> <script>document.evilForm.submit();</script>        We get an error message! Let's see what HTTP request do we send.     By the graph above, we know that we should find a way to eliminate the ' = ' at the end of payload. What if we make it as the followings: <form name="evilForm" action=" https://192.