0x06 Level 6: Student Center

In this exercise, you get to maintain a student list.
In this level, there are 6 vulnerabilities, falling into the following classes:
Reflected/Stored XSS
SQL Injection
CSRF
Have fun!
Note: Your changes are only persisted for your current session.

  • XSS
  • Stored XSS
  • SQL
  • People abroad seem to prefer using ()

  • CSRF
  • You can add entries to the list directly

    <form action="http://levels-b.hacker101.com/level6/post_add" method="POST">
    	<input type="text" name="firstname" value="CSRF"><br>
    	<input type="text" name="lastname" value="TEST"><br>
    	<input id="button" type="submit">
    </form>
    

0x07 Level 7: Guardian

In this exercise, you lack credentials.
Only two vulnerabilities, so for once I could find them all 🙂
In this level, there are 2 vulnerabilities, falling into the following classes:
SQL Injection
Reflected XSS

  • XSS
  • SQLI

0x08 Level 8: Document Exchange

In this exercise, you’re given the power of file uploads.

In this level, there are 5 vulnerabilities, falling into the following classes:
XSS
Directory Traversal
SQL Injection
Code Execution
In theory, you shouldn't be able to overwrite templates/code for the coursework, but that's not 100% so try not to do it, please!

Have fun!

  • XSS
  • Change the MIME type to an XSS payload

  • SQLI
  • https://levels-b.hacker101.com/level8/view/1281?download=True and 0

0x03 Level 3: Breaker CMS
In this exercise, you see a basic CMS interface. Administration is fun!
Hint: Watch the JavaScript.

Looking at the source: six vulnerabilities, and "Unrelated Bonuses" shows up again; I still don't know what that means.
In this level, there are 6 vulnerabilities, falling into the following classes:
Various XSS
Improper Authorization
Unrelated Bonuses
Have fun!

  • Improper Authorization

    <script>
    	// We should only display the edit link to authenticated admins.
    	// http://i.imgur.com/WPaknth.jpg
    	var page = window.location.hash.substring(1);
    	if(page == '')
    		page = 'index';
    	var cookies = document.cookie.split(';');
    	for(var i in cookies) {
    		var cookie = cookies[i].replace(/ /g, '').split('=');
    		if(cookie[0] == 'admin' && cookie[1] == '1')
    			document.write('<a href="/levels/3/admin?page=' + page + '">Edit this page</a>');
    	}
    </script>
    

Changing the value of the admin cookie to 1 takes you into the admin interface, or you can simply type the URL yourself.

  • XSS
  • The code above also has an XSS vulnerability: crafting the value after # in the URL triggers it

  • XSS-2
  • In the article editing page of the backend

0x04 Level 4: Breaker News
Here’s a news aggregator for your perusal. Have any good links to share with us?
Hint: Just because you’re authorized doesn’t mean you should do it.

There are 13 vulnerabilities
In this level, there are 13 vulnerabilities (some of them may present multiple times on a page!), falling into the following classes:
XSS
CSRF
Unchecked Redirects
Systemic Information Disclosures
Improper Identity Handling
Have fun!

  • XSS
  • CSRF on voting
  • CSRF on deletion
  • CSRF on commenting
  • The comment feature returns a server-side error, but the issue should still be there; the principle is the same

  • URL redirect
  • https://levels-a.hacker101.com/levels/4/vote?change=1&type=Story&id=4862378378264576&from=https://www.google.com

  • XSS-2
  • Strictly speaking, every parameter in the URL above has the same problem

0x05 Level 5: Document Repository
In this exercise, you get to read some books!

Read more books
In this level, there are 6 vulnerabilities, falling into the following classes:
Directory Traversal
Reflected XSS
Command Injection
Have fun!

  • Reflected XSS
  • Directory traversal
  • Command injection
  • Use backticks ` so that the content is executed as a command first
    The file content search here is presumably implemented with a shell command, which is not very realistic in real-world scenarios

I would also like to try whether I can get a reverse shell.

0xff Introduction
HackerOne, the well-known foreign vulnerability platform, has just launched an online web security learning site, hacker101. The course is fairly basic but quite comprehensive. Of course, what interests me most are the 9 course assignments at the end 🙂

0x00 Level 0: Breakerbank
In this exercise, you’re presented with a bank account interface. There are many instances of the bugs we’ve discussed so far, along with some that we haven’t yet talked about.
Hint: A logic flaw in the application will give you a sample report for one of the bugs, giving you a nice template to work from.

First, look at the source; it tells us there are 4 vulnerabilities in total
In this level, there are 4 vulnerabilities, falling into the following classes:
CSRF
Reflected XSS
Authorization Bypass/Direct Object Reference
Have fun!

  • CSRF
  • The transfer is submitted directly by a POST request from the HTML form, so the request can be built locally

    <body onload="javascript:csrf()"></body>
    <script type="text/javascript">
    	// Auto-submit the form as soon as the page loads
    	function csrf(){
    		document.getElementById("button").click();
    	}
    </script>
    <form action="https://levels-a.hacker101.com/levels/0/" method="POST">
    	<input type="text" name="from" value="1">
    	<input type="text" name="to" value="588">
    	<input type="text" name="amount" value="1000000">
    	<input id="button" type="submit" value="Transfer">
    </form>

  • Authorization bypass
  • Add your own from field to the form and you can choose the originator of the transfer yourself

    This is the effect when combined with CSRF

  • Reflected XSS

0x01 Level 1: Breakbook
In this exercise, you’re presented with a simple social network. There are many instances of the bugs we’ve discussed so far, along with some that we haven’t yet talked about.
Hint: Pay attention to the first message posted.

Go find the vulnerabilities in the social network

Again, look at the source first; again, four vulnerabilities
In this level, there are 4 vulnerabilities, falling into the following classes:
CSRF
Stored XSS
Forced Browsing
Have fun!

  • Stored XSS
  • At first glance it is obviously in the input box, but a note says HTML is not allowed, although links are clickable
    By crafting a URL, it automatically generates the corresponding

  • Enumeration
  • The link to my own post is https://levels-a.hacker101.com/levels/1/post?id=247
    By changing the id value you can see other people's posts

  • CSRF
  • I felt there was a small problem when doing this one. This level has a CSRF token, so there should be no CSRF vulnerability, but the algorithm that generates the token is too simple (MD5()), so a token can easily be constructed and CSRF still exists. However, no matter whose token I substituted, as long as it was a 32-character hash the post showed as mine; anything else showed "bad token" and could not be sent.

I am not sure about this; I don't know whether the challenge is broken or my reasoning is.
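As an added example (not code from the post or from Hacker101), here is the weak token scheme described above beside a hardened one: a keyed HMAC bound to the requester's session, compared in constant time, so a token that is merely "some 32-character hash" is rejected. SERVER_SECRET, the session id and handle_post are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for this example; a real deployment loads it from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def weak_csrf_token(user_id: str) -> str:
    """Weak scheme as described for Level 1: an unkeyed MD5 of a guessable value.

    Anyone who knows (or enumerates) the user id can compute it, so it proves nothing.
    """
    return hashlib.md5(user_id.encode()).hexdigest()


def make_csrf_token(session_id: str) -> str:
    """Hardened token: HMAC-SHA256 keyed with the server secret and bound to the session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, submitted: str) -> bool:
    """Recompute the token for this session and compare in constant time."""
    if not isinstance(submitted, str):
        return False
    expected = make_csrf_token(session_id)
    try:
        return hmac.compare_digest(expected, submitted)
    except TypeError:  # non-ASCII input cannot be a valid hex token
        return False


def handle_post(session_id: str, form: dict) -> str:
    """Simulated post handler: the token must match the requester's own session, not just look like a hash."""
    token = form.get("token", "")
    if not verify_csrf_token(session_id, token):
        return "bad token"
    return "posted by session " + session_id
```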

0x02 Level 2: Breaker Profile

In this exercise, you’re presented with a profile management and viewing interface. There are many instances of the bugs we’ve discussed so far, along with some that we haven’t yet talked about.
Hint: Think about what we learned about special handling with respect to XSS.

Profile management
A full seven vulnerabilities
In this level, there are 7 vulnerabilities, falling into the following classes:
Stored XSS
Reflected XSS
Unrelated Bonus
Have fun!

  • XSS-1
  • In the avatar field, adding a .jpg suffix bypasses the image check

  • XSS-2
  • In the font color field, which can be modified freely

  • XSS-3 (reflected)
  • I give up... where are the 7 vulnerabilities, and what on earth does Unrelated Bonus mean??? 🙁

0x00 Motivation
While writing a proxy scanner I found that an HTTP proxy is easy to implement, and many proxies only implement HTTP, but stopping at HTTP is clearly not enough. Proxying HTTPS, however, amounts to performing a controlled man-in-the-middle on your own machine: you have to trust a CA you generated yourself and use that CA to sign the certificates you generate.

0x01 Generating the CA
The following commands are run with openssl
Generate the CA root key
openssl genrsa -out ./cakey.pem 2048
Generate the CA certificate
openssl req -new -x509 -days 3650 -key ./cakey.pem -out ./cacert.pem

0x01 Issuing certificates

    from OpenSSL import crypto
    from cryptography import x509


    def create_ca(host):
        # Despite its name, this issues a certificate for `host` signed by the CA generated above.
        cert_file = "./cert/cacert.pem"
        key_file = "./cert/cakey.pem"
        with open(cert_file, "r") as my_cert_file:
            ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, my_cert_file.read())

        with open(key_file, "r") as my_key_file:
            ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, my_key_file.read())

        # create a key pair for the host certificate
        key = crypto.PKey()
        key.generate_key(crypto.TYPE_RSA, 2048)

        # create the host certificate and fill in its subject
        cert = crypto.X509()
        cert.get_subject().C = "CN"
        cert.get_subject().ST = "JiangSu"
        cert.get_subject().L = "NanJing"
        cert.get_subject().O = "ProxyScan"
        cert.get_subject().OU = "ProxyScan CA"
        cert.get_subject().CN = host
        cert.set_serial_number(x509.random_serial_number())
        cert.gmtime_adj_notBefore(0)
        cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)  # valid for 10 years

        # CA-signed, not self-signed: the issuer is the CA's subject and the CA key signs it
        cert.set_issuer(ca_cert.get_subject())
        cert.set_pubkey(key)
        cert.sign(ca_key, "sha256")  # sha1 is no longer safe, use sha256

        # '*' is stripped so a wildcard host still gives a usable file name
        base = "./cert/website/" + host.strip('*')
        with open(base + ".cert.pem", "wt") as cert_out:
            cert_out.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode())
        with open(base + ".key.pem", "wt") as key_out:
            key_out.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key).decode())


Note that when following docs.genati.org there is one mistake: the argument passed to crypto.dump_certificate() and crypto.dump_privatekey() should be a file rather than a path.

Also, the sha1 algorithm is not secure enough; sha256 must be used.
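As an added example (not the post's own code), the same issuing flow written against the cryptography library's x509 API, which the post already imports for random_serial_number: it builds the CA in memory instead of reading the openssl-generated files, adds a SubjectAlternativeName (modern clients ignore the CN), marks the leaf as a non-CA with a short validity, and verifies that the leaf was really signed by the CA. make_ca, issue_host_cert and the one-year validity are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def make_ca():
    """Constructed in-memory CA, equivalent to the two openssl commands (self-signed, CA:TRUE)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "ProxyScan CA")])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_host_cert(ca_key, ca_cert, host):
    """Leaf certificate for `host`: issuer = CA subject, SAN set, CA:FALSE, signed with the CA key."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, host)]))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=365))
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(host)]), critical=False)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def signed_by(ca_cert, cert):
    """True if `cert` names ca_cert as issuer and its signature verifies under the CA's public key."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except Exception:
        return False


def issue_and_check(host):
    """Issue a leaf for `host` and report (leaf signed by CA, CA signed by leaf, SAN DNS names)."""
    ca_key, ca_cert = make_ca()
    _, leaf = issue_host_cert(ca_key, ca_cert, host)
    san = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return signed_by(ca_cert, leaf), signed_by(leaf, ca_cert), san.get_values_for_type(x509.DNSName)
```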