Default command: ping
Vulnerability sample: ;cat /etc/passwd
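The ping page above runs a system command with user-controlled input, which is why a `;` in the field is enough to chain a second command when the input is handed to a shell. The following is an added example, not code from the original application, showing the defensive pattern: allow-list the target (IP address or plain hostname), then pass an argument vector to `subprocess` with no shell in between. The function names and the `count` limit are this example's own choices.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: labels of letters, digits and hyphens, no leading/trailing
# hyphen. Nothing in this grammar is a shell metacharacter, so ';', '|', '$',
# backticks and whitespace are all rejected before any command is built.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def is_valid_target(value: str) -> bool:
    """Accept only an IP address (v4/v6) or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(value))


def build_ping_argv(target: str, count: int = 1) -> list:
    """Return the argv list for ping, or raise ValueError on bad input.

    Because the result is a list, subprocess passes it straight to execve():
    no shell ever parses the string, so even if validation were bypassed a
    ';' would only ever be part of one argument, never a command separator.
    """
    if not is_valid_target(target):
        raise ValueError(f"rejected target: {target!r}")
    if not 1 <= count <= 5:
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), target]


def run_ping(target: str) -> str:
    """Run the validated ping and return its stdout (shell=False is the default)."""
    argv = build_ping_argv(target)
    result = subprocess.run(argv, capture_output=True, text=True,
                            timeout=10, check=False)
    return result.stdout


if __name__ == "__main__":
    print(build_ping_argv("127.0.0.1"))
    try:
        build_ping_argv(";cat /etc/passwd")   # the page's sample input
    except ValueError as exc:
        print("blocked:", exc)
```

The allow-list is the primary control and the list-form `subprocess` call is the backstop; keeping both means a future change that relaxes the regex does not silently reintroduce shell parsing.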
Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.
This application uses the GET method to send the form and simply displays the text message you enter. Therefore, the XSS is reflected.
This form is the same as the previous except for the method. Here the form is sent with the POST method.
By default on this application, you will see only the messages created by the connected user. From the action list you can display all messages (and thereby run other users' payloads), delete all messages, or delete a specific message.
The XSS payload is stored in the database. The XSS is permanent until the database is reset or the payload is manually deleted.
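Both the reflected variant (GET/POST form above) and the stored variant (messages kept in the database) have the same root cause: text supplied by a user is written into the HTML response without encoding. The following is an added example, not code from the original application, showing output encoding applied at render time for both cases. The in-memory `messages` list stands in for the app's database and the rendering functions are this example's own names.

```python
import html

# Constructed stand-in for the application's message table.
messages = []


def render_message_unsafe(message: str) -> str:
    """Vulnerable: user text is concatenated straight into HTML, so any tags in
    it become part of the page (this is the reflected-XSS bug)."""
    return f"<p>Your message: {message}</p>"


def render_message_safe(message: str) -> str:
    """Encode for the HTML text/attribute context: < > & " ' become entities,
    so the browser renders the characters instead of parsing them as markup."""
    return f"<p>Your message: {html.escape(message, quote=True)}</p>"


def store_message(message: str) -> int:
    """Store the raw text. Encoding belongs at output time, in the context
    where the data is used; encoding on input breaks other consumers (JSON
    APIs, e-mail) and is easy to do for the wrong context."""
    messages.append(message)
    return len(messages) - 1


def render_all_messages() -> str:
    """Stored variant: every message is encoded when the list page is built,
    regardless of which user wrote it."""
    items = "".join(f"<li>{html.escape(m, quote=True)}</li>" for m in messages)
    return f"<ul>{items}</ul>"


def contains_raw_markup(rendered: str, user_input: str) -> bool:
    """Helper for checking a rendering: True if the user's text survived
    unencoded, i.e. the page would interpret it as HTML."""
    return user_input in rendered and any(c in user_input for c in "<>\"'")


if __name__ == "__main__":
    sample = "<b>hello</b> & \"friends\""      # constructed input with markup
    print(render_message_unsafe(sample))       # tags reach the browser
    print(render_message_safe(sample))         # tags are shown as text
    store_message(sample)
    print(render_all_messages())
```

`html.escape` is correct for HTML element content and quoted attributes only; data placed inside a `<script>` block, a URL, or inline CSS needs the encoder for that context, and a Content-Security-Policy without `unsafe-inline` limits the damage when an encoding step is missed.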
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.
Default behavior: show firstname & surname based on ID.
This application lists films with information taken from a search field. The search is dynamic: an Ajax request (XHR) updates the results automatically. The search input is driven purely by JavaScript and there is no "form" tag. The database also contains some hidden fields. Try to retrieve this information.
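The two SQLi pages above (lookup by ID, and the Ajax film search) share one defect: the client value is pasted into the SQL text. The following is an added example, not code from the original application, using an in-memory SQLite database with a constructed schema (the `internal_note` column stands in for the page's "hidden fields"). It places the vulnerable query next to the parameterized one and shows the classic legitimate-input failure, a title containing an apostrophe, which breaks the string-built query and works with bound parameters; the safe search also selects only an explicit list of public columns so hidden data cannot be returned through this endpoint.

```python
import sqlite3

# Constructed sample data; not the application's real schema or rows.
SCHEMA = """
CREATE TABLE films (id INTEGER PRIMARY KEY, title TEXT, year INTEGER,
                    internal_note TEXT);
INSERT INTO films VALUES (1, 'Alien', 1979, 'hidden: licence key ABC');
INSERT INTO films VALUES (2, 'O''Brother', 2000, 'hidden: cost 12');
CREATE TABLE users (id INTEGER PRIMARY KEY, firstname TEXT, surname TEXT);
INSERT INTO users VALUES (1, 'Ada', 'Lovelace');
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_films_unsafe(conn, term: str):
    """Vulnerable: the term becomes part of the SQL text. Any quote in the
    input ends the literal early and the rest is parsed as SQL."""
    sql = f"SELECT title, year FROM films WHERE title LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_films_safe(conn, term: str):
    """Parameterized: the term is bound as a value, never parsed as SQL, and
    only the public columns are named in the SELECT."""
    sql = "SELECT title, year FROM films WHERE title LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


def get_user_safe(conn, user_id):
    """Lookup by ID: enforce the expected type first, then bind the value."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return None
    sql = "SELECT firstname, surname FROM users WHERE id = ?"
    return conn.execute(sql, (uid,)).fetchone()


def unsafe_search_breaks(conn, term: str) -> bool:
    """True if the string-built query fails on this input (a symptom that the
    input is being parsed as SQL; the same symptom defenders look for in
    database error logs)."""
    try:
        search_films_unsafe(conn, term)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = open_db()
    print(search_films_safe(db, "O'Brother"))      # [('O\'Brother', 2000)]
    print(unsafe_search_breaks(db, "O'Brother"))   # True: the quote broke the SQL
    print(get_user_safe(db, "1"))                  # ('Ada', 'Lovelace')
    print(get_user_safe(db, "abc"))                # None
```

A spike of `OperationalError`/syntax errors from one endpoint is a useful detection signal for this bug class even before the fix is deployed, since legitimate users rarely trigger them.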
With this application, you can create a new user through an XML Web Service. In the form you can only fill in a username, password and email. By default, you can only create a user with the "user" role.
Try to create a new user with “admin” role.
This page is similar to the previous one, but you can only retrieve user information. There are some examples in the list, or you can send a custom request and look at the result.
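The user-creation service above lets a client obtain the "admin" role because the server trusts whichever fields arrive in the XML body. The following is an added example, not the application's own code, of the server-side fix: parse the request with an explicit allow-list of fields, ignore anything else (such as a `role` element), and assign the role on the server. The XML element names and the `create_user` request shape are this example's assumptions about the format, and it uses the standard-library `xml.etree` parser.

```python
import xml.etree.ElementTree as ET

# Only these client-supplied fields are accepted; everything else is dropped.
ALLOWED_FIELDS = {"username", "password", "email"}


def parse_create_user(xml_body: str) -> dict:
    """Parse a hypothetical <create_user> request and return the fields the
    server will act on. The role is decided here, never taken from the body."""
    # Refuse documents with a DTD: internal entity expansion ("billion laughs")
    # is still processed by expat, and a request body never needs a DOCTYPE.
    if "<!DOCTYPE" in xml_body or "<!ENTITY" in xml_body:
        raise ValueError("DTD not allowed in request body")
    if len(xml_body) > 10_000:
        raise ValueError("request body too large")

    root = ET.fromstring(xml_body)
    if root.tag != "create_user":
        raise ValueError(f"unexpected root element {root.tag!r}")

    fields = {}
    for child in root:
        if child.tag in ALLOWED_FIELDS:
            fields[child.tag] = (child.text or "").strip()
        # <role>, <id>, or any other element is silently ignored.

    missing = sorted(ALLOWED_FIELDS - fields.keys())
    if missing:
        raise ValueError(f"missing fields: {missing}")
    if any(v == "" for v in fields.values()):
        raise ValueError("empty field")

    fields["role"] = "user"     # server-assigned; privilege changes go through
    return fields               # a separate, authenticated admin action


def request_is_rejected(xml_body: str) -> bool:
    """Helper: True if the request fails validation."""
    try:
        parse_create_user(xml_body)
        return False
    except (ValueError, ET.ParseError):
        return True


if __name__ == "__main__":
    # Constructed request that tries to set its own role.
    body = """<create_user>
      <username>alice</username>
      <password>s3cret</password>
      <email>alice@example.org</email>
      <role>admin</role>
    </create_user>"""
    print(parse_create_user(body))   # role is 'user' despite the element
```

The same allow-list principle applies to the JSON/REST variant described below: bind request bodies to a schema that names the writable fields, rather than copying every key the client sends into the model.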
This application uses a Web Service with REST / JSON.
From the search field, you can look for a wine catalog and access to wine details.
You are able to search, add, delete, and update wine information.
There are several SQL injections available (updating information from one wine ID to another, etc.).
You can generate SQLi from the form field or by modifying hidden fields.
Swagger file in json format can be downloaded from: /WS/REST/dawa_rest_api.json
One account is defined on this challenge (jwt_user / password).
Once logged, a JWT token is generated.
The challenge is to forge a new token with the correct secret. To help, the secret is 1234567890.
List of all available accounts:
Go to this page: .?page=admin/admin.php