We’ll get started at 1[68]:05

more server-side

6443 week 5

House cleaning

Report groups

If you aren’t in a group please let me know

Midterm

How’d you all find it (trivial enough?)

Injection

  • Bash Injection
  • SSTI
  • PHP Injection

bash injection

  • If you’re ever using os.system() (or similar) to call shell functions containing user input
    • first of all, probably don’t
    • second of all, it’s kinda vulnerable
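The pattern behind the two bullets above, as an added example (not from the slides): the same "count the lines in a file the user named" task done with a shell string versus an argument list, run against a constructed scratch file. The tainted file name and the `wc -l` command are assumptions made up for the demonstration; the second half of the name is a deliberately harmless `echo`.

```python
import shlex
import subprocess
import tempfile
from pathlib import Path

# Constructed input: a file name that arrived from a user (assumption: a form
# field). The part after the ';' is a deliberately harmless second command.
TAINTED_NAME = "notes.txt; echo INJECTED"


def count_lines_unsafe(filename: str, cwd: str) -> str:
    """The os.system()-style pattern from the slide: user input pasted into a
    shell command line. Returns whatever the shell printed."""
    cmd = f"wc -l {filename}"
    return subprocess.run(cmd, shell=True, cwd=cwd,
                          capture_output=True, text=True).stdout


def count_lines_safe(filename: str, cwd: str) -> str:
    """Hardened: an argv list and no shell, so the whole string is one argument
    to wc and ';' is just a character in a (non-existent) file name."""
    return subprocess.run(["wc", "-l", filename], cwd=cwd,
                          capture_output=True, text=True).stdout


def quoted_command(filename: str) -> str:
    """If a shell string really is unavoidable, shlex.quote turns the input
    into a single shell word; the result is returned, not executed."""
    return f"wc -l {shlex.quote(filename)}"


def demo() -> dict:
    """Run both versions against a constructed three-line file."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "notes.txt").write_text("one\ntwo\nthree\n")
        return {
            "unsafe": count_lines_unsafe(TAINTED_NAME, d),
            "safe_tainted": count_lines_safe(TAINTED_NAME, d),
            "safe_clean": count_lines_safe("notes.txt", d),
            "quoted": quoted_command(TAINTED_NAME),
        }


if __name__ == "__main__":
    for label, output in demo().items():
        print(f"{label}: {output!r}")
```

The unsafe call's output contains the line `INJECTED` because `sh` saw two commands; the safe call passes the whole string to `wc` as one file name, which simply does not exist.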

Demo

SSTI (Server-side template injection)

  • Templating engines (e.g. Jinja2, Pug) use templates to inject code and variables into static files

  • Jinja2: {{<CODE HERE>}} e.g. {{7*7}} => 49

  • what if we tricked the template rendering into thinking our user-supplied content was code?
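To make the "user content treated as code" idea concrete without needing Jinja2 installed, here is an added example (not from the slides) built around a deliberately tiny `{{ expr }}` engine that only does arithmetic and variable lookup. The engine, the `greet_*` functions and the inputs are all constructed for this illustration; real engines expose a far richer expression language, which is why the same mistake is much worse there.

```python
import ast
import operator
import re

# Minimal {{ expr }} engine, constructed for this example. It evaluates only
# numbers, strings, variables and + - * so that {{7*7}} => 49 as on the slide.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}
_TAG = re.compile(r"\{\{(.*?)\}\}")


def _eval(node, ctx):
    if isinstance(node, ast.Expression):
        return _eval(node.body, ctx)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, str)):
        return node.value
    if isinstance(node, ast.Name):
        return ctx[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_eval(node.left, ctx), _eval(node.right, ctx))
    raise ValueError(f"unsupported expression: {ast.dump(node)}")


def render(template: str, ctx=None) -> str:
    """Replace every {{ expr }} in the template source with its value."""
    ctx = ctx or {}

    def substitute(match):
        tree = ast.parse(match.group(1).strip(), mode="eval")
        return str(_eval(tree, ctx))

    return _TAG.sub(substitute, template)


def greet_vulnerable(user_name: str) -> str:
    # Bug: user data is concatenated INTO the template source, so anything
    # in it that looks like {{ ... }} is parsed and evaluated as code.
    return render("Hello " + user_name + "!")


def greet_fixed(user_name: str) -> str:
    # Fix: the template is a constant written by the developer; user data is
    # passed as a variable and only ever substituted as a value.
    return render("Hello {{ name }}!", {"name": user_name})


if __name__ == "__main__":
    for name in ("melon", "{{7*7}}"):
        print(repr(greet_vulnerable(name)), "vs", repr(greet_fixed(name)))
```

With the name `{{7*7}}`, the vulnerable version prints `Hello 49!` (the input ran as template code) while the fixed one prints `Hello {{7*7}}!` (the input stayed data).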

Demo

Basic PHP injection

  • PHP is a very different language to most
  • It’s kinda like an HTML server (where the file path is the url path)
  • This means if you add a new .php file somewhere, and navigate there, it’ll execute
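Since "drop a .php file under the web root and browse to it" is the whole attack, the defensive counterpart is an upload handler that never lets the client decide the stored name or type. The following is an added example (not from the slides) of such a handler in Python; the allow-list, the magic-byte table and the test uploads are constructed assumptions, and it is assumed the upload directory lives outside the document root (or has script execution disabled).

```python
import secrets
import tempfile
from pathlib import Path

# Allowed extensions and the file signature ("magic bytes") each must start
# with. Constructed for this example; extend it to the types you actually serve.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}


def store_upload(upload_dir: Path, client_filename: str, content: bytes) -> Path:
    """Save an upload so that nothing the client chose ends up in the path:
    the server picks a random name and keeps only an allow-listed extension."""
    ext = Path(client_filename).suffix.lower()
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension {ext!r} not allowed")
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise ValueError("content does not match the claimed type")
    # Random server-chosen name: no '..', no client-controlled '.php', and the
    # directory is fixed, so the file can never land next to real scripts.
    dest = upload_dir / f"{secrets.token_hex(16)}{ext}"
    dest.write_bytes(content)
    return dest


def demo() -> dict:
    """Exercise the handler with constructed uploads; returns outcome strings."""
    cases = {
        "real_png": ("cat.png", ALLOWED_TYPES[".png"] + b"...image data..."),
        "php_script": ("shell.php", b"<?php echo 1; ?>"),
        "php_disguised": ("cat.png", b"<?php echo 1; ?>"),
        "traversal": ("../../cat.png", ALLOWED_TYPES[".png"] + b"x"),
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        upload_dir = Path(d)
        for label, (name, content) in cases.items():
            try:
                stored = store_upload(upload_dir, name, content)
                inside = stored.parent == upload_dir
                results[label] = f"stored {stored.suffix} inside upload_dir={inside}"
            except ValueError as e:
                results[label] = f"rejected: {e}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

Note that the `../../cat.png` case is accepted but lands inside the upload directory under a random name: the client's path is used only to read the extension, never to build a path.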

Demo

Helpful stuff

  • reverse shells
  • hosting content (ngrok, requestbin)

reverse shells

  • Sometimes you can get command injection, but it’s really tedious
  • wouldn’t it be easier if you could just send your commands directly from a terminal?

check out explainshell and revshells

Demo

How to host content

  • python3 -m http.server + NGROK
  • localtunnel
  • RequestBin
  • GitHub pages (needs to build every time though so it’s slow)

Demo?

File-based vulnerabilities

  • File disclosure (e.g. XXE)
  • Local file inclusion (e.g. PHP)
  • File uploads

File disclosure

somehow include a page

  • ?page=index.html (what about ?page=../../../etc/passwd)
  • image upload https://a.com/catpicture.png (what about file:///etc/passwd)
  • error messages

XML (Extensible Markup Language)

  • a data format kinda like json, that looks like HTML
<users>
    <user id="1">
        <username>melon</username>
        <password>Hunter2</password>
    </user>
    <user id="2">
        <username>admin</username>
        <password>admin</password>
    </user>
</users>

XXE (XML External Entities)

  • DTD - Document Type Definition
  • Internal Entity: an entity declared within the DTD (like a variable)
  • External Entity: an entity whose content is fetched from outside the document (files, stuff on other websites), declared with SYSTEM

Internal entities

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY string "hey, don't read my diary" >
]>
<diary>
  <entry>&string;</entry>
</diary>


prints

hey, don't read my diary

External entities

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY funCatFact SYSTEM "https://FunCatFact.com/generate" >
]>
<diary>
  <entry>&funCatFact;</entry>
</diary>


prints

Cats are asleep for 70% of their lives.

SSI

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY flag SYSTEM "file:///flag.txt" >
]>
<diary>
  <entry>&flag;</entry>
</diary>


prints

COMP6443{....}

Parameterised entities

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY difficulty "trivial" >
  <!-- parameter entities (%name;) only exist inside the DTD, and in the
       internal subset they may only be referenced between declarations,
       so %meme; is expanded here to declare an ordinary entity for the body;
       the &difficulty; inside it is expanded when &answer; is used -->
  <!ENTITY % meme '<!ENTITY answer "web apps is &difficulty;">' >
  %meme;
]>
<diary>
  <entry>&answer;</entry>
</diary>


prints

web apps is trivial
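The safe way to consume documents like the diary examples above is a parser that expands internal entities (the `&string;` case) but refuses anything declared with SYSTEM or PUBLIC before it is ever fetched. The following is an added example (not from the slides) using Python's bundled expat parser; the internal-entity and `file:///flag.txt` documents are copied from the slides as test input, and the `<diary>/<entry>` layout, the handler names and the `allow_dtd` switch are assumptions of this example.

```python
import xml.parsers.expat as expat

# The diary documents from the slides, embedded as test input: one with an
# internal entity, one with a SYSTEM entity pointing at a local file.
INTERNAL_ENTITY_DOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY string "hey, don't read my diary" >
]>
<diary>
  <entry>&string;</entry>
</diary>"""

FILE_ENTITY_DOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY flag SYSTEM "file:///flag.txt" >
]>
<diary>
  <entry>&flag;</entry>
</diary>"""


class EntityRejected(ValueError):
    """The DTD tried to pull content from outside the document."""


def parse_diary(data: bytes, allow_dtd: bool = True) -> list:
    """Return the text of every <entry>, expanding internal entities only.

    allow_dtd=False is the stricter posture: refuse any DOCTYPE at all, which
    is what most parsers' "no DTD" hardening option amounts to."""
    parser = expat.ParserCreate()
    parser.buffer_text = True
    entries, buf, in_entry = [], [], False

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_dtd:
            raise EntityRejected("DOCTYPE not permitted in untrusted input")
        if sysid or pubid:
            raise EntityRejected(f"external DTD {sysid!r} rejected")

    def entity_decl(name, is_pe, value, base, sysid, pubid, notation):
        # expat reports SYSTEM/PUBLIC entities with value=None and a systemId;
        # internal entities carry their replacement text in value.
        if sysid is not None or value is None:
            raise EntityRejected(f"entity {name!r} -> {sysid!r} rejected")

    def external_ref(context, base, sysid, pubid):
        return 0  # belt and braces: never fetch; 0 makes expat abort the parse

    def start(tag, attrs):
        nonlocal in_entry
        if tag == "entry":
            in_entry = True
            buf.clear()

    def end(tag):
        nonlocal in_entry
        if tag == "entry":
            in_entry = False
            entries.append("".join(buf))

    def chars(text):
        if in_entry:
            buf.append(text)  # internal entity expansions arrive here too

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return entries


def check(data: bytes, allow_dtd: bool = True) -> str:
    """Human-readable verdict for a document, used by the demo and the test."""
    try:
        return "ok: " + " | ".join(parse_diary(data, allow_dtd))
    except EntityRejected as e:
        return "rejected: " + str(e)


if __name__ == "__main__":
    print(check(INTERNAL_ENTITY_DOC))
    print(check(FILE_ENTITY_DOC))
    print(check(INTERNAL_ENTITY_DOC, allow_dtd=False))
```

The rejection happens in the entity declaration handler, i.e. while the DTD is being read, so the parser never reaches the `&flag;` reference and nothing is read from disk or the network.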

Local file inclusion

PHP has this really funny include() function

  • Think of it like importing another page
  • Strangely, it can do a lot more than that
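Both the `?page=../../../etc/passwd` and `file:///etc/passwd` cases under File disclosure and PHP's include() here come down to one mistake: a user-supplied string becomes a file path with no check that it stays inside the intended directory. The following is an added example (not from the slides) of the containment check in Python; the `pages/` directory, the `.html` allow-list, the `serve()` status strings and the planted `secret.txt` are constructed assumptions.

```python
import tempfile
from pathlib import Path

# Only files with these suffixes may be served, regardless of location.
ALLOWED_SUFFIXES = {".html"}


def resolve_page(base_dir: Path, requested: str) -> Path:
    """Turn ?page=<requested> into a file path guaranteed to sit under
    base_dir, or raise PermissionError."""
    base = base_dir.resolve()
    # A page name is a relative file name: no absolute paths, no URL schemes
    # (the file:///etc/passwd trick from the image-upload bullet).
    if requested.startswith(("/", "\\")) or "://" in requested:
        raise PermissionError(f"{requested!r}: absolute path or URL not allowed")
    # resolve() collapses every '..' and follows symlinks, so the containment
    # test below sees the real target rather than the string the user sent.
    candidate = (base / requested).resolve()
    if candidate != base and base not in candidate.parents:
        raise PermissionError(f"{requested!r} escapes {base}")
    if candidate.suffix not in ALLOWED_SUFFIXES or not candidate.is_file():
        raise PermissionError(f"{requested!r} is not a servable page")
    return candidate


def serve(base_dir: Path, requested: str) -> str:
    """Mimic a handler's response: status code plus body or reason."""
    try:
        return "200 " + resolve_page(base_dir, requested).read_text()
    except PermissionError as e:
        return "403 " + str(e)


def demo() -> dict:
    """Build a constructed site with one page and one secret outside it."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d) / "pages"
        base.mkdir()
        (base / "index.html").write_text("<h1>hi</h1>")
        (Path(d) / "secret.txt").write_text("not for the web")
        return {
            "index": serve(base, "index.html"),
            "traversal": serve(base, "../secret.txt"),
            "deep_traversal": serve(base, "../../../etc/passwd"),
            "file_url": serve(base, "file:///etc/passwd"),
        }


if __name__ == "__main__":
    for label, response in demo().items():
        print(f"{label}: {response}")
```

The check is on the resolved path, not on the presence of `..` in the input, which is what makes encoding tricks and symlinks irrelevant to it; the suffix allow-list is a second, independent layer.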

Demo

Now do some challenges

What you all came for lol