File upload vulnerabilities (PortSwigger Writeup)

Lab: Remote code execution via web shell upload. Problem description: This lab contains a vulnerable image upload function. It doesn't perform any validation on the files users upload before storing them on the server's filesystem. To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener:peter ...

2022-02-05 · 4 min · steven

Directory traversal (PortSwigger Writeup)

Lab: File path traversal, simple case. Problem description: This lab contains a file path traversal vulnerability in the display of product images. To solve the lab, retrieve the contents of the /etc/passwd file. Problem explanation: The image URL parameter allows arbitrary file reads, so try reading /etc/passwd. Solution: Look at one of the product images, https://ac801f311fe78ab8c0bf223f000500bf.web-security-academy.net/image?filename=11.jpg, then modify the filename: https://ac801f311fe78ab8c0bf223f000500bf.web-security-academy.net/image?filename=../../../../../../../etc/passwd Lab: File path traversal, traversal sequences blocked with absolute path bypass. Problem description: This lab contains a file path traversal vulnerability in the display of product images. The application blocks traversal sequences but treats the supplied filename as being relative to a default working directory. ...

2022-02-05 · 2 min · steven

OS command injection (PortSwigger Writeup)

Lab: OS command injection, simple case. Problem description: This lab contains an OS command injection vulnerability in the product stock checker. The application executes a shell command containing user-supplied product and store IDs, and returns the raw output from the command in its response. To solve the lab, execute the whoami command to determine the name of the current user. Problem explanation: The goal is to run whoami; the vulnerability is in the stock checker. Solution: Set the POST parameters to productId=1%20%26%26%20whoami&storeId=3 Lab: Blind OS command injection with time delays. Problem description: This lab contains a blind OS command injection vulnerability in the feedback function. ...

2022-02-05 · 3 min · steven

SQL injection (PortSwigger Writeup)

Lab: SQL injection UNION attack, determining the number of columns returned by the query. Problem description: This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. The first step of such an attack is to determine the number of columns that are being returned by the query. You will then use this technique in subsequent labs to construct the full attack. To solve the lab, determine the number of columns returned by the query by performing an SQL injection UNION attack that returns an additional row containing null values. ...

2022-02-05 · 14 min · steven