Advanced Web Attacks and Exploitation

Syllabus of the OSWE course:

Table of Contents:

0. Introduction
0.1 About the AWAE Course
0.2 Our Approach
0.3 Obtaining Support
0.4 Legal
0.5 Offensive Security AWAE Labs
0.5.1 General Information
0.5.2 Lab Restrictions
0.5.3 Forewarning and Lab Behaviour
0.5.4 Control Panel
0.6 Backups

1. Tools & Methodologies
1.1 Web Traffic Inspection
1.1.1 BurpSuite Proxy
1.1.2 BurpSuite Scope
1.1.3 BurpSuite Repeater and Comparer
1.1.4 BurpSuite Decoder
1.2 Interacting with Web Listeners with Python
1.3 Source Code Recovery
1.3.1 Managed .NET Code
1.3.2 Decompiling Java classes
1.3.3 Source Code Analysis

2. Atmail Mail Server Appliance: from XSS to RCE
2.1 Overview
2.2 Getting Started
2.3 Atmail Vulnerability Discovery
2.4 Session Hijacking
2.5 Session Riding
2.5.1 The Attack
2.5.2 Minimizing the Request
2.5.3 Developing the Session Riding JavaScript Payload
2.6 Gaining Remote Code Execution
2.6.1 Overview
2.6.2 Vulnerability Description
2.6.3 The addattachmentAction Vulnerability Analysis
2.6.4 The globalsaveAction Vulnerability Analysis
2.6.5 addattachmentAction Vulnerability Trigger
2.7 Summary

3. ATutor Authentication Bypass and RCE
3.1 Overview
3.2 Getting Started
3.2.1 Setting Up the Environment
3.3 Initial Vulnerability Discovery
3.4 A Brief Review of Blind SQL Injections
3.5 Digging Deeper
3.5.1 When $addslashes Are Not
3.5.2 Improper Use of Parameterization
3.6 Data Exfiltration
3.6.1 Comparing HTML Responses
3.6.2 MySQL Version Extraction
3.7 Subverting the ATutor Authentication
3.8 Authentication Gone Bad
3.9 Bypassing File Upload Restrictions
3.10 Gaining Remote Code Execution
3.10.1 Escaping the Jail
3.10.2 Disclosing the Web Root
3.10.3 Finding Writable Directories
3.10.4 Bypassing File Extension Filter
3.11 Summary

4. ATutor LMS Type Juggling Vulnerability
4.1 Overview
4.2 Getting Started
4.3 PHP Loose and Strict Comparisons
4.4 PHP String Conversion to Numbers
4.5 Vulnerability Discovery
4.6 Attacking the Loose Comparison
4.6.1 Magic Hashes
4.6.2 ATutor and the Magic E-Mail address
4.7 Summary

5. ManageEngine Applications Manager AMUserResourcesSyncServlet SQL Injection RCE
5.1 Overview
5.2 Getting Started
5.3 Vulnerability Discovery
5.3.1 Servlet Mappings
5.3.2 Source Code Recovery
5.3.3 Analyzing the Source Code
5.3.4 Enabling Database Logging
5.3.5 Triggering the Vulnerability
5.4 Bypassing Character Restrictions
5.4.1 Using CHR and String Concatenation
5.4.2 It Makes Lexical Sense
5.5 Blind Bats
5.6 Accessing the File System
5.6.1 Reverse Shell Via Copy To
5.7 PostgreSQL Extensions
5.7.1 Build Environment
5.7.2 Testing the Extension
5.7.3 Loading the Extension from a Remote Location
5.8 UDF Reverse Shell
5.9 More Shells!!!
5.9.1 PostgreSQL Large Objects
5.9.2 Large Object Reverse Shell
5.10 Summary

6. Bassmaster NodeJS Arbitrary JavaScript Injection Vulnerability
6.1 Overview
6.2 Getting Started
6.3 The Bassmaster Plugin
6.4 Vulnerability Discovery
6.5 Triggering the Vulnerability
6.6 Obtaining a Reverse Shell
6.7 Summary

7. DotNetNuke Cookie Deserialization RCE
7.1 Overview
7.2 Getting Started
7.3 Introduction
7.4 Serialization Basics
7.4.1 XmlSerializer Limitations
7.4.2 Basic XmlSerializer Example
7.4.3 Expanded XmlSerializer Example
7.4.4 Watch your Type dude
7.5 DotNetNuke Vulnerability Analysis
7.5.1 Vulnerability Overview
7.5.2 Debugging DotNetNuke
7.5.3 How Did We Get Here
7.6 Payload Options
7.6.1 FileSystemUtils PullFile Method
7.6.2 ObjectDataProvider Class
7.6.3 Example Use of the ObjectDataProvider Instance
7.6.4 Serialization of the ObjectDataProvider
7.6.5 Enter The Dragon (ExpandedWrapper Class)
7.7 Putting It All Together
7.8 ysoserial.net
7.9 Summary

8. ERPNext Authentication Bypass and Server Side Template Injection
8.1 Getting Started
8.1.1 Configuring the SMTP Server
8.1.2 Configuring Remote Debugging
8.1.3 Configuring MariaDB Query Logging
8.2 Introduction to MVC, Metadata-Driven, and HTTP Routing
8.2.1 Model-View-Controller Introduction
8.2.2 Metadata-driven Design Patterns
8.2.3 HTTP Routing in Frappe
8.3 Authentication Bypass Discovery
8.3.1 Discovering the SQL Injection
8.4 Authentication Bypass Exploitation
8.4.1 Obtaining Admin User Information
8.4.2 Resetting the Admin Password
8.5 SSTI Vulnerability Discovery
8.5.1 Introduction to Templating Engines
8.5.2 Discovering The Rendering Function
8.5.3 SSTI Vulnerability Filter Evasion
8.6 SSTI Vulnerability Exploitation
8.6.1 Finding a Method for Remote Command Execution
8.6.2 Gaining Remote Command Execution
8.7 Wrapping Up

9. openCRX Authentication Bypass and Remote Code Execution
9.1 Getting Started
9.2 Password Reset Vulnerability Discovery
9.2.1 When Random Isn't
9.2.2 Account Determination
9.2.3 Timing the Reset Request
9.2.4 Generate Token List
9.2.5 Automating Resets
9.3 XML External Entity Vulnerability Discovery
9.3.1 Introduction to XML
9.3.2 XML Parsing
9.3.3 XML Entities
9.3.4 Understanding XML External Entity Processing Vulnerabilities
9.3.5 Finding the Attack Vector
9.3.6 CDATA
9.3.7 Updating the XXE Exploit
9.3.8 Gaining Remote Access to HSQLDB
9.3.9 Java Language Routines
9.4 Remote Code Execution
9.4.1 Finding the Write Location
9.4.2 Writing Web Shells
9.5 Wrapping Up

10. openITCOCKPIT XSS and OS Command Injection - Blackbox
10.1 Getting Started
10.2 Black Box Testing in openITCOCKPIT
10.3 Application Discovery
10.3.1 Building a Sitemap
10.3.2 Targeted Discovery
10.4 Intro To DOM-based XSS
10.5 XSS Hunting
10.6 Advanced XSS Exploitation
10.6.1 What We Can and Can't Do
10.6.2 Writing to DOM
10.6.3 Creating the Database
10.6.4 Creating the API
10.6.5 Scraping Content
10.6.6 Dumping the Contents
10.7 RCE Hunting
10.7.1 Discovery
10.7.2 Reading and Understanding the JavaScript
10.7.3 Interacting With the WebSocket Server
10.7.4 Building a Client
10.7.5 Attempting to Inject Commands
10.7.6 Digging Deeper
10.8 Wrapping Up

11. Conclusion
11.1 The Journey So Far
11.2 Exercises and Extra Miles
11.3 The Road Goes Ever On
11.4 Wrapping Up
