Web - Server
Press F12 (browser developer tools) and read the page source for the flag.
Syntax: X-Forwarded-For: <client>,<proxy1>,<proxy2>,<proxy3>
Add an X-Forwarded-For header and set the client address to a private IP.
The redirect parameter combines a URL with the MD5 hash of that URL, so we just supply a different URL together with its own MD5 hash.
4.HTTP - User-agent
Change the User-Agent header to `admin`.
5.Weak password
6.PHP - Command injection
7.Backup file
Use dirsearch to find interesting files:
/web-serveur/ch11/index.php~
8.HTTP - Directory indexing
http://challenge01.root-me.org/web-serveur/ch4/admin/backup/admin.txt
9.HTTP - Headers
With a normal request we get:
Add this header to the request:
Header-RootMe-Admin: True
10.HTTP - POST
11.HTTP - Improper redirect
Capture the response before it redirects.
12.HTTP - Verb tampering
At first I thought it was brute force, so I sat there running hydra with rockyou.txt and spammed it for an hour.
Tampering here just means switching to a method other than GET and POST; just hit it with PUT or DELETE.
13.File upload - Double extensions
Name the file file.php.png and send it to the server.
14.File upload - MIME type
Change the Content-Type of the upload to image/png, then use the uploaded PHP file for RCE.
15.HTTP - Cookies
Change the cookie value from visiteur to admin.
16.JSON Web Token (JWT) - Introduction
Use the "none" signature algorithm (alg: none).
17.Directory traversal
Try ../ in the path and fuzz from there.
18.JSON Web Token (JWT) - Weak secret
Brute-force the secret key: it is lol.
Forge a token with it, POST it and look for the flag, hm....
19.File upload - Null byte
Create the file name: file.php%0a.png
20.Install files
Use dirsearch; it finds: /web-serveur/ch6/phpbb/install
21. JWT - Revoked token
Source:
Use Python requests to POST the data:
The problem is that we have to bypass the blacklist, because each access_token that is used gets added to it:
Per RFC 3548, characters outside the base64 alphabet are skipped by the decoder, so the token can be re-spelled without changing what it decodes to:
replace the underscore "_" with "/"
or add == to the end of the JWT -> the fastest way to understand it
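As an added example (not the challenge's code), here is a minimal HS256 verifier with the same lenient base64 decoding, showing why a blacklist keyed on the raw token string is bypassed by re-spelling the signature segment, and a canonicalised check that catches it. The secret and payload are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; the challenge's real secret is not on the page.
SECRET = b"demo-secret-not-the-challenge-key"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode_lenient(seg: str) -> bytes:
    # Mirrors the forgiving decoding most JWT libraries do: missing padding is
    # restored and non-alphabet characters are skipped (RFC 3548 section 2.3
    # allows this). Surplus "=" or "/" in place of "_" decode to the same bytes.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def make_token(payload: dict) -> str:
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify(token: str):
    """Return the payload if the HS256 signature checks out, else None."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    # Only the decoded signature bytes are compared, so any spelling of the
    # signature segment that decodes to the same bytes still verifies.
    if not hmac.compare_digest(expected, b64url_decode_lenient(sig)):
        return None
    return json.loads(b64url_decode_lenient(body))


def canonical(token: str) -> str:
    """Decode and re-encode every segment so all spellings of one token collapse."""
    return ".".join(b64url_encode(b64url_decode_lenient(s)) for s in token.split("."))


def revoked_by_string(token: str, blacklist: set) -> bool:
    # What the challenge does: compares the raw string, so re-spelling evades it.
    return token in blacklist


def revoked_canonical(token: str, blacklist: set) -> bool:
    # Fix: blacklist the canonical form (or, better still, the token's jti claim).
    return canonical(token) in blacklist
```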
22. CRLF
Input -> fuzz
Entering a random username and password, we clearly see the log records the username -> attack from here.
The goal is to get the log to record admin authenticated.
Send the payload in the URL, URL-encoded so the server decodes it again.
23. Insecure Code Management
24.PHP - assert()
Detect a File Inclusion bug -> LFI via PHP's assert()
Suspicious:
Command: