Recently I came across an article about OWASP Juice Shop, which I found very interesting. After getting started I realized it is an excellent vulnerability practice range, so I am introducing the environment here. The range was developed by OWASP, covers the OWASP Top 10 vulnerability categories, and has 47 challenges in total at different difficulty levels. I will walk through the whole range, starting with setting up the environment.
0x02 Setup
Juice Shop is an open source project; the source code is available on GitHub (https://github.com/bkimminich/juice-shop). The easiest way to install it is with Docker. My environment is Ubuntu + Docker.
1. Install Ubuntu in a virtual machine (I use Ubuntu 16.04 64-bit); look up the installation steps yourself.
2. Install Docker on Ubuntu.
0x03 Playing through
Level 1: Score board
I have to say Juice Shop is not beginner-friendly: there are no hints on the page, and at first I really did not know where to start. I began by viewing the source of the home page and found `<a href="#/score-board">Score Board</a>`. So there is a page at #/score-board; visiting it shows the requirements of every level.
Level 2: Error handling
My first idea was to test the login form: in the login fields, try whether special characters trigger an SQL error. The result is shown below. The error message reveals the SQL statement used for login verification. The value is enclosed in single quotes, so the error here is caused by the single quote. Keep this SQL statement in mind; it is useful later for building the universal password. (There are four places where such errors can be triggered; interested readers can find the other ones.)
Level 3: XSS tier 1
The task is to use `<script>alert("xss1")</script>` to perform a reflected XSS. Since it is cross-site scripting, the first thing that comes to mind is the search box. Pasting the payload straight into it pops the alert; the string does not need to be changed at all.
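The fix on the server side for this level is to encode the search term before reflecting it into the results page. The following is an added example, not Juice Shop's own code; the function names are assumptions.

```javascript
// Added example (not Juice Shop code): context-aware HTML escaping of the
// reflected search term. Function and constant names are assumptions.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Replace every character that can open a tag, attribute or entity in HTML text context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// The bug: the raw term is interpolated into markup, so the <script> tag is parsed as HTML.
function renderSearchHeadingUnsafe(term) {
  return `<h2>Search results for ${term}</h2>`;
}

// The fix: the escaped term is shown as literal text; the browser never sees a tag.
function renderSearchHeadingSafe(term) {
  return `<h2>Search results for ${escapeHtml(term)}</h2>`;
}
```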
The task is to delete a 5-star review. When I first saw this one I was fairly confused: where do I delete it? In fact, levels 6 and 8 have to be completed before this one can be solved, so finish those first.
Level 5: Confidential document
The task is to access a confidential document. My original idea was to scan for directories with the Yujian (御剑) directory scanner, but the clue that solves this one is in the site itself. Browsing the existing pages, I noticed that one line in the body of the About Us page looks different from the other lines. Click it and have a look.
Visiting it, you will find other files.
Remember this page; it will be used in later levels.
Level 6: Admin section
The task is to access the administration page of the site. My first thought was again to scan with Yujian, but I did not find the admin backend (and the environment got broken), which left me confused. I could only guess: I tried several common backend paths such as admin and administrator, without success. In fact, if your English is good you can find it from the description: "Access the administration section of the store." Trying "administration" gives the backend page.
Level 7: Zero stars
The task is to give the site a 0-star rating. This one is easy. Find the feedback page and note that it cannot be submitted without selecting a star; the guess is that this is front-end validation only. There are two methods: one is to edit the page code so the form can be submitted with 0 stars, the other is to submit a normal review, capture the request with Burp, and change the star rating in the request.
Level 8: Login admin
The task is to log in with an administrator account. At this point we do not know the format of the site's login accounts, so we can only try a universal password at the login form. This is where the error message from level 2 becomes valuable. According to the error message `select * from users where email = ''' and password = 'c4ca4238a0b923820dcc509a6f75849b'`, the universal password `' or 1=1 --` can be constructed. After logging in, the account turns out to be the admin account.
The task is to log in to the real admin@juice-sh.op account without changing the password and without using SQL injection. As soon as I saw the title I knew it had to be a weak password. (The admin account name can be seen in Your Basket.)
Level 10: Basket access
The task is to add items to someone else's basket; this is clearly an authorization (privilege) flaw. Use Burp to capture the request while adding an item to the shopping basket: click Add to basket, and the captured link contains /rest/basket/1. Change the 1 to another number and you can add items to other people's baskets.
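Levels 7 and 10 both succeed because a check lives only in the browser or in the URL. The following added example (not Juice Shop's own code; handler shapes, session fields and the log format are assumptions) shows the server-side checks that close them and a small detection pass over constructed access-log lines.

```javascript
// Added example (not Juice Shop code): server-side validation for the rating
// (level 7), ownership check for the basket id (level 10), and a detection pass.
// Handler shapes, session fields, log format and owner table are assumptions.

// Level 7: re-validate the rating on the server; the front-end check can be edited away.
function validateFeedback(body) {
  const rating = Number(body.rating);
  if (!Number.isInteger(rating) || rating < 1 || rating > 5) {
    return { ok: false, status: 400, error: "rating must be an integer from 1 to 5" };
  }
  return { ok: true, rating, comment: String(body.comment || "").slice(0, 500) };
}

// Level 10: the id in /rest/basket/<id> is untrusted; compare it with the basket
// bound to the authenticated session instead of trusting the URL.
function authorizeBasketAccess(session, requestedBasketId) {
  if (!session || !session.userId) return { allowed: false, status: 401 };
  if (Number(requestedBasketId) !== session.basketId) return { allowed: false, status: 403 };
  return { allowed: true, basketId: session.basketId };
}

// Detection over constructed log lines "user=<id> basket=<id> path=<path>".
// OWNERS maps basket id -> owning user id (constructed sample data).
const OWNERS = { 1: 1, 2: 2, 3: 3, 4: 4 };
const SAMPLE_LOG = [
  "user=2 basket=2 path=/rest/basket/2",
  "user=2 basket=1 path=/rest/basket/1", // user 2 writing into basket 1
  "user=3 basket=3 path=/rest/basket/3",
  "user=2 basket=4 path=/rest/basket/4", // user 2 writing into basket 4
];

// Return every access where the acting user is not the basket's owner.
function findBasketMismatches(lines, owners) {
  const found = [];
  for (const line of lines) {
    const m = /user=(\d+) basket=(\d+)/.exec(line);
    if (!m) continue;
    const user = Number(m[1]);
    const basket = Number(m[2]);
    if (owners[basket] !== user) found.push({ user, basket });
  }
  return found;
}
```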
Level 11: Forgotten sales backup
The task is to access a backup file forgotten by the sales department. Level 5 must be finished first: it reveals an FTP page with several documents, whose purpose can be worked out from their English names. The only file left by sales is coupons_2013.md.bak (a coupons file). Clicking it shows that it cannot be downloaded: that file type is not allowed for download.
The task is to inform the shop, through the feedback comments, that it uses an algorithm or library that is at risk. This one asks which simple algorithms the site uses; the most common are URL encoding and Base64 encoding. I guessed this one and could not find where the weak encryption is actually used; if you have solved it, please share some advice. Entering Base64 in the comments passes the level.
Friends, this issue ends here; the following levels will be covered in the next issue. If you are interested, set up the environment and have a go. You are welcome to share your learning experience.
Reference links:
http://www.cnblogs.com/ichunqiu/p/7778053.html
https://github.com/bkimminich/pwning-juice-shop/blob/master/part2/README.md