TryHackMe: Complete Beginner
- author:: Nathan Acks
- date:: 2021-10-07
OWASP Top 10
(Severity 09) Components With Known Vulnerabilities
The trickiest part of this is that the project is called “CSE Bookstore”, but the exploit code in ExploitDB is listed under “Online Book Store”.
The actual vulnerability is two-fold:
(1) Admin image uploads bypass authentication.
(2) There’s no check on what actually gets uploaded, so we can push up a PHP script instead of an actual image.
OWASP Juice Shop
AH! Don’t Look!
Finally, a useful piece of general knowledge.
Some languages use null bytes to know when a string terminates, rather than tracking the actual string length (it looks like PHP is one of these). If a null byte (generally? always? encoded as %00) is included in a string, then everything after that byte is dropped by the interpreter.
Because % characters are themselves special, null bytes need to be encoded in URLs as
Typically a null byte will either be inserted at the end of a string (to prevent a common suffix from being appended, which can sometimes allow us to exfiltrate files we wouldn’t otherwise have access to) or before a “fake” file extension (which can cause some file-type checks to pass, again allowing us to download files we’d otherwise be denied access to).
The best way to defend against these attacks is to simply sanitize strings by explicitly removing any null bytes they contain.
$sanitized_string = str_replace(chr(0), '', $original_string);
Who’s Flying This Thing?
Broken access control vulnerabilities can be classified into one of two types:
- HORIZONTAL privilege escalation allows the attacker to perform actions as a different user with the same permissions they currently have.
- VERTICAL privilege escalation allows the attacker to perform actions as a different user with higher permissions than they currently have.
Where Did That Come From?
In addition to the <iframe/> tag by setting the src attribute to the javascript: pseudo-protocol. For example:
A useful HTTP header to know about: True-Client-IP supplies an override for the client IP address to the server (similar to X-Forwarded-For with proxies).
The lesson of this section: Don’t trust any user input, even HTTP headers!
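As an added example (not part of the original notes), here is how a server can apply that lesson: believe True-Client-IP or X-Forwarded-For only when the TCP peer is a reverse proxy we control, and fall back to the socket address otherwise. The trusted-proxy address and the sample requests are constructed for illustration.

```javascript
// Assumption: 10.0.0.5 is our own reverse proxy. Everyone else talks to us directly.
const TRUSTED_PROXIES = new Set(['10.0.0.5']);

// Resolve the client IP for a request. IP headers are user input: any peer can
// send them, so they are only honoured when the peer is one of our proxies
// (which must itself overwrite, not pass through, these headers).
function clientIp(socketAddr, headers) {
  if (!TRUSTED_PROXIES.has(socketAddr)) {
    return socketAddr; // direct connection: ignore True-Client-IP / X-Forwarded-For
  }
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  if (h['true-client-ip']) {
    return h['true-client-ip'].trim();
  }
  if (h['x-forwarded-for']) {
    // XFF is a comma-separated chain. Leading entries may have been supplied by
    // the client; only the rightmost hop was appended by our proxy, so it is
    // the only address the proxy actually observed.
    const hops = h['x-forwarded-for'].split(',').map(s => s.trim()).filter(Boolean);
    return hops[hops.length - 1];
  }
  return socketAddr;
}

// Example access rule that keys on the resolved address: admin pages only from localhost.
function isAdminAllowed(socketAddr, headers) {
  return clientIp(socketAddr, headers) === '127.0.0.1';
}

// Constructed requests. A direct peer claiming to be localhost via True-Client-IP
// is still seen as its real address and denied.
console.log(clientIp('203.0.113.7', { 'True-Client-IP': '127.0.0.1' }));            // 203.0.113.7
console.log(isAdminAllowed('203.0.113.7', { 'True-Client-IP': '127.0.0.1' }));      // false
// Through our proxy, the rightmost XFF hop is the real client, not the spoofed first entry.
console.log(clientIp('10.0.0.5', { 'X-Forwarded-For': '127.0.0.1, 198.51.100.9' })); // 198.51.100.9
```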