WEB-PenetrationTest

🔙 HOME

https://github.com/w181496/Web-CTF-Cheatsheet

Recon

• Common
  • Version
  • Info Leak
  • Git
• Scan Software

Frontedend

https://chromewebstore.google.com/detail/modheader-modify-http-hea/idgpnmonknjnojddfkpgkljpfnnfcklj

• Cookie
• Hash
• XSS
  • Introtuction
  • Self-XSS
  • Blind-XSS
  • Reflected XSS
  • Stored XSS
  • DOM-based XSS
  • XSS worm
  • Lab
  • Reference
• XSS Payload Prevent Bypass
  • XSS Payload
  • XSS Prevent and Bypass
  • CSP
  • CSP Bypass
  • CSP Exfiltration
  • Lab
• CSS Injection
• Prototype Pollution
• DOM Clobbering

  <input name="toString" value="evil">
  <script>
    alert(document.forms[0].toString); // 被污染了
  </script>

• Lax + POST
• Context-aware XSS
• Electron-Based 一個讓開發者能用 HTML、CSS、JavaScript 打包成跨平台桌面應用程式的框架 他整合了:Chromium(提供GUI渲染)、Node.js(提供系統級功能) https://speakerdeck.com/masatokinugawa/how-i-hacked-microsoft-teams-and-got-150000-dollars-in-pwn2own https://www.youtube.com/watch?v=TMh_WbF9VnM
• HTML to RCE 點開網頁就會出現小算盤 https://github.com/CrackerCat/CVE-2021-30632/blob/main/CVE-2021-30632.html

Backend

• SQL Injection
  • UNION:用UNION來將兩個語句合在一起
  • ERROR:透過錯誤訊息來取得資料
  • BOOLEAN:透過布林結果來判斷條件
  • TIME:透過Sleep來判斷條件
  • Out-Of-Band:讀檔、寫檔
• NoSQL Injection
  • Introduction
  • NoSQL - Common base
  • NoSQL - Blind base
  • Lab
• Code Injection
  • Simple Calculator
  • Code Injection function
  • Prevent Code Injection
  • Lab
• Command Injection
  • Source
  • Command Injection
  • Bypass Blacklist
  • Argument Injection
• SSRF
  • SSRF
  • URL - RFC3986
  • Blacklist
  • Whitelist Google
  • After DNS Resolution
  • Domain Obfuscator
  • Abusing URL Parsers
  • Lab
• XXE
  • XML
  • DTD
  • XXE
  • Lab
• CRLF Injection
• SSTI - Server side template Injection
• Serialization SSTI

PHP

• PHP Slogan
• Weak Type
• WebShell
• Path Traveral
• Local File Inclusion
• php wrapper
• LFI to RCE
• Lab

Tool

• https://pipedream.com/requestbinstbin
• Webshell
  • China Chopper 中國菜刀 : 通信不加密，流量特徵明顯易被發現，普通防火牆可徵測
  • AntSword 蟻劍 : 菜刀的升級版，支持Plugins與加密，但加密方式有跡可循，高級防火牆可偵測
  • Behinder 冰蠍 : 專攻隱身、動態繞過檢測，每次通信動態加密密鑰，惡意程式不落地，企業級攻防時常使用
  • Godzilla 哥斯拉 : 全能型攻防對抗天花板

LAB

1. Switch to the path where the docker-compose.yml file is located for each question.

# Start docker

# old version
docker-compose up -d
# new version
docker compose up -d

2. Restart and rebuild docker

# old version
docker-compose up --build --force-recreate 
# new version
docker compose up --build --force-recreate 

3. Question status

# old version
docker-compose ps
# new version
docker compose ps

# logs
docker compose logs -f

WebGoat

Soure

https://hackmd.io/@sunfrancis12/S1K5KDpf1l