The tasks posted in this repo are ported from the SEED Labs: https://seedsecuritylabs.org/labs.html. The credits go to Prof. Wenliang Du and his group at Syracuse.
(VMware users: please refer to "VMWareSetup.md".)
- Install VirtualBox.
- Download a pre-built SEED VM from Google Drive or the Direct Download Link.
- Create a new VM from the pre-built VM disk:
  - Open VirtualBox and click "New".
  - Create a virtual machine as the picture shows.
  - Choose "Use an existing virtual hard disk file", and select the pre-built VM disk file downloaded above.
  - Start the virtual machine.
I finished the first experiment and want to do the second one, but there are problems with the service startup
When you finish one experiment (such as XSS or CSRF), stop its Docker containers by running `docker-compose down` under its "Labsetup" path (or simply reboot the VM). Then follow the "Set up the Web Security environment" instructions for the next one.

It is recommended to keep different experiments under different paths, e.g. download "Labsetup.zip" for XSS to ~/Downloads/XSS/ and "Labsetup.zip" for CSRF to ~/Downloads/CSRF/.
When visiting some hosts (www.attacker32.com, www.seed-server.com), the browser takes me to GoDaddy
Check the /etc/hosts file inside the VM and make sure the IP addresses and hostnames are correct. Note that these names might already have been added to the file by other labs; if they are mapped to different IP addresses, the old entries must be removed. You can also edit this file manually with sudo; a correct set of entries looks like the following:
```
10.9.0.5 www.seed-server.com
10.9.0.5 www.example32.com
10.9.0.105 www.attacker32.com
```
Also try a "New Private Window", because its cache is cleared when the browser is closed.
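An added check for the /etc/hosts problem above (not part of the lab materials): it parses hosts content, reports lab hostnames bound to a different IP, and produces corrected content. The hosts file text inside it is constructed for the demo; on the VM you would read /etc/hosts instead.

```python
# Added example (not from the lab materials): detect lab hostnames in
# /etc/hosts that point at the wrong IP, and produce corrected content.
# Mappings the XSS/CSRF/SQLi labs expect, as given in the instructions.
EXPECTED = {
    "www.seed-server.com": "10.9.0.5",
    "www.example32.com": "10.9.0.5",
    "www.attacker32.com": "10.9.0.105",
}

# Constructed sample hosts file: one stale attacker32 entry left by some
# other lab, one correct entry, and unrelated lines that must be kept.
SAMPLE_HOSTS = """127.0.0.1 localhost
127.0.1.1 VM
10.9.0.80 www.attacker32.com   # stale (constructed for this demo)
10.9.0.5 www.seed-server.com
"""

def parse_hosts(text):
    """Yield (ip, [hostnames]) per entry, skipping blanks and '#' comments."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            yield fields[0], fields[1:]

def find_conflicts(text, expected=EXPECTED):
    """Map each lab hostname to the unexpected IPs it is bound to."""
    conflicts = {}
    for ip, names in parse_hosts(text):
        for name in names:
            if name in expected and expected[name] != ip:
                conflicts.setdefault(name, []).append(ip)
    return conflicts

def missing_entries(text, expected=EXPECTED):
    """Lab hostnames that have no line with the expected IP."""
    ok = {n for ip, names in parse_hosts(text) for n in names if expected.get(n) == ip}
    return sorted(set(expected) - ok)

def fixed_hosts(text, expected=EXPECTED):
    """Drop lines binding a lab hostname to the wrong IP and append the
    missing ones (the manual 'remove old entry, tee -a new entry' steps)."""
    kept = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        stale = any(n in expected and expected[n] != fields[0] for n in fields[1:])
        if not stale:
            kept.append(line)
    for name in missing_entries(text, expected):
        kept.append(f"{expected[name]} {name}")
    return "\n".join(kept) + "\n"
```

Run `find_conflicts` on the real file first; only write back the output of `fixed_hosts` (with sudo) once the reported conflicts are the ones you expect.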
Inside the Lab VM:
- Open a Terminal
- Download the required file: `wget --no-check-certificate -c https://seedsecuritylabs.org/Labs_20.04/Files/Web_XSS_Elgg/Labsetup.zip`
- Run `unzip Labsetup.zip && cd Labsetup`
- Edit the hosts file, adding a line at the end of the /etc/hosts file, e.g.: `echo 10.9.0.5 www.seed-server.com | sudo tee -a /etc/hosts`
- Run `docker-compose up -d`
- Open a browser and visit www.seed-server.com
- Username: alice, Password: seedalice; or Username: boby, Password: seedboby
(Run `docker-compose down` to shut down the server when you have finished this section.)
Inside the Lab VM:
- Open a Terminal
- Download the required file: `wget --no-check-certificate -c https://seedsecuritylabs.org/Labs_20.04/Files/Web_CSRF_Elgg/Labsetup.zip`
- Run `unzip Labsetup.zip && cd Labsetup`
- Edit the hosts file, adding lines at the end of the /etc/hosts file, e.g.: `echo 10.9.0.5 www.seed-server.com | sudo tee -a /etc/hosts;echo 10.9.0.5 www.example32.com | sudo tee -a /etc/hosts;echo 10.9.0.105 www.attacker32.com | sudo tee -a /etc/hosts`
- Run `docker-compose up -d`
- Open a browser and visit www.seed-server.com
- Username: alice, Password: seedalice; or Username: samy, Password: seedsamy
- Edit the attacker's pages: run `dockps` to find the id of the "attacker" container, and use `docksh <container id>` to edit the attacker's HTML inside the container, e.g.:
```
[02/13/22]seed@VM:~/.../Labsetup$ dockps
53856dffc574 attacker-10.9.0.105
ca925c10bf2c elgg-10.9.0.5
50ea207fc673 mysql-10.9.0.6
[02/13/22]seed@VM:~/.../Labsetup$ docksh 53856dffc574
root@53856dffc574:/# cd /var/www/attacker/
root@53856dffc574:/var/www/attacker# nano addfriend.html
```
Inside the Lab VM:
- Open a Terminal
- Download the required file: `wget --no-check-certificate -c https://seedsecuritylabs.org/Labs_20.04/Files/Web_SQL_Injection/Labsetup.zip`
- Run `unzip Labsetup.zip && cd Labsetup`
- Edit the hosts file, adding a line at the end of the /etc/hosts file, e.g.: `echo 10.9.0.5 www.seed-server.com | sudo tee -a /etc/hosts`
- Run `docker-compose up -d`
- Open a browser and visit www.seed-server.com
- Username: alice, Password: seedalice; or Username: admin, Password: seedadmin
You can edit Boby's profile from this link: http://www.seed-server.com/profile/boby/edit
Make some changes so that an alert window pops up:
Boby comments on a post of Alice's; when Alice views the comment, Alice's cookie is stolen.
You may need to write some JavaScript code to send the victim's cookie to your server.
This task involves two Elgg users, Alice and Samy. Samy wants to become a friend of Alice, but Alice refuses to add him to her Elgg friend list. Samy decides to use a CSRF attack to
achieve his goal. He sends Alice a URL (via an email or a posting in Elgg); Alice, curious about it, clicks on the URL, which leads her to Samy's web site: www.attacker32.com. Pretend that you are Samy and describe how you can construct the content of the web page so that, as soon as Alice visits it, Samy is added to Alice's friend list (assuming Alice has an active session with Elgg).
You need to edit addfriend.html inside the attacker-10.9.0.105 container; the page can then be accessed from http://www.attacker32.com/addfriend.html
Samy plans to use a CSRF attack to modify Alice's profile.
The PHP code unsafe_home.php is located in the /var/www/SQL_Injection directory.
```
[02/13/22]seed@VM:~$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3abc9ed9486b seed-image-www-sqli "/bin/sh -c 'service…" 9 minutes ago Up 9 minutes www-10.9.0.5
5dcc12432c92 seed-image-mysql-sqli "docker-entrypoint.s…" 9 minutes ago Up 9 minutes 3306/tcp, 33060/tcp mysql-10.9.0.6
[02/13/22]seed@VM:~$ dock
docker dockerd docker-proxy docksh
docker-compose docker-init dockps
[02/13/22]seed@VM:~$ docksh 3abc9ed9486b
root@3abc9ed9486b:/var/www# cd /var/www/SQL_Injection/
root@3abc9ed9486b:/var/www# nano unsafe_home.php
```
Use the login page from www.seed-server.com. User DB:
| Name | Employee ID | Password | Salary | Birthday | SSN | Nickname | Email | Address | Phone# |
|---|---|---|---|---|---|---|---|---|---|
| Admin | 99999 | seedadmin | 400000 | 3/5 | 43254314 | | | | |
| Alice | 10000 | seedalice | 20000 | 9/20 | 10211002 | | | | |
| Boby | 20000 | seedboby | 50000 | 4/20 | 10213352 | | | | |
| Ryan | 30000 | seedryan | 90000 | 4/10 | 32193525 | | | | |
| Samy | 40000 | seedsamy | 40000 | 1/11 | 32111111 | | | | |
| Ted | 50000 | seedted | 110000 | 11/3 | 24343244 | | | | |
You need to execute a new SQL statement using the SQL injection vulnerability.
HINT: You can simply use curl to verify SQL injection vulnerabilities, e.g. `curl 'www.seed-server.com/unsafe_home.php?username=alice%27&Password=11'`. You will find that the server reports an SQL statement error:
The PHP code unsafe_home.php, located in the /var/www/SQL_Injection directory inside the www Docker container, is used to perform user authentication. Think about why this problem occurs by locating the relevant PHP code.
You also need to think about this question: why, when I enter the username admin'# , does the server let me log in directly, no matter what password I input?
http://www.seed-server.com/unsafe_home.php?username=admin%27%23&Password=anypass
The PHP code for this task is in the unsafe_edit_backend.php file.
Use the SQL injection vulnerability to modify any user's information.
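To make the two questions above concrete, here is an added example (not the lab's own PHP) of the authentication query assembled by string concatenation, the way unsafe_home.php builds it, beside a parameterised version that treats the same input as plain data. It uses an in-memory sqlite3 table standing in for the lab's MySQL database, with constructed lowercase login names and plaintext passwords; sqlite3 does not treat `#` as a comment, so `admin'#` produces a statement error here rather than a login, while the single-quote probe from the curl hint errors in both engines.

```python
# Added example, not the lab's PHP: the authentication query assembled by
# string concatenation (as unsafe_home.php does) beside a parameterised
# version. sqlite3 stands in for the lab's MySQL; it does not treat '#' as
# a comment, so admin'# yields a statement error here instead of a login,
# while the single-quote probe from the curl hint errors in both engines.
import sqlite3

# Constructed copy of the lab's user table with lowercase login names and
# plaintext passwords (how the real lab stores them is not reproduced).
USERS = [
    ("admin", 99999, "seedadmin"), ("alice", 10000, "seedalice"),
    ("boby", 20000, "seedboby"), ("ryan", 30000, "seedryan"),
    ("samy", 40000, "seedsamy"), ("ted", 50000, "seedted"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE credential (name TEXT, eid INTEGER, password TEXT)")
    conn.executemany("INSERT INTO credential VALUES (?, ?, ?)", USERS)
    return conn

def build_unsafe_query(username, password):
    """Statement text the vulnerable page sends: input is pasted into the
    SQL, so a quote closes the name literal and, in MySQL, everything after
    '#' (the whole password check) becomes a comment."""
    return (f"SELECT name, eid FROM credential WHERE name='{username}' "
            f"AND password='{password}'")

def login_unsafe(conn, username, password):
    """Run the concatenated query: the matching row, None, or 'sql-error'
    when the input broke the statement (the error the curl hint shows)."""
    try:
        return conn.execute(build_unsafe_query(username, password)).fetchone()
    except sqlite3.OperationalError:
        return "sql-error"

def login_safe(conn, username, password):
    """Parameterised form: values travel separately from the statement, so
    admin'# is compared as a plain username that no row has."""
    return conn.execute(
        "SELECT name, eid FROM credential WHERE name=? AND password=?",
        (username, password)).fetchone()
```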
The experiments involved in this course are from Syracuse SEED labs, and on this basis, they are modified to adapt to the environment of the class. The modified experimental documents still follow the GNU Free Documentation License.