[Owasp-o2-platform] How to change a parameter?

Thiago Stuckert thiago.melo.stuckert at gmail.com
Wed Dec 8 08:20:55 EST 2010


Sorry for the late feedback.
The script worked for me. =)
But I fail to open the 'WebGoat BlackBox exploits', I have to install
something before?
Follow the error attached.
Thank you for your support, Thiago.


On 3 December 2010 12:44, dinis cruz <dinis.cruz at owasp.org> wrote:

> Hi Thiago
>
> Thanks for giving O2 a try, I've looked at your script and have come up
> with a *first-pass-at-a-solution* which you can get from here:
> http://o2platform.wordpress.com/2010/12/03/solving-webgoat-sql-injection-lesson-3rd-one/
>
> Expanding on how the blog's entry description on I solved the problem you
> where having (i.e. how to change the value of the* ie.selectLists()[1].options()[0].select()
> *field), here are the specific steps/workflow I took to address it:
>
>
>    - See if there is an Watin_IE extension method that already supports
>    this (see Watin_IE_ExtensionMethod.cs<http://code.google.com/p/o2platform/source/browse/trunk/O2_Scripts/APIs/Windows/WatiN/WatiN_IE_ExtensionMethods.cs>for the full list). Unfortunately, today (unlike TextBoxes for example) that
>    is not there (basically because nobody asked for it before :)  ). Also note
>    that this version of WatiN doesn't support the direct editing of this value,
>    i.e.: *ie.selectLists()[1].options()[0].Value = PAYLOAD*
>    - Since there was no easy way to change it (and I was pressed for
>    time), I decided to manipulate directly the HTML (instead of creating the
>    extension method):
>       - First I tried to change the value of the Option directly: *ie.selectLists()[1].options()[0].outerHtml("PAYLOAD")
>       *which although worked in the control, it broke the HTML of the page
>       - I then decided to change the select control directly, ie: *
>       ie.selectLists()[1].outerHtml("PAYLOAD") *which worked ok (note that
>       that actual payload was a search and replace for the current value of the
>       option we wanted to edit
>    - Once the Html was modified, it was just a case of submitting the
>    button using *ie.button("ViewProfile").click(); *
>    - I also added a check at the end to make sure it was working
>
> Couple notes:
>
>    - This script can be dramatically simplified once we add support for
>    modifying the Options Html tag to the Watin_IE_ExtensionMethod.cs<http://code.google.com/p/o2platform/source/browse/trunk/O2_Scripts/APIs/Windows/WatiN/WatiN_IE_ExtensionMethods.cs>).
>    There is also a number of debug message that I put in this code to help
>    understanding what is going on (which can be removed)
>    - There is actually an WebGoat API which could be used to perform a
>    number of actions (see API_WebGoat.cs<http://code.google.com/p/o2platform/source/browse/trunk/O2_Scripts/_Sample_Vulnerabilities/WebGoat/API_WebGoat.cs>
>    )
>    - This script should be converted into an UnitTest with the final check
>    done using an Assert.That(...)
>    - For performance reasons this script can also be written without IE
>    Browser automation (O2 also has extended support for direct Http
>    Requests/Responses manipulations)
>    - One of the research projects that I'm doing at the moment (and could
>    really do with some help) is how to 'translate' this script into something
>    that can be consumed by an BlackBox scanner or proxy (one of my targets is
>    Custom O2 version of Netsparker <http://www.mavitunasecurity.com/> that
>    I'm building)
>
> Let us know if this works out for you
>
> Dinis Cruz
>
> Blog: http://diniscruz.blogspot.com
> Twitter: http://twitter.com/DinisCruz
> Web: http://www.owasp.org/index.php/O2
>
>
>   On 3 December 2010 13:12, Thiago Stuckert <
> thiago.melo.stuckert at gmail.com> wrote:
>
>>  Hi, I am trying to solve the third stage of WebGoat sqli through the O2.
>> I can select the larry profile in the list with:
>> ie.selectLists()[1].options()[0].select().flash();
>> but I fail to change the value of the paramater id.
>>
>> Another way to do this, is intercept the request with webscarab,
>> Someone automated the webscarab with O2?
>>
>> Follow my script:
>>
>> panel.clear();
>> var ie = panel.add_IE().silent(true);
>>
>> ie.open("http://172.16.234.138");
>> ie.link("OWASP WebGoat version 5.3.x").click();
>> ie.link("Injection Flaws").click();
>> ie.link("LAB: SQL Injection").click();
>> ie.link("Stage 3: Numeric SQL Injection").click();
>>
>> /*Login with larry user*/
>> ie.field("password").value("larry");
>> ie.button("Login").flash().click();
>>
>> ie.selectLists()[1].options()[0].select().flash();
>> var payload = "101 OR 1=1 ORDER BY salary desc";
>>
>> /*Change the id*/
>> /* I couldnt do this */
>>
>> ie.button("ViewProfile").click();
>>
>> return 0;
>>
>> --
>> Thiago
>>
>> _______________________________________________
>> Owasp-o2-platform mailing list
>> Owasp-o2-platform at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-o2-platform
>>
>>
>


-- 
Thiago
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-o2-platform/attachments/20101208/b1127116/attachment.html 
-------------- next part --------------
?[9:06:38 AM] ERROR:      InnerException:    at O2.DotNetWrappers.ExtensionMethods.Control_ExtensionMethods.controls(Control control, Boolean recursiveSearch)
   at O2.DotNetWrappers.ExtensionMethods.Control_ExtensionMethods.controls(Control control)
   at O2.DotNetWrappers.ExtensionMethods.Control_ExtensionMethods.controls(Control control, Boolean recursiveSearch)
   at O2.XRules.Database.WebGoat.WebGoat_BlackBox_Exploits.launchExploitExecutionEnvironemnt()
   at O2.XRules.Database.WebGoat.WebGoat_BlackBox_Exploits.launchGui()  StackTrace:

   at O2.DotNetWrappers.ExtensionMethods.Control_ExtensionMethods.controls(Control control, Boolean recursiveSearch)
   at O2.DotNetWrappers.ExtensionMethods.Control_ExtensionMethods.controls(Control control)
   at O2.DotNetWrappers.ExtensionMethods.Control_ExtensionMethods.controls(Control control, Boolean recursiveSearch)
   at O2.XRules.Database.WebGoat.WebGoat_BlackBox_Exploits.launchExploitExecutionEnvironemnt()
   at O2.XRules.Database.WebGoat.WebGoat_BlackBox_Exploits.launchGui()


[9:06:38 AM] ERROR:      InnerException: Object reference not set to an instance of an object. Object reference not set to an instance of an object.
[9:06:38 AM] ERROR: in reflection.invokeMethod_InstanceStaticPublicNonPublic  StackTrace:

   at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object[] arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
   at System.RuntimeMethodHandle.InvokeMethodFast(Object target, Object[] arguments, Signature sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean skipVisibilityChecks)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.Reflection.MethodBase.Invoke(Object obj, Object[] parameters)
   at O2.Kernel.InterfacesBaseImpl.KReflection.invoke(Object oLiveObject, MethodInfo methodInfo, Object[] methodParameters)


[9:06:38 AM] ERROR: in reflection.invokeMethod_InstanceStaticPublicNonPublic Exception has been thrown by the target of an invocation.
[9:06:38 AM] ERROR: CompilationErrors:

0::0::CS0006::Metadata file 'O2_Core_XRules.dll' could not be found::
0::0::CS0006::Metadata file 'O2_External_O2Mono.dll' could not be found::
[9:06:38 AM] ERROR: Compilation failed
[9:06:38 AM] ERROR: [CSharp_FastCompiler] Compilation Error: 0::0::CS0006::Metadata file 'O2_External_O2Mono.dll' could not be found::
[9:06:38 AM] ERROR: [CSharp_FastCompiler] Compilation Error: 0::0::CS0006::Metadata file 'O2_Core_XRules.dll' could not be found::
[9:06:37 AM] INFO: Compiling Source Code (Size: 5396)
[9:06:37 AM] INFO: Sleeping for: 100 mili-seconds
[9:06:37 AM] INFO: found cached compiled assembly: C:\O2\_tempDir\12-1-2010\tmpA6D1.tmp.dll
[9:06:37 AM] DEBUG: Ast parsing was OK
[9:06:37 AM] DEBUG: in getCachedCompiledAssembly, found cached assembly for script/md5hash with size '28' to cached assembly 'C:\O2\_tempDir\11-16-2010\tmp3308.tmp.dll'
[9:06:37 AM] DEBUG: in getCachedCompiledAssembly, found cached assembly for script/md5hash with size '23' to cached assembly 'C:\O2\_tempDir\12-1-2010\tmp7A22.tmp.dll'
[9:06:37 AM] INFO: Compiling Source Snippet (Size: 4739)
[9:06:37 AM] INFO: Sleeping for: 100 mili-seconds
[9:06:37 AM] INFO: Setting CurrentScript to: C:\O2\O2Scripts_Database\_Scripts\_Sample_Vulnerabilities\BlackBox - Exploit Execution.h2
[9:06:37 AM] DEBUG: Compilation was OK
[9:06:33 AM] INFO: Compiling Source Code (Size: 5413)
[9:06:33 AM] INFO: Sleeping for: 100 mili-seconds
[9:06:33 AM] INFO: found cached compiled assembly: C:\O2\_tempDir\12-1-2010\tmp5D72.tmp.dll
[9:06:32 AM] INFO: Setting CurrentScript to: C:\O2\O2Scripts_Database\_Scripts\_Sample_Vulnerabilities\WebGoat\WebGoat_BlackBox_Exploits.cs
[9:06:32 AM] INFO: Setting CurrentScript to: C:\O2\O2Scripts_Database\_Scripts\_Sample_Vulnerabilities\WebGoat\WebGoat_BlackBox_Exploits.cs
[9:06:23 AM] INFO: Testing logging: Info Message
[9:06:23 AM] DEBUG: Testing logging: Debug Message


More information about the Owasp-o2-platform mailing list