USING WEB PROXIES ZAP Scanner

Hi, could anyone give me a hint on the vulnerability to find for the question "Using Web Proxies" in the "ZAP Scanner" chapter? I ran both ZAP and Burp Scanner, but the vulnerabilities which came up seem to require a bit too much effort for a 1-point question.

Although I don't have any help to offer, I did get a little further. I did the spider, active scan and the AJAX spider scan, but only found medium vulnerabilities. The question clearly says to look for the high alert. BTW, I am very new and don't know much. I then ran several active scans on other URLs within this scope. I eventually found a high alert in the URL: http://167.71.132.9:32741/devtools/ping.php?ip=127.0.0.1%26cat+%2Fetc%2Fpasswd%26

When you open this in the browser and view the source, it shows lots of information that appears to be the logins and passwords for users. This site explains how to use them: https://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/ and I'm sure that is very useful in the right hands, but I couldn't figure much out from there.

It appears like we should alter the URL to send a command such as cat flag.txt or ls, but I can't make anything work other than the command from ZAP. I also looked at the references from ZAP, but again, I couldn't get any further. I tried %26ls%26,

Edit: So, while typing, I guess I figured something out by accident. If you use %3B (which is a semicolon) instead of %26, then you can perform almost any command. I just found this on another site from the OWASP command injection reference. I then just did the normal looking around with ls commands until I found the flag. And if you are new like me, don't forget that you can use ls on any directory without leaving your current one. Start at the top with ls /; and then you can do the same with cat / so you don't have to change directory. Hope this helps!

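The high alert above is OS command injection: the `ip` query parameter is handed to a shell, so a URL-encoded `&` (`%26`) or `;` (`%3B`) terminates the `ping` command and runs whatever follows. As an added example (not from the thread or the lab), the Python below shows the two things a defender wants from this finding: a log check that flags such requests in access logs, and the input validation that stops them. The log lines are constructed for the example and only reuse the request shapes already quoted in the thread; the `/devtools/ping.php` path and `ip` parameter name are taken from the posts above, and the function names are my own.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Characters that let a value break out of a shell command line.
# `$(` is matched as a pair so `$(id)` is caught even though `$` alone is.
SHELL_META = re.compile(r"[;&|`$<>\n]|\$\(")


def fully_decode(value, rounds=3):
    """Undo percent-encoding repeatedly so double-encoded payloads
    (e.g. %253B -> %3B -> ;) are seen in their final form."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_valid_ipv4(value):
    """True only for a bare dotted-quad literal; anything else is rejected."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def find_injection(path_and_query, param="ip"):
    """Return the decoded values of `param` that contain shell metacharacters
    or are not a plain IPv4 address. An empty list means the request is clean."""
    hits = []
    query = parse_qs(urlsplit(path_and_query).query, keep_blank_values=True)
    for raw in query.get(param, []):
        value = fully_decode(raw)
        if SHELL_META.search(value) or not is_valid_ipv4(value):
            hits.append(value)
    return hits


# Constructed Apache/nginx-style access log lines for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /devtools/ping.php?ip=127.0.0.1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /devtools/ping.php?ip=127.0.0.1%26cat+%2Fetc%2Fpasswd%26 HTTP/1.1" 200 2048
10.0.0.5 - - [01/Jan/2024:10:00:12 +0000] "GET /devtools/ping.php?ip=127.0.0.1%3Bls%3B HTTP/1.1" 200 900
10.0.0.9 - - [01/Jan/2024:10:00:20 +0000] "GET /index.php HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_log(text):
    """Return (source_ip, request_path, offending_value) for every request
    whose `ip` parameter fails the check above."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = find_injection(m["path"])
        if hits:
            alerts.append((m["src"], m["path"], hits[0]))
    return alerts


def safe_ping_args(ip):
    """The fix on the server side: validate strictly, then build an argv list
    for subprocess.run(..., shell=False) so no shell ever parses the value."""
    if not is_valid_ipv4(ip):
        raise ValueError("ip parameter must be a plain IPv4 address")
    return ["ping", "-c", "1", ip]


if __name__ == "__main__":
    for src, path, value in scan_log(SAMPLE_LOG):
        print(f"ALERT src={src} decoded_ip={value!r} path={path}")
    print(safe_ping_args("127.0.0.1"))
```

Two design points: the detector decodes before matching, because the alert-worthy characters only exist after percent-decoding (which is also why a naive search for a literal `;` in the raw log misses `%3B`); and the fix uses an allow-list (a parseable IPv4 literal) and an argv list rather than trying to strip or escape metacharacters, since a deny-list is exactly what the `%26` to `%3B` switch in the thread gets around.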

I don't know how you scanned devtools/ping.php?ip=127.0.0.1%26cat+%2Fetc%2Fpasswd%26; I did not find it through Burp and ZAP scanning.

But according to the prompts, you should cat /flag.txt instead of flag.txt. I successfully found the flag. I hope it will help you.

I managed to find the flag, but I didn't get a high alert indication, even after running spider, AJAX, and active scans.

Also did not get a high alert from either ZAP or Burp Suite Pro. Curious what steps I missed.

As mentioned above: http://x.x.x.x:PORT/devtools/ping.php?ip=127.0.0.1%26cat+/flag.txt