FUMP - In Testbed with Naxsi
This is a Naxsi testbed with a handful of vulnerable test apps. Besides the Naxsi core rules, you'll also find the Doxi rules applied.
See this link for a detailed description of the setup.
Here for BSidesHN on 20.03.2015 in Hanover? Look here!
If you manage to break in and access any information you shouldn't, please contact us via firstname.lastname@example.org; unless you object, you will be credited in the Credits section below. If your finding leads to an improvement of Naxsi, you'll get a T-shirt (please allow 2 weeks for shipping if you're outside Europe).
- get some SQL injection working against the very vulnerable sqli-page: enumerate the DB banner, databases, tables, number of rows per table etc. (GET works as well as POST)
- perform path-traversal through the path-traversal-page and read /etc/passwd
- get some remote file inclusion through our remote-file-inclusion-page working and perform some local commands (uname -a or similar)
- get some reflected XSS working through this xss-page
- inject a string like "/etc/passwd" via HTTP request splitting (chunked transfer encoding)
- POST invalid JSON via this JSON-Test
- Hacking Naxsi Workshop @ BSidesHH 28.12.2014
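As an added example, not code from this testbed, from Naxsi or from the Doxi rules, the Python script below illustrates the idea behind the chunking challenge: the same body is sent with `Transfer-Encoding: chunked` so that a string such as "/etc/passwd" never appears contiguously on the wire, and a filter that pattern-matches the raw request misses it, while one that reassembles the chunks first sees it. The host, path and form field are placeholders, not the testbed's real URLs, and the script makes no claim about how Naxsi itself handles chunked bodies; it only shows what an inspector must do to see the payload.

```python
"""Added example: split a payload across HTTP chunk boundaries and show
why a filter must dechunk the body before inspecting it.
Host, path and form field are placeholders (assumptions), not testbed URLs."""


def build_chunked_request(host: str, path: str, body: bytes, chunk_sizes) -> bytes:
    """Build a raw HTTP/1.1 POST whose body uses Transfer-Encoding: chunked,
    cut into the given chunk sizes; any remainder becomes a final data chunk."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Transfer-Encoding: chunked\r\n"
        "\r\n"
    ).encode()
    out = bytearray(head)
    pos = 0
    for size in chunk_sizes:
        piece = body[pos:pos + size]
        if not piece:
            break
        # chunk-size in hex, CRLF, chunk-data, CRLF (RFC 7230 section 4.1)
        out += f"{len(piece):x}\r\n".encode() + piece + b"\r\n"
        pos += len(piece)
    rest = body[pos:]
    if rest:
        out += f"{len(rest):x}\r\n".encode() + rest + b"\r\n"
    out += b"0\r\n\r\n"  # terminating zero-length chunk, no trailers
    return bytes(out)


def dechunk(raw: bytes) -> bytes:
    """Reassemble the body of a chunked request: the view an inspector must
    match against. Chunk extensions (';name=value') on the size line are
    ignored; a chunk not followed by CRLF is rejected as malformed."""
    header_end = raw.index(b"\r\n\r\n") + 4
    data = raw[header_end:]
    body = bytearray()
    while True:
        line_end = data.index(b"\r\n")
        size = int(data[:line_end].split(b";")[0].strip(), 16)
        data = data[line_end + 2:]
        if size == 0:
            break
        body += data[:size]
        if data[size:size + 2] != b"\r\n":
            raise ValueError("malformed chunk: missing CRLF after chunk data")
        data = data[size + 2:]
    return bytes(body)


def naive_match(raw: bytes, needle: bytes) -> bool:
    """A filter that only looks at the bytes as received on the wire."""
    return needle in raw


def demo():
    """Constructed sample: the payload is split so that '/etc/passwd' straddles
    two chunk boundaries; returns (raw_hit, dechunked_hit)."""
    body = b"file=/etc/passwd"
    raw = build_chunked_request("testbed.example", "/traversal", body, [8, 3])
    needle = b"/etc/passwd"
    return naive_match(raw, needle), naive_match(dechunk(raw), needle)


if __name__ == "__main__":
    raw_hit, dechunked_hit = demo()
    print("raw wire bytes contain payload:", raw_hit)
    print("dechunked body contains payload:", dechunked_hit)
```

With chunk sizes `[8, 3]` the wire carries `file=/et`, `c/p` and `asswd` as three separate chunks, so the raw bytes never contain `/etc/passwd`; only the reassembled body does. Any inspection that runs before dechunking is therefore blind to this payload, which is exactly what the chunking challenge probes.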