Lesser Known Web Attack Lab
Languages: CSS, Hack, PHP, JavaScript, Dockerfile
Branch: master. Latest commit a8e6853, Jan 11, 2020.
| Name | Latest commit message | Commit time |
|---|---|---|
| api | Delete test.php | Dec 23, 2019 |
| css | Add Files | Dec 15, 2019 |
| images | Add files via upload | Jan 11, 2020 |
| img | Add Files | Dec 15, 2019 |
| jquery | Add Files | Dec 15, 2019 |
| js | Add Files | Dec 15, 2019 |
| objectInjection | Update sidebar.php | Jan 7, 2020 |
| objectInjection_cookie | Update sidebar.php | Jan 7, 2020 |
| objectref | Update sidebar.php | Jan 7, 2020 |
| phar_deserial | Create readme.md | Jan 8, 2020 |
| rce | Update sidebar.php | Jan 7, 2020 |
| scss | Add Files | Dec 15, 2019 |
| ssrf | fixed bug | Jan 8, 2020 |
| variables | Update variable.php | Jan 7, 2020 |
| vendor | Add Files | Dec 15, 2019 |
| xssi | Update sidebar.php | Jan 7, 2020 |
| Dockerfile | Add Dockerfile and docker-compose configuration | Jan 7, 2020 |
| README.md | Update README.md | Jan 11, 2020 |
| content.php | Add Files | Dec 15, 2019 |
| docker-compose.yml | Add Dockerfile and docker-compose configuration | Jan 7, 2020 |
| footer.php | Add Files | Dec 15, 2019 |
| gulpfile.js | Add Files | Dec 15, 2019 |
| index.php | Add Files | Dec 16, 2019 |
| sidebar.php | fix link | Jan 8, 2020 |

README.md

LKWA

Lesser Known Web Attack Lab is for intermediate pentesters who want to test and practice lesser-known web attacks such as PHP Object Injection, XSSI, PHAR Deserialization, variable variables, etc. Write-ups are welcome. My own walk-through is here.

Installation

Clone the repository with `git clone https://github.com/weev3/LKWA`, move the checkout into the document root of a PHP-enabled web server (the lab itself is written in PHP), and you are good to go. Two challenges need extra server configuration:

  • For the XSSI challenge, change `AllowOverride None` to `AllowOverride All` in `apache2.conf`, so that Apache honours per-directory `.htaccess` files.
  • For the PHAR Deserialization challenge, change `phar.readonly = On` to `phar.readonly = Off` in `php.ini`. This lets PHP create and modify Phar archives; the setting cannot be turned off at runtime with `ini_set()`, so the `php.ini` edit (followed by a web-server restart) is required.
  • Both changes loosen hardening that is normally left in place. Run the lab in an isolated VM or container, never on a shared or Internet-facing host.

Installation - Docker

Run `docker-compose up` in the directory that contains `docker-compose.yml` (the repository root) and open http://localhost:3000 in your browser.

Current Vulns

  • Blind RCE
  • XSSI
  • PHAR Deserialization
  • PHP Object Injection
  • PHP Object Injection via Cookies
  • PHP Object Injection (Object Reference)
  • SSRF
  • Variable variables
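As an added illustration of the object-injection class that three of the challenges above belong to, here is a self-contained PHP script written for this page. It is not the lab's own challenge code: the `TempFileCleaner` class, the cookie format, the `|`-separated HMAC layout and the secret key are all invented for the demo, and it assumes PHP 8 or later. It shows a cookie being fed to `unserialize()`, the gadget it triggers, and a hardened loader beside it.

```php
<?php
// Added example (not LKWA code): PHP Object Injection via a cookie, and the fix.

// A perfectly ordinary-looking class with a "magic" method. Any class like this
// that is loadable by the application is a potential gadget for unserialize().
class TempFileCleaner {
    public string $path;
    public function __construct(string $path) { $this->path = $path; }
    // Runs when the object is destroyed, including objects created by unserialize().
    public function __destruct() {
        if (is_file($this->path)) {
            unlink($this->path);   // attacker controls $path -> arbitrary file deletion
        }
    }
}

// Vulnerable: trusts a client-controlled cookie as serialized PHP.
function loadPreferencesVulnerable(string $cookie): mixed {
    return unserialize(base64_decode($cookie));
}

// Hardened: authenticate the blob before parsing it, and parse it as JSON,
// a format that cannot express PHP objects at all.
function loadPreferencesHardened(string $cookie, string $key): ?array {
    $raw = base64_decode($cookie, true);
    if ($raw === false || !str_contains($raw, '|')) {
        return null;
    }
    [$mac, $payload] = explode('|', $raw, 2);          // hex HMAC never contains '|'
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;                                    // tampered or forged
    }
    $data = json_decode($payload, true);
    return is_array($data) ? $data : null;
}

// --- Demo on constructed input ---
$victim = tempnam(sys_get_temp_dir(), 'lkwa');
file_put_contents($victim, 'important');

// The attacker builds the payload offline. They do not need the class on their side,
// only its name and property layout (strlen("TempFileCleaner") == 15).
$payload = sprintf('O:15:"TempFileCleaner":1:{s:4:"path";s:%d:"%s";}', strlen($victim), $victim);
$cookie  = base64_encode($payload);

$obj = loadPreferencesVulnerable($cookie);   // object materialised, constructor never called
unset($obj);                                 // refcount hits zero -> __destruct fires
echo file_exists($victim) ? "vulnerable: file survived\n" : "vulnerable: file deleted\n";

// Same cookie against the hardened loader is rejected; a properly signed one is accepted.
$key    = 'server-side-secret';            // invented for the demo; keep real keys out of code
var_dump(loadPreferencesHardened($cookie, $key));    // NULL
$good   = json_encode(['theme' => 'dark']);
$signed = base64_encode(hash_hmac('sha256', $good, $key) . '|' . $good);
var_dump(loadPreferencesHardened($signed, $key));    // array(1) { ["theme"]=> string(4) "dark" }
```

Run it from the command line with `php demo.php`; no web server is needed because the cookie is just a string. The vulnerable branch is the whole point of the three object-injection challenges: no application code ever references `TempFileCleaner`, yet `unserialize()` instantiates whatever class name appears in the input and PHP runs its magic methods. When switching the format is not an option, `unserialize($raw, ['allowed_classes' => false])` at least turns every object into `__PHP_Incomplete_Class` so no magic methods run, but signing the blob and keeping objects out of client-controlled data is the real fix.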


Contributors

  • Edoardo Rosa (@edoz90)