Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


Posted by loope at 2020-03-29

This article continues from the previous one and moves on to the next set of levels. Readers who want to know how to set up the environment can refer to the first article. Link: hacker game

0x02 Playing

Order the 2014 Christmas special offer

The task is to add the 2014 Christmas special to the cart. First, try the search function: as before, a single quotation mark triggers a SQL error, and the error message shows the complete query statement.

Add the item to the cart, then check out, and the level is passed.

Level 14: Reset Jim's password

The task is to reset Jim's password through the forgot-password function by answering his security question correctly. Using the forgot-password function shows that Jim's security question is "Your eldest sibling's middle name?"

Level 15: Login Jim

The task is to log in with Jim's account. You can either log in with the password reset above, or log in by constructing a universal password (SQL injection login bypass) for Jim's account.

Level 16: Login Bender

The task is to log in with Bender's account. Construct a universal password for Bender's account to log in.

Level 17: XSS Tier 2

The task is to construct a stored cross-site scripting payload using <script>alert("xss2")</script>. The first idea was to write the payload into the database through the stored fields, but those turned out to be filtered. Finally, the payload can be written to the database through the account registration form.

Level 18: XSS Tier 3

The task is to construct a stored cross-site scripting payload using <script>alert("xss3")</script> that is displayed not only on the first page. (The translation is a bit strange and my English isn't good, please forgive me.) This level reads rather obscurely and it's unclear what to do, so I went to look at the official instructions and followed the official method, and Brother Doo's environment crashed!!! I tried 5-6 times and ended up crashing too. The official solution is shared here:

1. Log in with any account.

2. Use Burp to capture the Authorization HTTP header.

3. POST the following data to http://192.168.239.128:3000/api/products: {"name":"xss3","description":"<script>alert(\"xss3\")</script>","price":47.11}. Note that the Authorization header must be included.

4. A pop-up box may appear in the search area.

5. Click the new xss3 product description to see the pop-up box.

This one is a bit endless. The page for this new product feels like it would take a code audit to find. Readers with different ideas or opinions after finishing this level are welcome to discuss them with Brother Doo.
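What closes levels 17 and 18 is shown below as an added example; it is not code from the original post or from the application being attacked. The product shape {name, description, price} is the one posted to /api/products in the official solution; the rendering function, the validation limits and the admin-only rule are assumptions about how a fixed application would handle that request.

```javascript
// Added example (not from the original post): output encoding and API-side
// validation for the stored XSS in levels 17 and 18. The product shape is the
// one posted above; everything else is an assumption.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding: every untrusted string is escaped at the point it is put
// into HTML, so "<script>" arrives in the page as text, not as an element.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The stored value is rendered through escapeHtml on every view that shows it
// (search results, product detail). Level 18 exists because escaping on the
// first page only leaves the other views exploitable.
function renderProductCard(product) {
  const price = Number(product.price).toFixed(2);
  return '<div class="product">' +
    `<h3>${escapeHtml(product.name)}</h3>` +
    `<p>${escapeHtml(product.description)}</p>` +
    `<span>${escapeHtml(price)}</span>` +
    '</div>';
}

// Defense in depth at the API: the authenticated POST from the official
// solution should also be authorized (assumed: only admins create products)
// and its fields validated. Limits are constructed for this example.
function validateProductInput(body, user) {
  const errors = [];
  if (!user || user.role !== 'admin') errors.push('forbidden: product creation requires admin');
  if (typeof body.name !== 'string' || body.name.length === 0 || body.name.length > 100) errors.push('name: 1-100 chars');
  if (typeof body.description !== 'string' || body.description.length > 1000) errors.push('description: string up to 1000 chars');
  if (/<\s*\/?\s*[a-z]/i.test(body.description || '')) errors.push('description: markup is not accepted');
  if (typeof body.price !== 'number' || !(body.price > 0)) errors.push('price: positive number');
  return { ok: errors.length === 0, errors };
}

// Stand-alone run: the payload from the level renders as inert text.
console.log(renderProductCard({ name: 'xss3', description: '<script>alert("xss3")</script>', price: 47.11 }));
```

Escaping on output is the control that actually neutralises the stored payload; the input validation only narrows what gets stored and is easy to get wrong on its own, so it is added as a second layer rather than a replacement.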

Level 19: User credentials

The task is to list usernames and passwords via SQL injection. First, the SQL error at the login form reveals information about the user table, and from the registration form it is clear that the user table has columns such as id (user ID), email (username) and password. The SQL injection in the search function echoes results on the page, so usernames and passwords can be extracted with a UNION query. By testing the number of columns and which of them are echoed, it turns out there are 8 columns, and columns 2, 3 and 4 are displayed on the page.

Put the column names into the echoed positions to display the usernames and passwords.
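The search and login injections in the Christmas-offer level, levels 15 and 16, and level 19 all come from the same query shape. The example below is added here and is not code from the original post or from the application; it shows that shape beside its parameterized form, the error response that should replace the leaked statement, and a log check that surfaces the same probing. Table and column names other than email and password, the route /api/products/search?q=, and the access-log lines are constructed assumptions.

```javascript
// Added example (not from the original post): why the search and login
// queries are injectable, their parameterized equivalents, and a log check.
// Table names, the search route and the log lines are assumptions.

// Vulnerable shape: user input is spliced into the SQL text, so a single
// quote ends the literal and the rest of the input becomes SQL.
function buildSearchQueryUnsafe(q) {
  return `SELECT * FROM Products WHERE name LIKE '%${q}%'`;
}
function buildLoginQueryUnsafe(email, password) {
  return `SELECT * FROM Users WHERE email = '${email}' AND password = '${password}'`;
}

// Hardened shape: the SQL text is constant; values travel separately as bind
// parameters, so a quote in the input is just a character inside a value.
function buildSearchQuerySafe(q) {
  return { sql: 'SELECT * FROM Products WHERE name LIKE ?', params: [`%${q}%`] };
}
function buildLoginQuerySafe(email, password) {
  return { sql: 'SELECT * FROM Users WHERE email = ? AND password = ?', params: [email, password] };
}

// Error handling: the levels above are solvable because the failing statement
// is returned to the browser. Log the detail server-side, answer generically.
function sqlErrorResponse(err, log = () => {}) {
  log(`search query failed: ${err.message}`);
  return { status: 500, body: { error: 'search failed' } };
}

// Detection over access logs. Lines are constructed for this example; the
// route /api/products/search?q= is an assumption about the app.
const SAMPLE_ACCESS_LOG = [
  '10.0.0.5 - - [29/Mar/2020:10:00:01 +0000] "GET /api/products/search?q=apple HTTP/1.1" 200',
  '10.0.0.6 - - [29/Mar/2020:10:00:02 +0000] "GET /api/products/search?q=O%27Brien HTTP/1.1" 200',
  '10.0.0.7 - - [29/Mar/2020:10:00:03 +0000] "GET /api/products/search?q=apple%27 HTTP/1.1" 500',
  '10.0.0.7 - - [29/Mar/2020:10:00:09 +0000] "GET /api/products/search?q=x%27%20UNION%20SELECT%201%2C2 HTTP/1.1" 200',
];

function parseSearchLine(line) {
  const m = line.match(/"GET \/api\/products\/search\?q=([^ "]*) HTTP\/[\d.]+" (\d{3})/);
  if (!m) return null;
  let q;
  try { q = decodeURIComponent(m[1]); } catch (e) { q = m[1]; } // malformed escape: keep raw
  return { q, status: Number(m[2]) };
}

// A lone quote is common in honest searches (O'Brien), so it is flagged only
// when the request also failed; a UNION SELECT keyword is flagged on its own.
function flagSuspiciousSearches(logLines) {
  const hits = [];
  for (const line of logLines) {
    const rec = parseSearchLine(line);
    if (!rec) continue;
    const hasUnion = /\bunion\s+(all\s+)?select\b/i.test(rec.q);
    const brokeQuery = rec.q.includes("'") && rec.status === 500;
    if (hasUnion) hits.push({ q: rec.q, reason: 'union-select' });
    else if (brokeQuery) hits.push({ q: rec.q, reason: 'quote-with-error' });
  }
  return hits;
}

// Stand-alone run: two of the four constructed lines are flagged.
console.log(flagSuspiciousSearches(SAMPLE_ACCESS_LOG));
```

The quote-plus-500 rule keys on exactly the symptom the walkthrough relies on (a quote producing a database error), so it is a cheap signal that the search endpoint is both being probed and still leaking; once the query is parameterized the 500s disappear and the UNION rule remains as the indicator of interest.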

Level 20: Forged feedback

The task is to post a comment under someone else's name. After logging in, intercept the feedback request and change the userId in it to post the comment as another user.

Level 21: Payback time

The task: the more you order, the richer you get. At first sight it is clear that there is a problem with the transaction handling, so either the order quantity or the amount can presumably be changed to a negative number. After testing, the order quantity can be changed to a negative number.
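Levels 20 and 21 are both the server trusting a value the client had no business choosing: the userId on a comment, and the quantity in the basket. The handlers below are an added example, not code from the original post or the application; the request shape (req.user filled in from the verified token, req.body holding userId, productId, quantity and comment), the in-memory stores and the quantity bound are all assumptions.

```javascript
// Added example (not from the original post): server-side handling that
// closes levels 20 and 21. Request shape, stores and limits are assumptions.

// Level 20: identity comes from the verified session/token, never from the
// body. A client-supplied userId is ignored and its presence is logged,
// because an honest client never needs to send it.
function createFeedback(req, store, log = () => {}) {
  if (!req.user) return { status: 401, body: { error: 'login required' } };
  if (req.body.userId !== undefined && req.body.userId !== req.user.id) {
    log(`feedback: client sent userId=${req.body.userId} but token is user ${req.user.id}`);
  }
  const comment = String(req.body.comment || '').slice(0, 500);
  const feedback = { userId: req.user.id, comment };
  store.push(feedback);
  return { status: 201, body: feedback };
}

// Level 21: quantity must be a positive integer within a sane bound before it
// touches the basket or the total; -5, 2.5 and the string "3" all fail.
const MAX_QUANTITY = 100; // constructed limit
function parseQuantity(value) {
  if (typeof value !== 'number' || !Number.isInteger(value)) return null;
  if (value < 1 || value > MAX_QUANTITY) return null;
  return value;
}

function addToBasket(req, basket) {
  if (!req.user) return { status: 401, body: { error: 'login required' } };
  const quantity = parseQuantity(req.body.quantity);
  if (quantity === null) {
    return { status: 400, body: { error: `quantity must be an integer between 1 and ${MAX_QUANTITY}` } };
  }
  const item = { productId: String(req.body.productId), quantity };
  basket.push(item);
  return { status: 201, body: item };
}

// The total is computed from server-side prices (in cents, to avoid float
// drift) and the validated quantities only; nothing from the client is summed.
function basketTotalCents(basket, priceCents) {
  return basket.reduce((sum, item) => sum + priceCents[item.productId] * item.quantity, 0);
}

// Stand-alone run: the forged userId is dropped, the negative quantity refused.
const demoStore = [];
console.log(createFeedback({ user: { id: 7 }, body: { userId: 1, comment: 'great' } }, demoStore, console.log));
console.log(addToBasket({ user: { id: 7 }, body: { productId: 'p1', quantity: -5 } }, []));
```

The log line in createFeedback is the detection hook: a request carrying a userId that differs from the token's subject is exactly the level 20 manipulation, and it costs nothing to record.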

Level 22: Forgotten developer backup

The task is to access a backup file that the developers forgot about. This level immediately brings to mind the FTP directory from the earlier article.
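The defender's side of level 22 is twofold: serve only the file types the public directory is meant to offer, and catch leftover backups before they are deployed. The two functions below are an added example, not code from the original post or the application; the allowed extensions, the flat-directory rule and the directory listing are constructed assumptions.

```javascript
// Added example (not from the original post): a servable-file check and a
// scan for forgotten backups in a public (FTP-style) directory. Allowed
// extensions, the flat-directory rule and the listing are assumptions.

const SERVABLE_EXTENSIONS = new Set(['.md', '.pdf']);
const BACKUP_PATTERNS = [
  /\.bak$/i,                     // editor/backup copies
  /\.(old|orig|swp)$/i,
  /~$/,                          // emacs-style backups
  /\.(zip|tar|tgz|tar\.gz|7z)$/i, // archives dropped in the web root
  /\.sql$/i,                     // database dumps
];

// Allow only a bare file name (no directories, no absolute paths, no
// traversal, no dotfiles, no backslashes or NUL) with a listed extension.
// Extension is taken from the last dot, so "config.md.bak" is refused.
function isServable(requested) {
  if (typeof requested !== 'string' || /[\\\0]/.test(requested)) return false;
  const parts = requested.split('/');
  if (parts.length !== 1) return false;
  const base = parts[0];
  if (base === '' || base.startsWith('.')) return false;
  const dot = base.lastIndexOf('.');
  const ext = dot === -1 ? '' : base.slice(dot).toLowerCase();
  return SERVABLE_EXTENSIONS.has(ext);
}

// Inventory check for the deploy pipeline: names under the public root that
// look like backups or archives and should not be there at all.
function findExposedBackups(listing) {
  return listing.filter((name) => BACKUP_PATTERNS.some((re) => re.test(name)));
}

// Constructed directory listing for the stand-alone run.
const CONSTRUCTED_LISTING = [
  'readme.md', 'terms.pdf', 'config.json.bak', 'db-backup-2019.sql',
  'site.zip', 'notes.md~', '.htpasswd',
];

console.log(findExposedBackups(CONSTRUCTED_LISTING));
```

An allowlist on extension refuses the forgotten file even when it sits next to legitimate documents, whereas a denylist of backup suffixes is only as good as its last entry; the scan is still worth running so the file is removed rather than merely hidden.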

0x03 To be continued

Reference link: https://github.com/bkimminich/pwning-justice-shop/blob/master/part2/readme.md