Differences
This shows you the differences between two versions of the page.
|
isc:labs:07 [2024/11/18 09:50] florin.stancu |
isc:labs:07 [2025/11/17 10:35] (current) florin.stancu |
||
|---|---|---|---|
| Line 126: | Line 126: | ||
| </code> | </code> | ||
| * Connect to the application using [[http://localhost:8080/]] (assuming you forwarded the port correctly) | * Connect to the application using [[http://localhost:8080/]] (assuming you forwarded the port correctly) | ||
| + | * Note:if you're running this inside WSL2, replace localhost with the IP address of the VM: ''ip addr show''! | ||
| * Login with ''test:test''; you fail to get any flag... try to become ''admin''! | * Login with ''test:test''; you fail to get any flag... try to become ''admin''! | ||
| * The most common approach when testing for SQL Injection is to input an apostrophe (''%%'%%'') in any of the provided fields ([[https://security.stackexchange.com/questions/67972/why-do-testers-often-use-the-single-quote-to-test-for-sql-injection]]) | * The most common approach when testing for SQL Injection is to input an apostrophe (''%%'%%'') in any of the provided fields ([[https://security.stackexchange.com/questions/67972/why-do-testers-often-use-the-single-quote-to-test-for-sql-injection]]) | ||
| Line 149: | Line 150: | ||
| To workaround that, simply change XSS injection strategy to use ''onerror'' attribute on a invalid image, e.g.: | To workaround that, simply change XSS injection strategy to use ''onerror'' attribute on a invalid image, e.g.: | ||
| ''%%<img src='/404' onerror='alert("hello")'>%%'' | ''%%<img src='/404' onerror='alert("hello")'>%%'' | ||
| + | </note> | ||
| + | <note warning> | ||
| + | DO NOT EDIT the entire ''%%<div class="ql-editor" contenteditable="true">%%'' element! The JavaScript WISIWYG editor has internal reference to this node, and if you invalidate it, the editor will become broken (and the exploit won't work!!!). | ||
| + | |||
| + | The proper way is to choose a inner ''%%<p>%%'' (just write some random text inside the editor beforehand) and edit that instead! | ||
| </note> | </note> | ||
| Line 157: | Line 163: | ||
| * Unfortunately, **there's no flag for this one**, you just need to prove you modified the slogan using XSS! | * Unfortunately, **there's no flag for this one**, you just need to prove you modified the slogan using XSS! | ||
| - | <spoiler You you've never used JS DOM API: expand> | + | <spoiler If you've never used JS DOM API: expand> |
| <code html> | <code html> | ||
| // note: you need to concatenate this as a one-liner when injecting as 'onerror' | // note: you need to concatenate this as a one-liner when injecting as 'onerror' | ||
| Line 221: | Line 227: | ||
| * Once you found it, try to find the hidden source code flag! | * Once you found it, try to find the hidden source code flag! | ||
| * Hint: try to guess the path to a [[https://docs.npmjs.com/files/package.json|well-known file]] that all NodeJS projects have! It may reference the main script's name! | * Hint: try to guess the path to a [[https://docs.npmjs.com/files/package.json|well-known file]] that all NodeJS projects have! It may reference the main script's name! | ||
| - | * You can try using a tool: [[https://cirt.net/nikto2|nikto]], ''apt install nikto'' | + | * You can try using a dirbuster-like tool: [[https://github.com/OJ/gobuster|gobuster]] (+ a web sites [[https://github.com/danielmiessler/SecLists|word list]]) |
| <solution -hidden> | <solution -hidden> | ||
