in this repository i write the solutions for the hacker101 challenges. If you have some better solutions, feel free to share!
Note: for those challenges you should use web browser without XSS auditor. I used firefox.
I might miss some exploits, so feel free to suggest some
- CSRF:
Viewing the page source, there is no CSRF protection. so we can create POC of CSRF for sending money to our account.
you use burp/any other tool for that. - IDOR:
Looking at the transfer money request, we see there are "to" and "amount" fields. if we intercept the request, and change the "to" to our bank id, and add
from=1in the body payload, we can transfer money from the bank account with the id 1 to our account. - Reflected XSS:
Clicking on the
personal payment link, we navigate to a site with url paramto, and the value of this to param is inside theDestination accountinput. But, this field is not vulnerable to XSS (or at least i didnt succeed to).
But, adding to the url...&amount=value, we see that this value is in the amount field. so using the payload...&amount="><img src="/" onerror="alert(1)", will result in alert popup. - Reflected XSS:
Using the same payload we used in 3, we place this payload in amount input field and press
Transfer. it will result in validation error about not being integer, and an alert popup.
(They wrote in the source that they have 4 vulns. im not sure if this is the 4th, but i couldnt find anything else. so if you found something else, lmk)
- CSRF: Althought there is a csrf token in the post comment, the backend only validates the token length (32). so passing any string with the same length, will result in succesfully csrf vulnerability.
- Stored XSS:
Following the first comment we see, it looks like every link in the comment becomse
<a>.
So using the payloadhttp://a.b.c"/onmouseover="alert(1), when user will hover his mouse over our comment, the script will be executed. - Forced Browsing:
Clicking the
Permalinkfor any comment, will navigate us to/post?id=1337(real story with the 1337
Changing the id to any other id, will allow us to see what posts other users wrote.
Moreover, passing an id that is not exist in the system, will allow us to see the Trceback. - Im not sure what is the fourth vuln (they wrote there are 4). I didnt succeed to find another XSS vuln, so my guess is the 4th is csrf for post details.
- Stored XSS:
We can run code through the description of the user. if we change it to something like
... [green"onmouseover="alert(1)" | text1 ] ..., mouse hovering the text1 will result in alert popup. - Stored XSS:
We can run code using the Profile picutre URL. notice that it validate that the URL ends in PNG/JPG/ICO, so using the payload
"><img src="/" onerror="alert(1)" a=".pngwill result in alert popup when we look at our profile. - Stored XSS: The same as 2, but when we are in the edit page.
- Reflected XSS:
Pressing the
Link to your profilelink will navigate us to a page with the url...?id=OUR_ID. changing this id toblablabla, will lead us to page which reflects our blablabla id. so using the url?id=a<script>alert(1)</script>will lead to XSS. - Reflected XSS:
In the edit profile, there is
idurl param. this id is reflected to theactionattribute in the form tag.
changing the URL to...?id=1"><img src="/" onerror="alert(1), will result in the alert popup. - Unrelated Bonus:
Ok, so they wrote there is this "Unrelated Bonus", so im not sure this is the vuln, but i couldnt find anything better:
We can place any domain in the image url, which allows us to serve an image with malicious payload that contain js.
- Improper Authorization:
Looking at the source code, it seems that the code will show
<a>if the user has a cookie withadmin=1value in it.
So after changing the admin=0 to admin=1 in the cookie, a new link appear. - Stored XSS:
After clicking the
Edit pagelink, we can edit the page title and body.
placing in both the payload<h1>a</h1>, shows that the body is vulnerable to XSS, but it blocks the<script>tag.
so using the payload<img src="/" onerror="alert(1)">, we succesfully see the alert popup. - Stored XSS:
Looking at the page source, we can see that the
<title>tag contains the page title (the one we can edit).
so changing the title to</title><script>alert(1)</script>, will result in succesfull XSS. - CSRF: The edit page form has no CSRF defense mechanism.
Sorry, but i didnt do this level. when i entered the challenge, i got like 10 alerts. seems like there is no sandbox for each user, so i prefered to move on to the next challenges.
- Reflected XSS:
Clicking on the
ebooks/link, we navigate toURL?path=/ebooks, and we have a title in the documentDocument Repository -- /ebooks/. this looks like an options for reflected XSS, and indeed it is.
changing the path url param to<script>alert(1)</script>, we will see the alert popup. - Path Traversal:
Seems like the site lists the files in the directory we supply through "path" url param.
Changing the path to../../../../../../../../etc, will list all the files in this dirctory.
tip: when you are in the root, you can keep do more '../'s. if you are already in the root dir, you will still be in the root dir. so when you have path traversal, just do some more ../ to be more sure you reach the root dir - Command injection:
It looks like
Search in directoryform search inside all the files in the current dir for the string we pass. so i looked at google forlinux search string in files, and seems like the command it run on the server is something likegrep -rnw 'DIRECTORY' -e 'TEXT_TO_SAERRCH'.
Moreover, seems like if no matches were found, it returns empty page. so to exploit this feature, i used the payloadq" && ls -la", and on the bottom of the list i indeed saw a result ofls -lacommand.
- Reflected XSS:
Using the filter input, we see the value we place there will be shown to the url in the next screen. so using malicious payload, like
a"><img src="/" onerror="alert(1)", will resolve in a message alert - Stored XSS:
Let's try to check the firstname & lastname fields of the students.
In edit page, those values are placed in input tags. if we place malicious payload"><img src="/" onerror="alert(1)">in the last name and submit, the next time we will edit this same student, we will have an alert popup. - SQL Injection:
The filter form is vulnerabile to SQLi, using the payloads
qq' OR 1='1--will result in returning all the students. - CSRF: The filter form has no CSRF token, you can easily generate CSRF page (using burp/any other tool) and see it.
- IDOR (Not listed in the vuln list):
When we go to the edit student list, the student id is passed through the url param.
Changing the id to an id that is not listed in our students table, like1111, will result in a student data, probably there are students for every one who try to solve this challenge. we will not be able to edit the student details, but still we can see it.
- Reflected XSS:
So the first thing we will try is XSS.
Password field was vulnerable to XSS; using the payload"><img src="/" onerror="alert(1), i've succesfully saw the alert popup. - SQL Injection:
We will use the default admin value that we had, and using random password, we will get the informative 'Invalid password', and using username other than
admin, we getUser does not exist.
using the payloadQQ' OR 1='1--, we get the message 'Invalid password', which means we bypassed the username filter in the sql query.
using the payload'as the username, we can see the sql query; It tries to get the password of the user with the username we pass. so, using the payload=QQ' UNION SELECT '12345, we return to the query result the password '12345', and if we send this password in the form, we bypass the authentication
- Reflected XSS:
The mime type value is vulnerable to reflected XSS. intercepting the request and changing the Content-Type from
image/jpeg(or whatever file type you try to upload) toContent-Type: image/jpeg<img/src="a/"/onerror="console.log(1)">will result in XSS