Deleting data from database by user input

There are different programming languages currently in use, of which some are open source while others are proprietary. Open source basically refers to a program in which the source code is available to the public, free of cost, for use or for modification from its original design.

Here we will Deleting data from database by user input for which we will use programmatic method with the help of PHP and MYSQL .

Syntax of PHP

 <?php

 //Content goes here 

?>

deletingdata.php

<!DOCTYPE html>
<html>
<head>
<title>Deleting Data</title>

<style>

body {
	background: linear-gradient(to right, #1e5799 0%, #3ccdbb 20%, #16c9f6 100%);
	
}

.form-css
{
	top: 50%;
	left: 50%;
	transform: translate(-50%, -50%);
	position: absolute;
	background-color: white;
	border: 2px solid black;
	border-radius: 20px;
	padding: 50px;
}


.avatar-image img
{
	 justify-content: center;
	 top: 0%;
	 left: 50%;
	 transform: translate(-0%, -50%);
	position: absolute;
	border: 1px solid black;
    border-radius: 50%;	
	
}

button {
	font-family: sans-serif;
	padding: 5px;
	cursor: pointer;
}


</style>




</head>

<body>
<div class="container">

<form action="controller/deletingdata-db.php" method="POST" class="form-css">
<div class="avatar-image">
<img src="image/avatar.png"  alt="avatar">
</div>
<br />
<br />
<label>Delete Data with ID Number</label>
<br />
<br />
<input type="text" name="id" placeholder="Enter ID Number">
<br />
<br />
<button type="submit" name="submit">Deleting Data</button>

</form>
</div>

</body>
</html>

Then again we will create a new file called deletingdata-db.php and this file related with above the program for database as a mediator.

deletingdata-db.php

<?php


require_once("connectionstring.php");


$id = $_POST["id"];


if(!$conn)
{
die("Connection Problem : " . mysqli_connect_error());
}


$sql = "Delete FROM logintable WHERE id='$id'";


if(mysqli_query($conn, $sql))
{
	echo "<br>";
	echo "<br>";
    echo "It has been deleted.";
	echo "<br>";
	echo "<br>";
	echo "<a href='../gettingdata.php'>Getting Data From Database</a>";
	echo "<br>";
	echo "<br>";
	echo "<a href='../deletingdata.php'>Deleting Data From Database</a>";
 
}
else {
	echo "<br>";
	echo "<br>";
    echo "Error. This name does not have an ID in our Database : " . mysqli_error($conn);
	echo "<br>";
	echo "<br>";
	echo "<a href='../gettingdata.php'>Getting Data From Database</a>";
	echo "<br>";
	echo "<br>";
	echo "<a href='../deletingdata.php'>Deleting Data From Database</a>";
}


mysqli_close($conn);
  
 
?>

output

Explaination

=> require_once("connectionstring") - This will produce a fatal error and stop the script.

OR

=> include() - This will produce a warning and the script continue.



=> $conn is our new variable.


=> mysqli_connect() - The mysqli_connect() function attempts to open a connection to the MySQL Server running on host which can be either a host name or an IP address.


Passing the NULL value or the string "localhost" or variable name to this parameter.

Now we will check the connection whether the connection is working successfully or not!!  Actually here we will  "if and else" condition.


=> die()  - The die() function prints a message and exits the current script.


=> mysqli_connect_error() - This will produce a mysqli connection error and whats the reason of failure.


=> $sql - its a variable but in this variable we store the mysql query for select id, email
password from table according to user input ID.



=>  mysqli_query() -  mysqli_query() what it returns. The return value could be a boolean(true/false)



 

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

Fetching data from database by user input

There are different programming languages currently in use, of which some are open source while others are proprietary. Open source basically refers to a program in which the source code is available to the public, free of cost, for use or for modification from its original design.

Here we will Fetching data from database by user input for which we will use programmatic method with the help of PHP and MYSQL.

Syntax of PHP

 <?php

 //Content goes here 

?>

gettingdata.php

<!DOCTYPE html>
<html>
<head>
<title>Getting Data</title>

<style>

body {
	background: linear-gradient(to right, #1e5799 0%, #3ccdbb 20%, #16c9f6 100%);
	
}

.form-css
{
	top: 50%;
	left: 50%;
	transform: translate(-50%, -50%);
	position: absolute;
	background-color: white;
	border: 2px solid black;
	border-radius: 20px;
	padding: 50px;
}


.avatar-image img
{
	 justify-content: center;
	 top: 0%;
	 left: 50%;
	 transform: translate(-0%, -50%);
	position: absolute;
	border: 1px solid black;
    border-radius: 50%;	
	
}

button {
	font-family: sans-serif;
	padding: 5px;
	cursor: pointer;
}


</style>




</head>

<body>
<div class="container">

<form action="controller/gettingdata-db.php" method="POST" class="form-css">
<div class="avatar-image">
<img src="image/avatar.png"  alt="avatar">
</div>
<br />
<br />
<label>Enter ID Number</label>
<input type="text" name="id" placeholder="Enter ID Number">
<br />
<br />
<button type="submit" name="submit">Getting Data</button>

</form>
</div>

</body>
</html>

gettingdata-db.php

<?php


require_once("connectionstring.php");

$id = $_POST["id"];

	
	
if(!$conn)
{
	die("Connection failed : " . mysqli_connect_error());
	
}



$sql = "SELECT id, email, password FROM logintable WHERE id='$id'";

$result = $conn -> query($sql);

if($result -> num_rows > 0)
{
	//output data of each row
	while($row = $result -> fetch_assoc())
	{
		
		
	echo "id : " . $row ["id"] . " - email : " .
		$row ["email"] . " | Password : " . $row ["password"] . "<br>";
	
	echo "<br>";
	echo "<br>";
	echo "<a href='../deletingdata.php'>Deleting Data From Database</a>";
    echo "<br>";
	echo "<br>";
	echo "<a href='../gettingdata.php'>Getting Data From Database</a>";


	}
}
else {
	echo " 0 results ";
	echo "<br>";
	echo "<br>";
	echo "<a href='../deletingdata.php'>Deleting Data From Database</a>";
	echo "<br>";
	echo "<br>";
	echo "<a href='../gettingdata.php'>Getting Data From Database</a>";

}

mysqli_close($conn);
	

?>

output

Explaination

=> require_once("connectionstring") - This will produce a fatal error and stop the script.

OR

=> include() - This will produce a warning and the script continue.



=> $conn is our new variable.


=> mysqli_connect() - The mysqli_connect() function attempts to open a connection to the MySQL Server running on host which can be either a host name or an IP address.


Passing the NULL value or the string "localhost" or variable name to this parameter.

Now we will check the connection whether the connection is working successfully or not!!  Actually here we will  "if and else" condition.


=> die()  - The die() function prints a message and exits the current script.


=> mysqli_connect_error() - This will produce a mysqli connection error and whats the reason of failure.


=> $sql - its a variable but in this variable we store the mysql query for select id, email
password from table according to user input ID.


=> $result -> $conn -> query() - For successful queries which produce a result set, such
as SELECT, SHOW, DESCRIBE or EXPLAIN , mysqli_query() will return a mysqli_result object.
For other successful queries, mysqli_query() will return true .


=>  mysqli_query() -  mysqli_query() what it returns. The return value could be a boolean(true/false)


=>  mysqli_fetch_assoc() - This function fetches a result row as an associative array.
Note: Fieldnames returned from this function are case-sensitive.



 

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

There are different programming languages currently in use, of which some are open source while others are proprietary. Open source basically refers to a program in which the source code is available to the public, free of cost, for use or for modification from its original design.

Here we will create table in database section for which we will use programmatic method with the help of PHP and MYSQL .

Write a program to Add Content in Table with the help of PHP and MySQL ? 

Syntax of PHP

 <?php

 //Content goes here 

?>

<?php

require_once("connectionstring.php");

$host = 'localhost';
$user = 'root';
$pwd = '';
$db = 'loginpanel';

$conn = mysqli_connect($host, $user, $pwd, $db);

// connection check

if(!$conn)
{
	die("Connection failed : " . mysqli_connect_error());
}


$sqltable = "INSERT INTO `logintable` (`id`, `email`, `password`) 
VALUES ('3', 'kumaratuljaiswal.com@gmail.com', 'truth@.inatul#!43')";



if(mysqli_query($conn, $sqltable))
{
		echo "Adding Table Content Created Successfully";
}
else 
{
	echo "Error adding table content : " . mysqli_error($conn);
}




mysqli_close($conn);



?>

 Explaination

 => $host = 'localhost';  $host is a variable which is used to store a value like localhost and localhost
is our server.


=> $user = 'root'; $user as it same just like above the sentence but here is one difference and the difference
is that its a user like root user of our xampp machine localhost.


=> $pwd = '';   

In this variable here is empty value of $pwd variable because we dont want any type of problem means no need of authentication.


=> $db = 'loginpanel'; - Loginpanel is our database name.


Now you must be thinking what is this authentication!! dont worry click here for more information.


=> $conn is our new variable.


=> mysqli_connect() - The mysqli_connect() function attempts to open a connection to the MySQL Server running on host which can be either a host name or an IP address.


Passing the NULL value or the string "localhost" or variable name to this parameter.

Now we will check the connection whether the connection is working successfully or not!!  Actually here we will  "if and else" condition.


=> die()  - The die() function prints a message and exits the current script.


=> $sqltable - its a variable but in this variable we store the mysql query for inserting content in  table
according to our demand.


=>  mysqli_query() -  mysqli_query() what it returns. The return value could be a boolean(true/false)

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

There are different programming languages currently in use, of which some are open source while others are proprietary. Open source basically refers to a program in which the source code is available to the public, free of cost, for use or for modification from its original design.

Here we will create table in database section for which we will use programmatic method with the help of PHP and MYSQL .

Write a program to create a Table and its column with the help of PHP and MySQL ? 

Syntax of PHP

 <?php

 //Content goes here 

?>

<?php

$host = 'localhost';
$user = 'root';
$pwd = '';
$db = 'loginpanel';

$conn = mysqli_connect($host, $user, $pwd, $db);



if(!$conn)
{
	die("Network Problem");
	
}

$sql = "CREATE TABLE `loginpanel`.`logintable` ( `id` INT NULL AUTO_INCREMENT , `email` VARCHAR(50) NOT NULL , 
           `password` VARCHAR(100) NOT NULL , PRIMARY KEY (`id`))";
		 

$result = mysqli_query($conn, $sql);

if($result) 
{
	echo  "The table has been created successfully";
}
else {
	echo "The table has not been created because of this error ---> " .mysqli_error($conn);
}


?>

 Explaination

 => $host = 'localhost';  $host is a variable which is used to store a value like localhost and localhost
is our server.


=> $user = 'root'; $user as it same just like above the sentence but here is one difference and the difference
is that its a user like root user of our xampp machine localhost.


=> $pwd = '';   

In this variable here is empty value of $pwd variable because we dont want any type of problem means no need of authentication.


=> $db = 'loginpanel'; - Loginpanel is our database name.


Now you must be thinking what is this authentication!! dont worry click here for more information.


=> $conn is our new variable.


=> mysqli_connect() - The mysqli_connect() function attempts to open a connection to the MySQL Server running on host which can be either a host name or an IP address.


Passing the NULL value or the string "localhost" or variable name to this parameter.

Now we will check the connection whether the connection is working successfully or not!!  Actually here we will  "if and else" condition.


=> die()  - The die() function prints a message and exits the current script.


=> $sql - its a variable but in this variable we store the mysql query for creating a table and its column
according to our demand.


=>  mysqli_query() -  mysqli_query() what it returns. The return value could be a boolean(true/false)

Simply run in your favourite browser by xampp server

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

There are different programming languages currently in use, of which some are open source while others are proprietary. Open source basically refers to a program in which the source code is available to the public, free of cost, for use or for modification from its original design.

Here we will create database for which we will use programmatic method with the help of PHP and MYSQL .

Write a program to create a Database with the help of PHP and MySQL ? 

 Syntax of PHP

 <?php

 //Content goes here 

?>

NOTE - // double forward slash is the comment in PHP.

<?php

$host = 'localhost';
$user = 'root';
$pwd = '';

$conn = mysqli_connect($host, $user, $pwd);



if(!$conn )
{
	die("Connection failed : " . mysqli_connect_error());
}


$sql = "CREATE DATABASE loginpanel";

if(mysqli_query($conn, $sql))
{
	echo "Database created successfully";
}
else {
	echo "Error Creating Database : " . mysqli_errno($conn);
}
mysqli_close($conn);


?>

Explaination

=> $host = 'localhost';  $host is a variable which is used to store a value like localhost and localhost
is our server.


=> $user = 'root'; $user as it same just like above the sentence but here is one difference and the difference is that its a user like root user of our xampp machine localhost.


=> $pwd = '';   

In this variable here is empty value of $pwd variable because we dont want any type of problem means no need of authentication.

Now you must be thinking what is this authentication!! dont worry click here for more information.

=> $conn is our new variable.


=> mysqli_connect() - The mysqli_connect() function attempts to open a connection to the MySQL Server running on host which can be either a host name or an IP address.

Passing the NULL value or the string "localhost" or variable name to this parameter.

Now we will check the connection whether the connection is working successfully or not!!  Actually here we will  "if and else" condition.

=> die()  - The die() function prints a message and exits the current script.

=> mysqli_connect_error() - PHP mysqli_connect_error() function returns an string value representing the description of
the error from the last connection call, incase of a failure. If the connection was successful
this function returns Null.

=>  mysqli_error()  - The mysqli_error() function is used to return the error in the most recent MySQL function call that failed.

=>  mysqli_query()-  mysqli_query() what it returns. The return value could be a boolean(true/false)

=>  mysqli_close() - The close() / mysqli_close() function closes a previously opened database connection.

Simply run in your favourite browser by xampp server

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

Get started with Cyber Security in 25 days, by learning the basics and completing a new, beginner friendly security exercise every day leading up until Christmas; an advent calendar but with security challenges and not chocolate.


Hey Guys! Sorry for the delay but, we are back with Day 6 of the “ Advent of Cyber” event by TryHackMe. If you haven’t solved the Day 5 challenge click here.


This challenge is again based on Web Exploitation and the task is named

Patch Management is Hard

DAY 6

Story


During a routine security audit before the Incident, McSkidy discovered some recovery passwords on an old server. She created a ticket to decommission this server to reduce this security vulnerability. The Elf assigned to fix this vulnerability kept pushing off the task, and this never got done. Luckily, some of those recovery keys can be used to save some systems.

Unfortunately, the only way to access the server is through an old web application. See if you can pull out those recovery keys to help McSkidy with her pursuit to save Christmas.



Learning Objectives of the day

1.     What is LFI?
2.     How to perform LFI?
3.     How to elevate from LFI to RCE?

Let us understand the concepts targeted for today first!

What is LFI?

An LFI vulnerability is found in various web applications. As an example, in the PHP, the following functions cause this kind of vulnerability:

1.     include
2.     require
3.     include_once
4.     require_once

    
    

It is a web application vulnerability that allows the attacker to include and read local files on the server. These files could contain sensitive data such as cryptographic keys, databases that contain passwords, and other private data. An LFI vulnerability happens due to a developer’s lack of security awareness. In some cases, developers need to include the content of other local files within a specific page. Suppose a developer includes files without proper input validation. In that case, the LFI vulnerability will exist as a developer should never trust user input and keep all inputs from users to be filtered and sanitized. The main issue of these vulnerabilities is the lack of input validation, in which the user inputs are not sanitized or validated, and the user controls them.


You should read the content given with the challenge for the best understanding of LFI



Q1.Deploy the attached VM and look around. What is the entry point for our web application?

Ans :- err

Q2.Use the entry point to perform LFI to read the /etc/flag file. What is the flag?

We first go to our entry point and replace the error.txt file with ‘/etc/passwd’ file just to check if we can get it!

root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh mysql:x:101:102:MySQL Server,,,:/nonexistent:/bin/false 

Yes we have access, but normally we shouldn’t have that!

Now we check for /etc/flag and voila!

Ans :- THM{d29e08941cf7fe41df55f1a7da6c4c06}

Q3.Use the PHP filter technique to read the source code of the index.php. What is the $flag variable’s value?

We use the PHP filter technique to read the code for index.php by using :

php://filter/convert.base64-encode/resource=

https://10-10-247-133.p.thmlabs.com/index.php?err=php://filter/convert.base64-encode/resource=index.php

Once we find the base64 encoding for it, we go to https://www.base64decode.org/ and decode it for our answer!

Or

You can use the base64 command in terminal...


echo "aplhanumeric character" | base64 -d

echo "PD9waHAgc2Vzc2lvbl9zdGFydCgpOwokZmxhZyA9ICJUSE17NzkxZDQzZDQ2MDE4YTBkODkzNjFkYmY2MGQ1ZDllYjh9IjsKaW5jbHVkZSgiLi9pbmNsdWRlcy9jcmVkcy5waHAiKTsKaWYoJF9TRVNTSU9OWyd1c2VybmFtZSddID09PSAkVVNFUil7ICAgICAgICAgICAgICAgICAgICAgICAgCgloZWFkZXIoICdMb2NhdGlvbjogbWFuYWdlLnBocCcgKTsKCWRpZSgpOwp9IGVsc2UgewoJJGxhYk51bSA9ICIiOwogIHJlcXVpcmUgIi4vaW5jbHVkZXMvaGVhZGVyLnBocCI7Cj8+CjxkaXYgY2xhc3M9InJvdyI+CiAgPGRpdiBjbGFzcz0iY29sLWxnLTEyIj4KICA8L2Rpdj4KICA8ZGl2IGNsYXNzPSJjb2wtbGctOCBjb2wtb2Zmc2V0LTEiPgogICAgICA8P3BocCBpZiAoaXNzZXQoJGVycm9yKSkgeyA/PgogICAgICAgICAgPHNwYW4gY2xhc3M9InRleHQgdGV4dC1kYW5nZXIiPjxiPjw/cGhwIGVjaG8gJGVycm9yOyA/PjwvYj48L3NwYW4+CiAgICAgIDw/cGhwIH0KCj8+CiA8cD5XZWxjb21lIDw/cGhwIGVjaG8gZ2V0VXNlck5hbWUoKTsgPz48L3A+Cgk8ZGl2IGNsYXNzPSJhbGVydCBhbGVydC1kYW5nZXIiIHJvbGU9ImFsZXJ0Ij5UaGlzIHNlcnZlciBoYXMgc2Vuc2l0aXZlIGluZm9ybWF0aW9uLiBOb3RlIEFsbCBhY3Rpb25zIHRvIHRoaXMgc2VydmVyIGFyZSBsb2dnZWQgaW4hPC9kaXY+IAoJPC9kaXY+Cjw/cGhwIGlmKCRlcnJJbmNsdWRlKXsgaW5jbHVkZSgkX0dFVFsnZXJyJ10pO30gPz4KPC9kaXY+Cgo8P3BocAp9Cj8+</div>" | base64 -d

Answer :-  THM{791d43d46018a0d89361dbf60d5d9eb8}

Q4.McSkidy forgot his login credential. Can you help him to login in order to recover one of the server’s passwords?

Now that you read the index.php, there is a login credential PHP file’s path. Use the PHP filter technique to read its content. What are the username and password?

Using the same base64 encoding of index.php file, we also see that there is ./includes/creds.php which has the credentials.

https://10-10-231-193.p.thmlabs.com/index.php?err=php://filter/convert.base64-encode/resource=./includes/creds.php

We do the same process and use the PHP filter process to go to this file and then decode it and get the credentials!

Answer:- McSkidy:A0C315Aw3s0m

Q5.Use the credentials to login into the web application. Help McSkidy to recover the server’s password. What is the password of the flag.thm.aoc server?

We have the username and password, we login and we see a fe options!

We know we have to recover the password, so we go on password recovery

Answer:- THM{552f313b52e3c3dbf5257d8c6db7f6f1}

Q6.The web application logs all users’ requests, and only authorized users can read the log file. Use the LFI to gain RCE via the log file page. What is the hostname of the webserver? The log file location is at ./includes/logs/app_access.log.

We send in a CURL command in order to test the logs and see how it shows.


curl -A "TESTIN TESTING" http://10-10-88-123.p.thmlabs.com/login.php

the “-A” option helps us set the User Agent and we see TESTIN TESTING as user agent


Now, we do the same, instead with a little php payload to display the phpinfo!

Now to check the log file we need to go to “./includes/logs/app_access.log”, but, for that, we need to go to another window where we a re not logged in to actually check it!

And we see the PHP info file in the logs!!!!!

We can see the hostname directly in the phpinfo in the System column

Answer:- lfi-aoc-awesome-59aedca683fff9261263bb084880c965


The question does ask for RCE, but the this task can be completed without RCE!

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

We are back with Day 5 of the “ Advent of Cyber” event by TryHackMe. If you haven’t solved the Previous Day challenge click here.

This challenge is again based on Web Exploitation and the task is named Pesky Elf Forum. TryHackMe Web Exploitation Pesky Elf Forum XSS

Learning Objectives:

• What is an XSS vulnerability?
• What Types of XSS vulnerabilities are there?
• Challenge Walkthrough.

What is an XSS vulnerability?


Cross-Site Scripting, better known as XSS in the cybersecurity community, is classified as an injection attack where malicious JavaScript gets injected into a web application with the intention of being executed by other users.


If you can get JavaScript to run on a victim’s computer, there are numerous things you can achieve. This can range from stealing the victim’s cookies to take over their session, running a keylogger that will log every key the user presses on their keyboard while visiting the website, redirecting the user to a totally different website altogether or performing some kind of action on the website such as placing an order, or resetting their password etc.

What types of XSS vulnerabilities are there?

1. DOM
2. Reflected
3. Stored
4. Blind

Let’s Get Started..

1. What flag did you get when you disabled the plugin?

Login using Username: McSkidy Password: password

Leave a comment on any post as Follow <a href="https://www.kumaratuljaiswal.in">kumaratuljaiswal.in</a>


 

Once your comment is posted, you’ll see that the word ‘kumaratuljaiswal.in’ has been underlined.

This means the comment is reflected as you wrote it without the underline HTML tags being stripped out. As this isn’t being stripped out, you can try the HTML script tags instead to see if the website will run any JavaScript that is entered.



Using the URL, you found earlier for changing the user’s password, you can try the following payload:


<script>fetch('/settings?new_password=pass123');</script>

 

The <script> tag tells the browser we want to run some JavaScript, and the fetch command makes a network request to the specified URL.

After posting the above as a comment, you could view the webpage source to see whether it has been shown correctly. The screenshot below shows us that the script tags aren’t being stripped out or disabled and, in fact, are working:


 

Now that we have this XSS running on the forum, it means that any logged in users viewing the thread will automatically have their password changed to pass123. So let’s log out and see if the Grinch has visited the thread by trying to log in as them (It may take up to a minute before the Grinch visits the page and their password changes).

Username: grinch

Password: pass123

Once logged in, go to the settings page again, and this time, you’ll discover another feature with the option to disable the Christmas to Buttmas plugin.


 

Disable the plugin, and you’ll be awarded a flag.

Done :-)

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.