Aleyna
This website has an unauthenticated admin panel at /admin, but a front-end system has been configured to block external access to that path. However, the back-end application is built on a framework that supports the X-Original-URL header. To solve the lab, access the admin panel and delete the user carlos. Lab link. We try to access the /admin URL. …
Lab link. This lab has an admin panel at /admin. It’s only accessible to logged-in users with a roleid of 2. Solve the lab by accessing the admin panel and using it to delete the user carlos. You can log in to your own account using the following credentials: wiener:peter We log in with the account information provided and try …
Lab link. This lab has an admin panel at /admin, which identifies administrators using a forgeable cookie. Solve the lab by accessing the admin panel and using it to delete the user carlos. You can log in to your own account using the following credentials: wiener:peter We log in to the account using the user credentials provided. If …
Lab link. This lab has an unprotected admin panel. It’s located at an unpredictable location, but the location is disclosed somewhere in the application. Solve the lab by accessing the admin panel, and using it to delete the user carlos. Look at the source code of the site, you can go with Ctrl+U. This JavaScript code …
Lab link. This lab has an unprotected admin panel. Solve the lab by deleting the user carlos. We visit the robots.txt file. This prevents the specified user agent (in this case all bots) from accessing the URL path /administrator-panel. In other words, the website does not want search engines to crawl the /administrator-panel directory. Try to …
Lab link. This lab has a “Check stock” feature that embeds the user input inside a server-side XML document that is subsequently parsed. Because you don’t control the entire XML document you can’t define a DTD to launch a classic XXE attack. To solve the lab, inject an XInclude statement to retrieve the contents of the /etc/passwd file. XInclude is a …
Lab link. This lab has a “Check stock” feature that parses XML input but does not display the result. To solve the lab, use an external DTD to trigger an error message that displays the contents of the /etc/passwd file. The lab contains a link to an exploit server on a different domain where you can host …
Lab link. If the application has taken precautions for the file extension, there are several ways to bypass this precaution. In this lab, we use the null byte method to bypass the file extension blocking. In Requesat’s response, we see that our file was uploaded correctly. In the GET /files/avatars/ we correct our file name …
Lab link. The application has used a blacklist for security, but if we upload the .htaccess file, we can allow any file extension we want on the server. The file with the .php extension does not work. We make changes to the POST /my-account/avatar request. Now we can upload files with .l33t extension. We change …
Lab link. In some systems, there may be more than one vulnerability, or we may continue with a different vulnerability in the continuation of one vulnerability. In this lab, we can upload files thanks to path traversal. In the lab, we are asked to access the file /home/carlos/secret. We create a php file to access …