Нулевой заказ (Null Order)

hackerlab

Task: Order Manager web app with hidden API parameters in JavaScript. Solution: Analyzed JS code to find ext parameter, changed file extension from .order to .txt to read flag file via Arbitrary File Read.

javascript_analysis lfi php arbitrary_file_read file_extension_manipulation parameter_tampering

Arbitrary File Read via extension parameter manipulationClient-side JavaScript analysis for hidden parameters

$ ls tags/ techniques/

javascript_analysis lfi php arbitrary_file_read file_extension_manipulation parameter_tampering

Arbitrary File Read via extension parameter manipulationClient-side JavaScript analysis for hidden parameters

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Секрет (Secret)— hackerlab
[web][Pro]Заметки (Notes)— hackerlab
[web][Pro]board_of_secrets— miptctf
[web][Pro]Обычная страница— hackerlab
[web][Pro]PDF Library— hackerlab