Web Hacking/Dreamhack

(52)
[Dreamhack] Relative Path Overwrite write up index.php Relative-Path-Overwrite Home Vuln page Report Basically, the page is rendered according to the value passed in the page parameter. Because index.php filters '..', ':', and '/', an LFI vulnerability via path traversal does not occur. vuln.php loads filter.js. filter.js blocks XSS attacks by filtering the keywords 'script', 'on', 'frame', and 'object'. vuln.php accesses the HTML through the DOM object and appends the value received in param, as HTML, to the tag whose ID is param. report.php / http://127.0.0.1/ Report..
[Dreamhack] CSS Injection write up This took me the longest of all the web hacking challenges I have solved so far.. Since this is CSS Injection, you need to pay close attention to where user input ends up in a CSS value. Because the code is long, I will only look at the key parts. #!/usr/bin/python3 import hashlib, os, binascii, random, string from flask import Flask, request, render_template, redirect, url_for, session, g, flash from functools import wraps import sqlite3 from selenium import webdriver from selenium.webdriver.chrome.service import Service from sel..
[Dreamhack] Client Side Template Injection write up #!/usr/bin/python3 from flask import Flask, request, render_template from selenium import webdriver from selenium.webdriver.chrome.service import Service import urllib import os app = Flask(__name__) app.secret_key = os.urandom(32) nonce = os.urandom(16).hex() try: FLAG = open("./flag.txt", "r").read() except: FLAG = "[**FLAG**]" def read_url(url, cookie={"name": "name", "value": "value"}): cook..
[Dreamhack] CSRF Advanced write up #!/usr/bin/python3 from flask import Flask, request, render_template, make_response, redirect, url_for from selenium.webdriver.common.by import By from selenium import webdriver from selenium.webdriver.chrome.service import Service from hashlib import md5 import urllib import os app = Flask(__name__) app.secret_key = os.urandom(32) try: FLAG = open("./flag.txt", "r").read() except: FLAG = "[**FL..
[Dreamhack] CSP Bypass Advanced write up #!/usr/bin/python3 from flask import Flask, request, render_template from selenium import webdriver from selenium.webdriver.chrome.service import Service import urllib import os app = Flask(__name__) app.secret_key = os.urandom(32) nonce = os.urandom(16).hex() try: FLAG = open("./flag.txt", "r").read() except: FLAG = "[**FLAG**]" def read_url(url, cookie={"name": "name", "value": "value"}): cook..
[Dreamhack] CSP Bypass write up #!/usr/bin/python3 from flask import Flask, request, render_template from selenium import webdriver from selenium.webdriver.chrome.service import Service import urllib import os app = Flask(__name__) app.secret_key = os.urandom(32) nonce = os.urandom(16).hex() try: FLAG = open("./flag.txt", "r").read() except: FLAG = "[**FLAG**]" def read_url(url, cookie={"name": "name", "value": "value"}): cook..
[Dreamhack] XSS Filtering Bypass Advanced write up #!/usr/bin/python3 from flask import Flask, request, render_template from selenium import webdriver from selenium.webdriver.chrome.service import Service import urllib import os app = Flask(__name__) app.secret_key = os.urandom(32) try: FLAG = open("./flag.txt", "r").read() except: FLAG = "[**FLAG**]" def read_url(url, cookie={"name": "name", "value": "value"}): cookie.update({"domain": "127.0.0..
[Dreamhack] XSS Filtering Bypass write up #!/usr/bin/python3 from flask import Flask, request, render_template from selenium import webdriver from selenium.webdriver.chrome.service import Service import urllib import os app = Flask(__name__) app.secret_key = os.urandom(32) try: FLAG = open("./flag.txt", "r").read() except: FLAG = "[**FLAG**]" def read_url(url, cookie={"name": "name", "value": "value"}): cookie.update({"domain": "127.0.0..