Cookie Injection, JavaScript Injection & SQL Injection Method
From navigating the site and reading the page source, we gather the following information:
| Function | Page(s) | Notes |
|---|---|---|
| Register pages | Register.php > register2.php | |
| Login pages | login1.php > login2.php | |
| Purge files | cleardir.php | `<input type='hidden' name='dir' value='loginSQLFiles'>` |
| Transfer money from one account to another | movemoney.php | |
Authentication cookie (created after successful authentication):
- Name: Gary Hunter
- Transfer $10,000,000 into the account dropCash.
- Log directory: logFiles
Objective 1: Find the account of Gary Hunter
By scrolling down, we find:
GaryWilliamHunter : — $$$$$ —
The two values are separated by a colon:
- Before colon: the login (GaryWilliamHunter)
- After colon: the description (– $$$$$ –)
Objective 2: Move the $10,000,000 into the account dropCash
By entering the following code in the URL, we see that the site is vulnerable to cookie injection because it displays the cookie contents in the clear.
Install Firebug and Firecookie for Firefox. We then have to change the value of the cookie named “accountUsername” to “GaryWilliamHunter” and use the following JS injection (copy/paste it in the URL):
It will dynamically write a form on the page, containing the necessary values for a transfer:
- FORM ACTION: movemoney.php, as specified in the exercise
- FROM: value taken from the modified cookie (GaryWilliamHunter)
- TO: value of dropCash, as stated in the exercise. We know this field from the information we gathered.
- AMOUNT: value specified in the exercise. We know this field from the information we gathered.
Submitting the form completes the stage.
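As an added defensive illustration (not part of the original write-up or of the challenge site), here is how a server can detect the cookie tampering described above: the accountUsername value is bound to a server-side HMAC, and the transfer's FROM field is compared against the verified identity instead of the raw cookie value. The key and account names are constructed for the demo.

```python
import hmac
import hashlib

# Server-side secret (constructed for this demo). In a real deployment it is
# loaded from server configuration and never sent to the browser.
SERVER_KEY = b"constructed-demo-key-replace-in-production"


def sign_cookie(username: str, key: bytes = SERVER_KEY) -> str:
    """Return 'username.hexmac': the MAC binds the username to the server key."""
    mac = hmac.new(key, username.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{username}.{mac}"


def verify_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the username if the cookie's MAC is valid, otherwise None.

    Editing the username part in the browser (as the write-up does with
    Firecookie) invalidates the MAC, so the tampered cookie is rejected.
    """
    username, sep, mac = cookie.rpartition(".")
    if not sep or not username:
        return None
    expected = hmac.new(key, username.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return username


def transfer_allowed_weak(cookie_value: str, from_account: str) -> bool:
    """The pattern exploited in the write-up: trust the raw cookie value."""
    return cookie_value == from_account


def transfer_allowed_hardened(cookie: str, from_account: str) -> bool:
    """FROM must equal the authenticated identity taken from a verified cookie."""
    user = verify_cookie(cookie)
    return user is not None and user == from_account
```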
Objective 3: Clear The Logs, They’re held in the folder ‘logFiles’
Copy/paste the following code in the URL:
PS: You can also use the Firefox add-on “Tamper Data” or Google Chrome’s “Inspect Element” option instead of Firecookie and Firebug.