Wargame/Web
This post is protected.
This post is protected.
This post is protected.
https://app.hackthebox.com/challenges/152 Hack The Box app.hackthebox.com [Problem] [Solution] #Reference: https://watchout31337.tistory.com/177 This site is known to run on Flask/Jinja2. When the URL is manipulated, an error page is shown saying that the entered page does not exist. Jinja's syntax uses {{ }}. Entering {{7*7}} outputs 49. This challenge is about exploiting an SSTI vulnerability. Entering {{config}} shows the list of configured settings. Entering {{''.__class__.__mro__}} accesses the root class. {{''.__class__.__mro__[1].__subclas..
https://portswigger.net/web-security/cross-site-scripting/contexts/lab-href-attribute-double-quotes-html-encoded Lab: Stored XSS into anchor href attribute with double quotes HTML-encoded | Web Security Academy This lab contains a stored cross-site scripting vulnerability in the comment functionality. To solve this lab, submit a comment that calls the alert ... portswigger.net [Problem] [Solution] When a comment is posted ..
https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload Lab: Remote code execution via web shell upload | Web Security Academy This lab contains a vulnerable image upload function. It doesn't perform any validation on the files users upload before storing them on the server's ... portswigger.net [Problem] [Solution] With a web shell attack, the /home/carlos/secret file ..
https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter-with-unpredictable-user-ids Lab: User ID controlled by request parameter, with unpredictable user IDs | Web Security Academy This lab has a horizontal privilege escalation vulnerability on the user account page, but identifies users with GUIDs. To solve the lab, find the GUID for ... portswigger.net [..