1. (2.5 points) XSS + Session Hijack 1
There is a really shoddy-looking message board running at http://10.8.1.106/a9q1/index.php
You can log in with username=<student id> and password=<student id> (you can't change the password).
Try sending benign messages to yourself (and maybe your friends).
There is a super secret page (/a9q1/secret.php) which can only be viewed by the hacklab_admin user.
The hacklab_admin user is reloading index.php every 60 seconds (using a tool called Puppeteer)
Hijack hacklab_admin's session and get the secret.
There shouldn't be any SQL or command injections — you can save time by not trying.
Please DO NOT use BeEF or any other automated framework.
All posts will be erased every 30 minutes because
Please be considerate of your classmates and
Test your script against yourself first.
Don't post infinite loops or scripts that result in errors.
Don’t forget to check your tun0 address (10.8.0.X)
You might want to cookiemonster.php).
2. (2.5 points) XSS + Session Hijack 2
Same deal as Q1, with a different URL and secret: http://10.8.1.106/a9q2/index.php
Note that the program now uses the PHP htmlentities() function properly when outputting the message!
Look for another XSS injection point (send a test message to yourself, and don't forget to check the page source!)
3. (2.5 points) XSS + Session Hijack 3
Same deal as Q1 and Q2, with a different URL and secret: http://10.8.1.106/a9q3/index.php
Almost all HTML tags are stripped, but a certain tag is allowed on this board.
Hint: This game https://xss-game.appspot.com/ is fun — have a go.
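The common thread of Q1 to Q3 is output handling: the secret stays safe only when every untrusted value is encoded for the exact context it is written into, and the session cookie is issued so that page scripts cannot read it. The following PHP is an added defensive illustration, not the hacklab board's code; the message array is constructed sample data and the function names (h, js, renderMessage, startHardenedSession) are my own.

```php
<?php
// Added defensive example (not the hacklab board's code): the rendering side of
// a message board. Every untrusted value is encoded for the context it lands in,
// and the session cookie is flagged so document.cookie cannot read it.
// $messages is constructed sample data; the function names are assumptions.

declare(strict_types=1);

// Encode for HTML text content and for quoted attribute values. ENT_QUOTES
// converts both ' and ", so a value cannot terminate the attribute it sits in.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encode for a string literal inside an inline <script> block. The JSON_HEX_*
// flags turn < > & ' " into \uXXXX escapes, so the literal cannot close the
// script element or break out of its quotes. HTML encoding is wrong here.
function js(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Render one post. The same value is encoded separately for each context it
// appears in: attribute value, text node, and script string literal.
function renderMessage(array $msg): string
{
    return '<div class="post" data-author="' . h($msg['from']) . '">'
         . '<b>' . h($msg['from']) . '</b>: ' . h($msg['body'])
         . '</div>'
         . '<script>showPreview(' . js($msg['body']) . ');</script>';
}

// Session cookie hardening: HttpOnly keeps the cookie out of document.cookie,
// Secure limits it to HTTPS (the lab URL is plain HTTP, so this needs TLS in
// front), SameSite=Strict stops it being sent on cross-site requests.
function startHardenedSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Constructed sample input containing the characters that matter for encoding.
$messages = [
    ['from' => 's123456',               'body' => 'hi there & welcome'],
    ['from' => 'o\'neil "the" <admin>', 'body' => '<b>not bold</b> & "quoted" text'],
];

startHardenedSession();
foreach ($messages as $msg) {
    echo renderMessage($msg), "\n";
}
```

The point to check against any board like this one is not whether htmlentities() is called, but whether it is called for every sink and with the right flags for that sink: the default flag set before PHP 8.1 leaves single quotes alone, which is harmless in a text node and not harmless inside a single-quoted attribute, and no HTML encoder is correct inside a script block.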
4. (2.5 points) CSRF
There is kind of a banking system running on http://10.8.1.106/a9q4/index.php
You can send money to anyone on the system, including hacklab_admin (you cannot send to yourself).
You can send a message with a transaction, but only the <a> tag is allowed. Everything else is stripped.
The hacklab_admin user is reloading their index.php page every minute or so, and is clicking on every link that appears in the messages.
Craft a link that will result in hacklab_admin sending money to you. Once you have a balance of $1000, the secret will be revealed to you.
Convert POST to GET
The messages are overwritten as "deleted" every 30 minutes to avoid clutter and to avoid the hacklab_admin having to click on hundreds of links.
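The reason the link works is that the transfer endpoint treats a request arriving via a link (a GET carrying the victim's session cookie) the same as the form submission. The PHP below is an added defensive illustration, not the hacklab banking app's code; it shows the three controls that close that gap: state changes only over POST, a per-session CSRF token compared in constant time, and a SameSite session cookie. The function and field names (issueCsrfToken, validateTransferRequest, csrf_token, to, amount) and the `$_SESSION['user']` key are assumptions.

```php
<?php
// Added defensive example (not the hacklab banking app's code): a transfer
// endpoint that a link cannot drive. Function names, form field names and the
// $_SESSION['user'] key are assumptions; the ledger update itself is left out.

declare(strict_types=1);

// SameSite=Strict means the browser does not attach the session cookie to a
// request initiated from another site, so a cross-site link arrives unauthenticated.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Strict']);
session_start();

// One unguessable token per session; 32 random bytes, hex encoded.
function issueCsrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// hash_equals() compares in constant time; the submitted value is untrusted.
function csrfTokenIsValid(mixed $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// The form embeds the token; another origin cannot read it, so it cannot
// reproduce a valid submission. Attribute value is HTML-encoded as usual.
function renderTransferForm(): string
{
    $token = htmlspecialchars(issueCsrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . 'To: <input name="to"> Amount: <input name="amount" type="number" min="1"> '
         . '<button type="submit">Send</button></form>';
}

// Returns the validated transfer as [from, to, amount], or stops the request.
function validateTransferRequest(): array
{
    // A GET must never change state; following a link is always a GET.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        exit('Transfers must be submitted with POST.');
    }
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Missing or invalid CSRF token.');
    }
    // The sender is whoever owns the session, never a request parameter.
    $from   = $_SESSION['user'] ?? null;
    $to     = trim((string) ($_POST['to'] ?? ''));
    $amount = filter_var(
        $_POST['amount'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($from === null || $to === '' || $to === $from || $amount === false) {
        http_response_code(400);
        exit('Invalid transfer.');
    }
    return [$from, $to, $amount];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    [$from, $to, $amount] = validateTransferRequest();
    // Ledger update would go here; left out of this example on purpose.
    echo "Would move {$amount} from {$from} to {$to}\n";
} else {
    echo renderTransferForm();
}
```

Each control covers a case the others miss: the POST-only rule stops the plain link, the token stops a cross-site form that auto-submits a POST, and SameSite stops both without relying on application code, but only in browsers that honour it. A board that accepts the same parameters over GET and POST, as the hint "Convert POST to GET" implies this one does, has none of the three.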