HACKINTOANETWORK

WEB APPLICATION BUG HUNTER, PENETRATION TESTER

CTF/Incognito 4.0

To summarize this CTF challenge, it could be solved by performing a NoSQL injection attack. The challenge provided a login and registration feature, as well as a functionality to check the existence of an email and whether an account had admin privileges. The ultimate goal of the challenge was to log in with an admin account, so I had to find an account with "isAdmin" set to true. Payload import..

2023. 2. 19.

CTF/Incognito 4.0

This CTF challenge is an SSRF challenge with some additional filtering compared to the "get flag1" challenge that was previously solved. The challenge provides a URL form where a user can input a URL, and the goal is to bypass the filtering and trigger an SSRF attack. Payload http://0x7f.0x00.0x00.0x01:9001/flag.txt The payload used to trigger the SSRF attack is the URL "http://0x7f.0x00.0x00.0x..

2023. 2. 19.

CTF/Incognito 4.0

This CTF challenge is a simple SSRF challenge When you access the challenge, there is a URL form where you can input a URL. Payload http://0.0.0.0:9001/flag.txt Exploit By entering "http://0.0.0.0:9001/flag.txt" into the URL form, you can trigger an SSRF vulnerability. FLAG : ictf{l0c4l_byp4$$_323theu0a9}

2023. 2. 19.

CTF/DiceCTF 2023

이 문제는 CRC32B 해시 알고리즘 기반의 CSP를 우회하여 RXSS를 트리거 하는 것이 핵심이다. 문제의 소스코드는 다음과 같다.

2023. 2. 6.

Exploit/Exploit

XSS via filename Node.js third-party modules disclosed on HackerOne: [tianma-static]... hackerone.com create filename start tianma-static xss fired XSS via Metadata Shopify disclosed on HackerOne: XSS Stored via Upload avatar PNG... hackerone.com Exiftool를 사용하여 메타데이터에 xss 페이로드 쓰기 파일에서 exif 메타데이터가 제거되지 않은 경우에 발생할 수 있다. exiftool command exiftool -Comment="\">" xss_comment_exif_metadata_double_quot..

2023. 2. 2.