
Solution to the problem of breakthrough in OWASP juice shop shooting range

2022-07-06 07:07:00 smarthome_ man

1、 Find the hidden scoreboard
Navigating to /#/score-board goes straight to the scoreboard.
2、 Log in to the administrator account
Here you can get into the administrator account through SQL injection in the login form.
1、 Without an account name or password, enter:
' or 0=0 --

2、 With an account name but no password, enter:
**[email protected]'--**
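As an added example (not part of the original write-up), this Python stand-in for the shop's login query shows why the two payloads above work against a query built by string concatenation and why the same inputs do nothing against a parameterized query. The Users table, e-mail addresses and passwords are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the shop's Users table.
    # Addresses and passwords are made up for this example; a real
    # application stores password hashes, not plaintext.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, "
               "password TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO Users (email, password, role) VALUES (?, ?, ?)",
        [("admin@example.test", "adm1n-secret", "admin"),
         ("alice@example.test", "alice-secret", "customer")],
    )
    return db


def login_vulnerable(db, email, password):
    # The WHERE clause is assembled by string concatenation, so a quote in
    # the email field closes the literal and the rest is parsed as SQL:
    #   email = "' or 0=0 --"  ->  WHERE email = '' or 0=0 --' AND password = '...'
    # The -- comments out the password check, 0=0 matches every row, and
    # fetchone() returns the first row, which is the admin account.
    sql = (f"SELECT email, role FROM Users "
           f"WHERE email = '{email}' AND password = '{password}'")
    return db.execute(sql).fetchone()


def login_parameterized(db, email, password):
    # Placeholders send the values separately from the SQL text, so a quote
    # or -- inside them can never change the structure of the statement.
    sql = "SELECT email, role FROM Users WHERE email = ? AND password = ?"
    return db.execute(sql, (email, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    for payload in ["' or 0=0 --", "admin@example.test'--"]:
        print(repr(payload),
              "vulnerable:", login_vulnerable(db, payload, "wrong"),
              "parameterized:", login_parameterized(db, payload, "wrong"))
```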

3、 XSS attack
Enter <iframe src="javascript:alert(xss)"> in the search box

4、 Log in to the administrator interface without triggering an error
Simply enter administration in the URL.

5、 Give the store a devastating zero-star feedback
Modify the page code and remove the disabled attribute.

6、 Register as a user
1. Use the Fiddler packet-capture tool to capture the user registration request
2. Intercept the request submitted to /api/Users
3. Add the "role":"admin" privilege to it

7、 Delete all 5-star customer feedback

Go to the hidden administrator interface by entering /administration
Delete the five-star feedback
8、 Place an order that makes you rich
Use Fiddler to capture the request that adds goods to the shopping cart, change the quantity to a negative number, send the request, and complete the checkout.
9、 View another user's shopping cart
1、 Use Fiddler to capture the request carrying the shopping cart id, change it to another user's id, and send the request.
10、 Find the picture of the cat and display it

11、 Log in with the administrator's user credentials: brute force

12、 Post feedback in another user's name
Use Fiddler to capture the feedback request, modify the user id, and send it.

13、 Post a product review as another user, or edit any user's existing review
Use Fiddler to capture the review request, modify the user name, and send it.

14、 Repeatedly send "Can I have a coupon code?" to obtain a discount
Brute force

15、 Upload a file whose extension is not .pdf or .zip, e.g. xml
Find ... in the front-end code
You can modify it.

16、 Upload a file larger than 100 kB, or of another type

17、 NoSQL injection: update multiple product reviews at the same time

18、 Change the bender user's password without using injection
1、 Log in as the bender user with the universal password
2、 Use the packet-capture tool to capture the change-password request
3、 Delete the original password from the URL and send it

19、 Put products into another user's shopping basket

20、 Change the href of the OWASP SSL Advanced Forensic Tool (O-Saft) link to https://owasp.slack.com


Copyright notice
This article was written by [smarthome_ man]; when reposting, please include the original link. Thank you.
https://yzsam.com/2022/02/202202131944084881.html