OWASP juice-shop part 3

Follow me through my hacking journey!

TdaShadow

6/17/2026
1 min read

Welcome back! This is my third post. I am trying to separate challenges into different posts, so if you follow along, maybe someone else can learn as well.

A little recap: first we were able to discover the email address admin@juice-sh.op. We then used SQL injection in order to bypass authentication and were granted access as admin. We then performed recon, stumbling upon the Customer Feedback link, and successfully left a rating of ZERO stars, which you should not be allowed to do. What's next?!

What else can we find in the sidebar? 'Complaint'. Hmm, now that could be interesting. Checking the site, we have a customer name (cannot be changed; currently logged in as admin), an input box for a message, and an Invoice option that allows us to upload a file.

Uploading a file makes me wonder what file types I can upload. Let's see if we can upload a text file. But not just any text file! A malicious txt file (just kidding, it's just an empty text document) called baddy.txt. 'Forbidden file type. Only PDF, ZIP allowed.' Okay, let's try creating a zip. *** Didn't solve a challenge, but allowing the upload of a ZIP file could be dangerous. Something to NOTE.

Wait! Let's look at the request. Content-Type: application/zip. What if we change it to application/txt and change the file within the request? Let's send the request to Repeater and change those fields. HTTP/1.1 204 No Content. No errors! Back to Juice Shop! Success!

You successfully solved a challenge: Upload Type (Upload a file that has no .pdf or .zip extension.)

>Open sidebar
>Visit Complaint link
>Upload file; created baddy.zip > Upload successful
>Edit the request: change Content-Type: application/zip to Content-Type: application/txt and change the filename in the request from baddy.zip to baddy.txt
>Solved Upload Type Challenge
