apply new style to all non-blog files barring site-info.html

gnat
2024-07-27 12:31:33 -07:00
parent a59e0d8adb
commit 9bfa93d8c6
18 changed files with 686 additions and 525 deletions

@ -1,27 +1,31 @@
<html>
<head>
<title>Not a fan of IT</title>
<title>Albert</title>
<style>
$[cat style.css]
</style>
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
$[python3 -c 'import utils; print(utils.parse_file("html/header.html"))' | sed 's/\$PREV_URL\$/"{prev}"/']
<div>
<h1>Friend hacked my website lol</h1>
<p>But how?</p>
<hr>
<p>
Prior to me rewriting the backend of my website, there was a bug that would allow a bash command in a comment inside $[echo \$\[\]] and not containing &lt; or &rt; to be executed if you querried the url /html/%2e%2e/files/posts-to-homepage/{post file}.
This was due to any url beginning with '/html/' being unconditionally put through parse_file(), which generates static content from the embedded bash in the html (see <a href='/html/site-info.html'></a>).
In addition to this, the source code of the server could be attained via a similar method, requesting the path of the file, but with /files/ or /html/ in front of it, followed by %2e%2e.
</p>
<p>
Albert was able to exploit this by first getting the source code of the webserver via the second method discussed above, examining it, and deducing the first vulnerability mentioned above.
Upon discovering the RCE available via the comment untrusted command evaluation, they were able to add an ssh key to my server and thus gain a shell.
Amazingly, at the same time that they did this, my other friend's girlfriend (appearing in the comments as gexfan) was halfheartedly trying to mess with my site.
This ended with around 15 messages on discord telling me my site had been hacked, only around two of which were from albert.
</p>
</div>
<main>
<section>
<h1>Friend hacked my website lol</h1>
<p>But how?</p>
</section>
<section>
<p>
Prior to me rewriting the backend of my website, there was a bug that would allow a bash command in a comment inside $[echo \$\[\]] and not containing &lt; or &rt; to be executed if you querried the url /html/%2e%2e/files/posts-to-homepage/{post file}.
This was due to any url beginning with '/html/' being unconditionally put through parse_file(), which generates static content from the embedded bash in the html (see <a href='/html/site-info.html'></a>).
In addition to this, the source code of the server could be attained via a similar method, requesting the path of the file, but with /files/ or /html/ in front of it, followed by %2e%2e.
</p>
<p>
Albert was able to exploit this by first getting the source code of the webserver via the second method discussed above, examining it, and deducing the first vulnerability mentioned above.
Upon discovering the RCE available via the comment untrusted command evaluation, they were able to add an ssh key to my server and thus gain a shell.
Amazingly, at the same time that they did this, my other friend's girlfriend (appearing in the comments as gexfan) was halfheartedly trying to mess with my site.
This ended with around 15 messages on discord telling me my site had been hacked, only around two of which were from albert.
</p>
</section>
</main>
</body>
</html>
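
Review bot: In the paragraph moved into the new `<section>`, `&rt;` is not an HTML entity and will render literally; it should be `&gt;`. The same paragraph carries over `<a href='/html/site-info.html'></a>` with no link text, so the "see" reference renders as nothing a reader can click; give the anchor visible text. "querried" should be "queried" while the line is being touched. Separately, the two `<title>` lines at the top of the hunk suggest the title goes from "Not a fan of IT" to "Albert", which is a content change rather than a style change; mention it in the commit message or split it into its own commit.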