Holy Word High School

There is a lot going on in this mission, but if you have been following my other tutorials you should already understand everything needed to complete it.

It seems Zach is having an issue with his grades at school and has asked us to help him change them.

The very first thing we do (and I have been saying this since basic 1) is explore each page and view the source of each page.

When I did this I noticed that the home page had a blank image link to a page called staff.php.

This page brings us to a login page. Now I spent some time trying to find a hole and was unsuccessful. I talked to a friend of mine and he said he guessed the username and password.

Fear not…I will figure it out and when I do I will post how.

Now that we are able to log in, you will notice the following:

Welcome, Mrs. Samantha Miller! Please remember that access to the staff administration area is restricted to the district-supplied ‘holy_teacher’ web browser.

It appears that the page is checking the User-Agent. A user agent is the client application used with a particular network protocol. The phrase most commonly refers to clients that access the World Wide Web, but other systems such as SIP use it for the user’s phone. Web user agents range from web browsers and e-mail clients to search engine crawlers (“spiders”), as well as mobile phones, screen readers and braille browsers used by people with disabilities.

When a user visits a web site, the client generally sends a text string that identifies the user agent to the server. This string is part of the HTTP request, in a header prefixed with User-Agent: (case does not matter), and typically includes information such as the application name, version, host operating system, and language. Bots, such as web crawlers, often also include a URL and/or e-mail address so that the webmaster can contact the operator of the bot. Because the client sets this header itself, it can be set to any value.

To get around this we can use Firefox and an add-on called Tamper Data. If you have been following along with my other examples you should already have this software installed.

Open Tamper Data:

 

Click Start Tamper. Now enter the username and password. You should get the following dialog box:

 

You want to click on the Tamper button and you should get the following screen:

 

You will notice a User-Agent field. You will have to change this field to:

Keep in mind every time you send a request you will have to change the User-Agent.

Now you are able to log in…Great! On the left-hand side you will notice a control panel, and the obvious button to click on is “Change Grades”, but when you click on the button nothing seems to happen.

But if you read the fine print underneath the button you will see the following message:

When there are roles involved, the first things that come to mind are session variables and cookies. So let’s take a look at the cookies first. Sure enough, there is a cookie named admin and its value is 0. It looks like a boolean switch, so let’s change it to 1 to see what happens.

You can do this by using the Firefox add-on Add N Edit Cookies. Again, if you have been following my tutorials so far you probably already have this installed. You could also change it via JavaScript injection.

Bingo…Changing the admin cookie has let us in and now we can change Zach’s grades.
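Both checks above fail for the same reason: the server trusts values the client sends. The following is an added example, not code from the mission or the original post, that puts that weak check beside a server-side role lookup. The usernames, the `STAFF_UA` value and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed server state for illustration; none of it is from the mission site.
SERVER_KEY = secrets.token_bytes(32)                  # secret that never leaves the server
ROLES = {"smiller": "teacher", "principal": "admin"}  # roles are stored server-side
SESSIONS = {}                                         # session id -> username
STAFF_UA = "ExampleStaffBrowser/1.0"                  # placeholder User-Agent value


def naive_is_admin(headers, cookies):
    """Weak check: both inputs are chosen by whoever sends the request."""
    return headers.get("User-Agent") == STAFF_UA and cookies.get("admin") == "1"


def _tag(sid):
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def login(username):
    """Issue an opaque session id with an HMAC tag; the role is not in the cookie."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return {"session": f"{sid}.{_tag(sid)}"}


def hardened_is_admin(headers, cookies):
    """Ignore User-Agent and any role cookie; derive the role from the session."""
    sid, _, tag = cookies.get("session", "").partition(".")
    if not hmac.compare_digest(tag.encode(), _tag(sid).encode()):
        return False                       # cookie was forged or altered
    return ROLES.get(SESSIONS.get(sid)) == "admin"


def demo():
    """Return (naive on tampered, hardened on tampered, hardened on real admin)."""
    headers = {"User-Agent": STAFF_UA}
    tampered = dict(login("smiller"), admin="1")   # teacher session plus edited cookie
    return (
        naive_is_admin(headers, tampered),
        hardened_is_admin(headers, tampered),
        hardened_is_admin({}, login("principal")),
    )


if __name__ == "__main__":
    print(demo())
```

The same server-side role check belongs on the handler that accepts grade changes, since hiding or commenting out a form button does not stop a request from reaching it.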

So we click on Zach’s name and hit another obstacle. We see the following message at the bottom:

Let’s view the source code…

When viewing the source code you will notice that each field has its own form and POST method.

However, you will also notice that the submit button has been commented out. But have no fear, we can just build our own URL and post it ourselves. First we take:

Then we have to add the grade variable so it should now look like this:

If you do this for each field you should pass this mission.