- Skills: Web
- Difficulty: moderate
Flag0
The second hint suggests a 'perfect union' which I understood as a hint for SQL injection union attack.
I checked for any SQL injection vulnerabilities in all URLs by adding apostrophe(') at the end of each URL. They all returned 404 error so I decided to try with the input for log in. On submitting, I got an SQL error, implying that the login input page was vulnerable to SQL attack.
I wrote an apostrophe (') in the username log in box and submitted, which brought the SQL error. The error revealed that the able were login information is stored is the admins.
I used ' or''=' for both the password and username and got invalid password, meaning that the username is vulnerable but the password is not.
Therefore, I injected the SQL code ' UNION SELECT "xyz" as password FROM admins where ''='';-- in the username column with the password as xyz which logged me in. And through this, I got the flag.
Flag1
Hint 1 was not much helpful but the second one implied that what we might be dealing with are request methods in HTTP. I turned to CURL to help me find the flag. While logged in, I tried to send different request methods to the page with CURL.
Running this in the command line brought the flag. curl -i -X POST http://35.190.155.168/e29da9ad93/page/edit/1
Flag2
Through the hint, I understood that what I needed was to login as an actual user since I had previously logged in through SQL injection. So I went back to the login page to try to obtain information from the database and login with the details shown there.
I decided to use blind SQL injection for this. I decided to use sqlmap for this.
In command line, I wrote the code sqlmap -u http://35.190.155.168/e29da9ad93/login --data "username=a&password=b" -p username --dump and got username as Winston and password as concepcion. Using the two as login credentials, I got the flag.
Top comments (0)