![]() Once I tried admin plus my injection, it worked, and I received the flag! Invalid password for "/**/LIMIT/**/1-, please try again!įinally, after a few different attempts, I realized that I needed to provide a username. Commenting out the rest of the query gave back and different error though. When that didn’t work, I thought it was because the closing quote for username was breaking the syntax. First of all, having only injected into SQLite from time to time, this cheatsheet was invaluable.Īfter finally receiving my error message, I knew that I’d have to inject into the username, as the browser was hashing the password before sending it off.įirst, I attempted to inject a blank username, and limit the number of results to 1, to see if I could just login. Now that I knew I probably had SQLite injection, it was time to exploit it. Note that the filter triggered on the spaces, which will come into play later.įinally, I decided to try a double-quote (“) as the username, and found the injection point! Invalid characters detected, please try again When I attempted a full injection, I received back a useful error message finally. Invalid password for admin, please try again! ![]() This too returned a standard error message. Next, I tried a username of “admin” and a single quote (‘) as the password. User-Agent: Mozilla/5.0 (Windows NT 10.0 Win64 圆4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/.100 Safari/537.36Ĭontent-Type: application/x-Unfortunately, this just brought back a standard authentication error. Finding the Injectionįirst, I tried a simple SQL injection, hoping to get something useful back. That said, default/weak credentials didn’t work, so it looked like this would be a potential injection point. I’m not sure if this was found by manual browsing, or a dictionary attack. The consultants portal had an administrative login page at. I’m hoping that I can have Gabe stand it up again for part 2! The Challenge ![]() There was a second stage to this challenge, but I was unable to get it working in time. ![]() In this case, it was slightly different from earlier years, and it actually took me some effort. There was some neat SQLite injection during the most recent EverSec CTF, and I wanted to share my solution.ĭuring the BSides RDU 2018 CTF, I of course found a login page. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |