CTF Hacking

Uploaded by

mancusomjm

Web Exploitation

Understanding the Challenge


We are given a login page and need to log in as the user jim404 without knowing the
password; the flag is shown once we are successfully logged in.

Exploit
When we try to log in to the website with the username jim404 and a random
password such as 'Password@123' or 'Password123', the website responds with
'Login Faild. Please try again'.
Looking at the source code of the web page, we can see that only poor input validation is
applied to the values the user submits to the server:

<script>
// Submits the login form as JSON to /login and renders whatever the server replies.
async function login() {
    $("#result").fadeOut("fast");
    // Both fields are sent exactly as typed: there is no client-side validation,
    // so all checking happens in the server's /login handler.
    const response = await fetch("/login", {
        method: "POST",
        headers: {
            "Content-Type": "application/json",
        },
        body: JSON.stringify({
            "username": $("#username").val(),
            "password": $("#password").val()
        }),
    });

    const data = await response.json();

    if (data["error"]) {
        // The server's error message (e.g. 'Login Faild. Please try again') is shown verbatim.
        $("#result").html('<div class="alert mb-0 alert-danger">' +
            data["message"] + '</div>');
        $("#result").fadeIn();
    } else {
        // On success the wallet panel is populated from the JSON response,
        // including the private key the server returns to the browser.
        $("#username_value").html(data["username"]);
        $("#balance_value").html(data["balance"]);
        $("#public_address_value").html(data["public_btc_address"]);
        $("#private_key_value").html(data["private_btc_key"]);
        $("#login_panel").slideUp();
        $("#wallet_panel").slideDown();
    }
}
</script>

Because of this, we can capture our request in Burp Suite and inject SQL into the
username field to authenticate as the user jim404.

In Burp Suite we can see the username and the password being passed in clear text to the
login endpoint on the server side. Send this request to the Repeater, then forward the
same request to the server.

In the Repeater's response section we can see a DEBUG query being displayed: the username
is inserted in its raw form, exactly as entered by the user, while the password is hashed
before being compared with the database.
We can also see that the query wraps our input in single quotes ( ' ), so we append
' AND '1'='1'; -- (with a trailing space after --) to the username. This comments out the
rest of the query and returns everything related to the user jim404, including the flag.
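To make the difference concrete, here is an added example (not code from this write-up or from the challenge) that contrasts the concatenated query the DEBUG output describes with a parameterized one. It uses an in-memory SQLite table with constructed data and SHA-256 as a stand-in for whatever hash the real server applies:

```python
import hashlib
import sqlite3


def make_db():
    # Constructed sample table standing in for the challenge's user store.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT, flag TEXT)")
    db.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        ("jim404", hashlib.sha256(b"unknown-real-password").hexdigest(), "FLAG{constructed}"),
    )
    db.commit()
    return db


def login_vulnerable(db, username, password):
    # Mirrors the DEBUG query: username concatenated raw, password hashed (SHA-256 assumed).
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (
        "SELECT username, flag FROM users WHERE username = '" + username
        + "' AND password_hash = '" + pw_hash + "'"
    )
    return db.execute(query).fetchone()


def login_parameterized(db, username, password):
    # Same logic, but the driver binds the values; quotes in the input stay data.
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = "SELECT username, flag FROM users WHERE username = ? AND password_hash = ?"
    return db.execute(query, (username, pw_hash)).fetchone()


# The write-up's payload: the trailing "-- " comments out the password check.
PAYLOAD = "jim404' AND '1'='1'; -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:    ", login_vulnerable(db, PAYLOAD, "Password123"))
    print("parameterized: ", login_parameterized(db, PAYLOAD, "Password123"))
```

With the concatenated query the payload returns jim404's row without the password; the parameterized version returns no row, because the whole payload is compared literally against the username column.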

Video write-up
Pranava Rao: https://www.youtube.com/watch?v=M0w3-7BQ06Y&t=275s (Cracking ZIP
Files and SQL Injection | METACTF | CyberPranava)
