There is a login page, and our goal is to extract all the usernames and passwords from the database.
If you try injecting the login form, none of the injections work. But there is a link labelled “No account?”; when you click it you get this message.
After logging in with demo:demo we are taken to “proxypanel.jsp”, which displays source, target and date.
Let’s analyze this using Burp. When we log in, the first request is a POST. Notice that this request is being made to the “proxy.jsp” page.
user=demo&pass=demo&login=1&token=17312256995467290477108424856116888064446348101932685808552243140&asd=Login
Too bad the web app is using tokens; this means we cannot replay the request to experiment.
After forwarding the request, another GET request is made to “proxypanel.jsp”, the actual page where we land. This is where the cookie values are passed.
Let’s have a look at the cookies.
There are two session cookies, JSESSIONID and userid. Let’s mutate the userid parameter and check the output: userid=71934"\\;
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''''' at line 1
After counting the columns I got 3 columns. You cannot just inject here, because there is a filter. From what I noticed, keywords such as union and select, as well as spaces, are being filtered. To bypass spaces I used comments (/**/), and to bypass the union and select keywords I used UNunionION and SELselectECT. However, when I tried giving 1,2,3 I got the error “The used SELECT statements have a different number of columns”.
Our target is to dump the usernames and passwords, but the userid should be a column name from a different table. I just guessed there would be a table called “users” and tried this query.
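The filter-and-concatenate pattern described above, rebuilt as an added Python example (this is not the challenge's own code; the proxylog table, its column names and the numeric context of userid are assumptions) against an in-memory SQLite database. It shows three things a defender cares about: a strip-style blacklist reassembles the very keyword it deletes, a concatenated query hands the database error text straight back to the client, and a parameterised query with allow-list validation is unaffected by either problem.

```python
import re
import sqlite3

# Constructed toy schema standing in for the challenge's proxy panel data
# (assumption: the real table and column names are not given on the page).
SCHEMA = """
CREATE TABLE proxylog (userid INTEGER, source TEXT, target TEXT, date TEXT);
INSERT INTO proxylog VALUES (71934, '10.0.0.5', 'example.org', '2014-01-01');
INSERT INTO proxylog VALUES (71935, '10.0.0.6', 'example.net', '2014-01-02');
"""

# Tokens the write-up reports as filtered: two keywords and the space character.
BLOCKED = ("union", "select", " ")


def strip_filter(value: str) -> str:
    """Blacklist filter of the kind the write-up describes: delete every blocked
    token (case-insensitive) in a single pass. Deletion is not idempotent, so a
    keyword wrapped around its own spelling is reassembled by the filter itself,
    and /**/ comments stand in for the spaces it removed."""
    for token in BLOCKED:
        value = re.sub(re.escape(token), "", value, flags=re.IGNORECASE)
    return value


def contains_blocked(value: str) -> bool:
    """Defence-in-depth check: treat comments as whitespace and reject the value
    if any blocked keyword is present anywhere, instead of silently deleting it."""
    normalised = re.sub(r"/\*.*?\*/", " ", value)
    keywords = [tok for tok in BLOCKED if tok.strip()]
    return any(re.search(re.escape(tok), normalised, re.IGNORECASE) for tok in keywords)


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, userid: str) -> dict:
    """Cookie value is filtered and then concatenated into SQL (assumed numeric
    context). A malformed value produces a database syntax error, and returning
    its text is exactly the oracle the write-up used to spot the injection point."""
    sql = f"SELECT source, target, date FROM proxylog WHERE userid = {strip_filter(userid)}"
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": f"{type(exc).__name__}: {exc}"}


def lookup_safe(conn: sqlite3.Connection, userid: str) -> dict:
    """Allow-list the cookie value as an integer and bind it as a parameter. The
    value can never be parsed as SQL, so no keyword filter is needed, and the
    client only ever sees a generic message rather than database internals."""
    if not re.fullmatch(r"\d{1,10}", userid):
        return {"rows": [], "error": "invalid userid"}
    sql = "SELECT source, target, date FROM proxylog WHERE userid = ?"
    return {"rows": conn.execute(sql, (int(userid),)).fetchall(), "error": None}


if __name__ == "__main__":
    db = open_db()
    # The nested spelling from the write-up survives the strip filter intact.
    print("filtered :", strip_filter("UNunionION/**/SELselectECT"))
    print("rejected :", contains_blocked("UNunionION"))
    # Malformed cookie value from the write-up: error text leaks vs. generic message.
    print("vuln     :", lookup_vulnerable(db, '71934"\\;'))
    print("safe     :", lookup_safe(db, '71934"\\;'))
    print("safe ok  :", lookup_safe(db, "71934"))
```

The strip filter is what makes the nested spellings on this page work: one pass removes the inner keyword and leaves the outer one behind. Rejecting the request (contains_blocked) is better than stripping, but it is still a blacklist; the fix that removes the class of bug is lookup_safe, where the cookie value is validated against the shape it should have and bound as a parameter.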
w00t! Here we go 🙂
Thanks for reading.