Hackxor SQL Injection

You can download the complete challenge VM from here. They have also provided an online version of the first two levels, which I was interested in having a look at: http://cloaknet.csc.kth.se:8080/proxy.jsp

There is a login page and our goal is to extract all the usernames and passwords from the database.


If you try injecting the login form, none of the injections work. But there is a link labelled “No account?”, and when you click it you get a message with the demo credentials.


After logging in with demo:demo we are taken to “proxypanel.jsp”, which displays source, target and date.

Let’s analyze this using Burp. When we log in, the first request is a POST. Notice that this request is made to the “proxy.jsp” page.


user=demo&pass=demo&login=1&token=17312256995467290477108424856116888064446348101932685808552243140&asd=Login

Too bad the web app is using tokens; this means we cannot simply repeat the request to experiment.

After forwarding the request, another GET request is made to “proxypanel.jsp”, the actual page where we land. This is where the cookie values are passed.


Let’s have a look at the cookies.


There are two cookies, JSESSIONID and userid. Let’s mutate the userid parameter and check the output: userid=71934"\\;


Aha!

com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL 
server version for the right syntax to use near '''''' at line 1

After counting the columns I got 3. You cannot just inject here, because there is a filter. From what I noticed, the keywords union and select, as well as spaces, are being filtered. To bypass spaces I used /**/ comments, and to bypass the keywords union and select I used UNunionION and SELselectECT. However, when I tried giving 1,2,3 I got the error “The used SELECT statements have a different number of columns”.

Our target is to dump the usernames and passwords, but userid must be a column in a different table. I just guessed there would be a table called “users” and tried this query.

-71934/**/unUNIONion/**/seSELECTlect/**/*/**/from/**/users
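To make the defect behind this concrete, here is an added example of my own, not code from Hackxor: a Python/sqlite3 model of the lookup behind the userid cookie, with the keyword blacklist and string concatenation the write-up implies placed beside a hardened lookup that validates the id and binds it as a query parameter. Only the users table, the userid cookie and the payload above come from the challenge; the proxylog table, its column names, the exact filter behaviour and the sample rows are assumptions, and sqlite3 stands in for the MySQL backend the error message reveals (both treat /**/ as whitespace). The same payload that dumps users through the filtered concatenation returns nothing through the parameterized version, and no database error text reaches the client.

```python
import re
import sqlite3

# Constructed stand-in for the challenge database. The write-up only names the
# "users" table and the "userid" cookie; proxylog, the column names and the rows
# are assumptions, and sqlite3 replaces the MySQL backend.
SCHEMA = """
CREATE TABLE proxylog (userid INTEGER, source TEXT, target TEXT, date TEXT);
CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
INSERT INTO proxylog VALUES (71934, '10.0.0.5', 'example.org', '2012-01-01');
INSERT INTO users VALUES (1, 'demo', 'demo');
INSERT INTO users VALUES (2, 'admin', 'constructed-secret');
"""


def connect():
    """Open an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def blacklist_filter(value):
    """Assumed model of the challenge's filter: remove 'union', 'select' and spaces
    case-insensitively in a single pass. Removing each match once is the defect the
    unUNIONion / seSELECTlect payload relies on: the inner match is cut out and the
    surrounding characters close up to form the keyword again."""
    for banned in ("union", "select", " "):
        value = re.sub(re.escape(banned), "", value, flags=re.IGNORECASE)
    return value


def lookup_vulnerable(conn, userid):
    """The pattern the write-up implies: cookie value filtered, then concatenated
    into the query. Returns the rows, or the raw database error text (which the
    real app echoed to the browser, giving the 'Aha!' moment above)."""
    sql = "SELECT source, target, date FROM proxylog WHERE userid=" + blacklist_filter(userid)
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return str(exc)


def lookup_hardened(conn, userid):
    """Hardened form: validate the cookie as a plain integer (an allow-list, not a
    blacklist) and bind it as a parameter so the database never parses it as SQL.
    Malformed input yields an empty result and no error text reaches the client."""
    if not re.fullmatch(r"\d{1,10}", userid):
        return []
    return conn.execute(
        "SELECT source, target, date FROM proxylog WHERE userid=?", (int(userid),)
    ).fetchall()


if __name__ == "__main__":
    db = connect()
    payload = "-71934/**/unUNIONion/**/seSELECTlect/**/*/**/from/**/users"
    print("filtered payload :", blacklist_filter(payload))
    print("vulnerable lookup:", lookup_vulnerable(db, payload))
    print("hardened lookup  :", lookup_hardened(db, payload))
```

Looping the filter until nothing changes would close this particular hole, but a blacklist is still the wrong tool: the fix is that the cookie value is never part of the SQL text at all, which is what the bound parameter (a PreparedStatement placeholder in the JSP/JDBC world) gives you, with the integer check in front of it as a cheap sanity gate.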


w00t! Here we go 🙂


Thanks for reading.
