SQL injection at OSU CTF — hacker101

natnat
3 min read, Jul 1, 2022

vulnerability

SQL injection — allows an attacker to interfere with the queries that an application makes to its database.

to test for SQL injection i entered this as the username:

' OR 1=1;--

because when i send a username, the backend compares it against the existing usernames. if it uses an SQL database, the query it builds would look something like this:

"SELECT username FROM user WHERE username = '" + username + "';"

with our input in it, the query becomes:

SELECT username FROM user WHERE username = '' OR 1=1;--';

the input

' OR 1=1;--

works like this: the leading ' closes the string the application opened, OR 1=1 makes the WHERE condition true for every row because 1=1 is always true, ; ends the statement, and the SQL comment marker -- makes SQL Server ignore the rest of the statement, so the application's own trailing ' does not raise a syntax error.

as password put whatever you want and press login.

we bypassed it.
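To make the bypass above concrete from the defender's side, here is an added example (not from the original post) that builds the writeup's concatenated login query against a constructed in-memory SQLite table and shows the payload logging in, while the same check written as a parameterised query rejects it. The trailing ';' of the payload is dropped because sqlite3's execute() accepts a single statement; the '--' comment still swallows the rest of the WHERE clause.

```python
import sqlite3

# Constructed sample data for the demo: one account in an in-memory database.
SAMPLE_USERS = [("alice", "correct horse battery staple")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    # String concatenation, the pattern the writeup describes: the user's
    # input becomes part of the SQL text itself.
    sql = ("SELECT username FROM user WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    # Parameterised query: the driver passes the values separately from the
    # SQL text, so a quote or comment marker in the input is only data.
    sql = "SELECT username FROM user WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    conn = make_db()
    payload = "' OR 1=1--"  # the writeup's payload without the ';'
    good = ("alice", "correct horse battery staple")
    return {
        "legit_vulnerable": login_vulnerable(conn, *good),
        "legit_safe": login_safe(conn, *good),
        "payload_vulnerable": login_vulnerable(conn, payload, "whatever"),
        "payload_safe": login_safe(conn, payload, "whatever"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```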

now it’s time to find Natasha Drew, but she isn’t in our students list.

let’s take a look at the source code:

every student has their own data id. from the outside it looks like base64. let's check whether we can decode it.

click here to go to the link.

It works!!!

now let’s take a look at the js code.

we come across the file app.min.js. to make its code readable i used https://beautifier.io/

in the setup links function, the page changes window.location to /update-student/{student dataset id}

replace {student dataset id} with Sahara Whitehouse's dataset id and go to that page.

now convert the string Natasha_Drew to base64 using https://www.dcode.fr/base-64-encoding and replace Sahara Whitehouse's dataset id with it.

now change every grade to A

and click update record

CONGRATS!! WE GOT THE FLAG!!!
