Hack This Site: Realistic Mission 2
May 22, 2014Freedom of Speech
User, Destroyfascism, is asking us to obtain admin access. When we check back at the main page, we see that a post organizing a racist meet-up is presented by WhiteKing. Seems like he has authority and probably admin access.
An example of a SQL vulnerability is when the website is comparing values within a database to log a user in. This is exactly what is happening on this website. Also, the submit button says "query" which is often a sign of SQL.
Also another way to tell if you have a possible SQL vulnerability is to put your known username into the field, and then just put a single quote (') into the password field. If it gives you back an error, chances are it can be injected with your own SQL.
Let's type his username back into our respective field on his update.php page. Now, there is a classic security exercise and commonly used method of putting an operator through a form field which gets processed by the server. The form will send a query when you hit submit, and it passes it like:
SELECT * FROM users WHERE username='$_GET[username]' AND password='$_GET[password]'
This query checks to make sure the corresponding values are both matching (AND operator).
We have a correct username. So it processes that correctly, but when we get to the password part of the query we have nothing. However there is a way to make that irrelevant. We can add the operator OR. With the OR operator we can use an expression like 'a'='a or '1'='1 to make the query say:
SELECT * FROM users WHERE username='$_GET[username]' AND password='$_GET[password]="'OR '1' = '1'
What it does is continues the query instead of actually ending the password query and it adds "OR if '1'='1" 1 will always = 1 so you will always get in. MAKE SURE you don't put a single quote after the ='1 because it will prematurely end the query and give you an error.
Anyway, once you hit submit you're done!
0 comments