Light
Welcome to the Light database application! - by hadrian3689
Last updated
The following post by 0xb0b is licensed under CC BY 4.0
For this challenge, we will skip the Nmap scan. The room description already asks us to connect to port 1337. We also get a user to start with. The service on 1337 could be the aforementioned database application called Light.
Since this is a database challenge, we try the simplest SQL injection payload: a single quote ('). We get an error returned, so the service might be vulnerable to SQL injection. The error message tells us about an unrecognized token in ''' LIMIT 30. Our ' may have broken the enclosing string, which led to this error.
Now, let's try to get more information using a UNION SELECT injection. But it errors on the comment sequence we used.
Alternatively, we use # to comment, and do not receive a similar error as before. But some words get blocked; it might be UNION and SELECT.
We switch between capitalized and non-capitalized characters, but still get an error. It might be the SELECT statement too.
After applying the same technique to the SELECT statement, we now get a different error: the token # is not recognized.
We URL-encode the # character, but that does not help either. Instead, we receive another error regarding the ' character.
So maybe there is a statement like this, which gets broken by inserting a ':
Leading to:
We close our statement with another ', and now have a successful UNION-based injection.
Next, we query for the version, to determine which DBMS is used, so we can craft the payloads to retrieve the data from the database. It is an SQLite database, version 3.31.1.
Next, we query sqlite_master to get the database structure. There are an admintable and a usertable.
We query username and password from the usertable, but do not find the requested information:
Next, we query the username and password from the admintable, and do find the username, the password and the requested flag.