Chicago American Nazi Party – Realistic Mission 2
On visiting the above link you will see the mission text.
You need to gain access to their admin page in order to complete the mission. When you visit the link to their website you will see there isn’t a lot going on. Just a page.
Not for the easily offended; however, with no links to go anywhere, it is not immediately apparent what we can do here. As always: "Right click > View Source".
On reviewing the site code you will see this
As you will see, there seems to be a hidden page. Wonderful. Let's go there.
A standard login prompt. Testing the account for standard admin logins is useless as you are met with a lovely message I won’t be posting here, however, we don’t always need user credentials. I suspect this could be vulnerable to SQL Injection.
Good old ' OR 1=1 -- works in this instance. You are redirected to the HTS page where you are told you have completed the mission. What? So I can't deface the website? Oh well.
Why did this work?
Quite often web admins hide snippets of useful data in the comments of HTML code, like web pages not linked to on the site itself. Always view source. Also the simple SQL Injection statement pretty much bypasses any need for user credentials because it’s running a similar SQL statement to this in the background.
SELECT * FROM users WHERE username=' ' AND password=' ';
Our ' OR 1=1 -- addition changes the scope of this statement, because the login form pastes our input straight into the query text:
SELECT * FROM users WHERE username='' OR 1=1 -- ' AND password=' ';
The double dashes at the end of the injected statement comment out the rest of the query, negating the need for a password. It is essentially saying SELECT * FROM the users table WHERE 1=1, which is true for every row, so every user is returned. Invariably this logs you in as the admin account, as that is the first entry in the SQL DB.
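To make the mechanism concrete, here is an added example (not code from the mission or from HackThisSite) that builds a throwaway SQLite user table and runs the same login query two ways: concatenated as the walkthrough describes, and with bound parameters, which is the fix. The table, user names and passwords are constructed placeholders.

```python
import sqlite3

# Constructed in-memory stand-in for the mission's user table (hypothetical
# schema; the real site's table is not shown). Passwords are placeholders.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "admin-pass-placeholder"), ("editor", "editor-pass-placeholder")],
    )
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, the pattern described above.
    Whatever the user types becomes part of the SQL text, so a quote and a
    '--' comment marker rewrite the WHERE clause and the password check is
    commented away. fetchone() returns the first matching row (here, admin)."""
    sql = ("SELECT username FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Same logic with bound parameters: the driver passes the input as data,
    never as SQL, so quotes and comment markers inside it have no effect.
    (A real system would also compare password hashes, not plaintext.)"""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    conn = make_db()
    payload = "' OR 1=1 --"  # the input used in the mission
    print(login_vulnerable(conn, payload, "anything"))  # admin
    print(login_safe(conn, payload, "anything"))        # None
```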