Posted in Hackthissite.org

HTS-Realistic Mission 2

Chicago American Nazi Party – Realistic Mission 2 

https://www.hackthissite.org/playlevel/2/

On visiting the above link you will see the mission text.

[Image: mission blurb]

You need to gain access to their admin page in order to complete the mission. When you visit the link to their website you will see there isn’t a lot going on. Just a page.

[Image: the target website]

Not for the easily offended. With no links to go anywhere, however, it is not immediately apparent what we can do here. As always: "Right click > View Source".

On reviewing the site code you will see this:

[Image: page source showing the hidden page in an HTML comment]

As you will see, there seems to be a hidden page. Wonderful. Let's go there.

[Image: login prompt]

A standard login prompt. Trying common admin credentials is useless, as you are met with a lovely message I won't be posting here. However, we don't always need user credentials. I suspect this could be vulnerable to SQL injection.

[Image: the SQL injection payload entered in the login form]

Good old ' OR 1=1 -- works in this instance. You are redirected to the HTS page where you are told you have completed the mission. What? So I can't deface the website? Oh well.


Why did this work?

Quite often web admins hide snippets of useful data in HTML comments, such as pages not linked to from the site itself. Always view source. The simple SQL injection also removes any need for user credentials, because the application is running something like this SQL statement in the background:

SELECT * FROM users WHERE username='' AND password='';

Our ' OR 1=1 -- addition, entered in the username field, changes the scope of that statement:

SELECT * FROM users WHERE username='' OR 1=1 --' AND password='';

The double dashes at the end of the injected input comment out the rest of the query, so the password is never checked. The statement is essentially saying SELECT * FROM the users table WHERE 1=1, which matches every row. Invariably that logs you in as the admin account, as it is the first entry in the SQL database.
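As an added example (not code from the original post, and not the mission's real backend), here is the bypass and its fix side by side against a constructed in-memory SQLite table, with both login functions taking the same ' OR 1=1 -- input:

```python
import sqlite3


def make_db():
    """Constructed sample data; passwords are kept in clear only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("editor", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, like the background query on the page.
    The user's quote closes the string literal and the -- comments out the password check."""
    query = (
        f"SELECT username FROM users WHERE username='{username}' "
        f"AND password='{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Bound parameters: the input is passed as data, never spliced into the SQL text,
    so the quote and the -- are just characters to compare against, not syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    payload = "' OR 1=1 --"
    return {
        "vulnerable_real_creds": login_vulnerable(conn, "admin", "s3cret"),
        "vulnerable_payload": login_vulnerable(conn, payload, "anything"),
        "safe_real_creds": login_safe(conn, "admin", "s3cret"),
        "safe_payload": login_safe(conn, payload, "anything"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable function returns the first row (admin) for the payload because WHERE username='' OR 1=1 is true for every row, while the parameterized version returns nothing for it.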
