Over at Vulnhub.com you will find a large selection of vulnerable Virtual Machines to download and play around with. By far the safest way to test your newly learned skills. For the next few days I’ll be working on the VM created by HollyGraceful.
The link to the VM is here
Seattle Sounds website
There are several links on the site upon opening. ‘Vinyl’ takes you to a collection of old records and ‘Clothing’ takes you to a small collection of T-Shirts. The ‘My Account’ link takes you to the page in the image above. You are presented with some helpful information.
You must log in to the site using an email address. Let's try it out and see what feedback we get.
Username=’firstname.lastname@example.org’ & password=’test’
No dice! Invalid username. Surely there must be a way of finding a username? Let's navigate around the website links. The 'Blogs' link looks interesting.
Hey! by Admin
Welcome to our site!
Instant curiosity leads me to click on anything that looks like a link. On hovering the word ‘Admin’ the cursor changes revealing a nice bit of information.
Given that our login screen specifies that an email address is to be used to log in, I'd say this was a good find. Let's give it a try.
One particular piece of information is missing: the password. However, previously when checking for SQL errors in the site's URL I received the error below.
It led me to believe that I could use some sort of SQL Injection command on the site. Why not on the login screen?
Entering ' OR 1=1 -- in the password box bypasses the need for the password, because you are telling the site to give you the record for 'email@example.com' regardless of what the password is. The resulting SQL statement passed to the DB would look something like this (the real table name is not known, so 'users' stands in for it; the trailing -- comments out the closing quote the application appends):
SELECT * FROM users WHERE user='admin' AND password='' OR 1=1 --'
It makes more sense when you see the statement. We know the username, so that condition is satisfied; after that the DB has two things to evaluate: check whether the password is BLANK, OR evaluate 1=1, which is always true. The check against the password stored in the DB is therefore never what decides the result.
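To make the statement above concrete, here is an added example (not the VM's code or HollyGraceful's) that builds the same login query two ways against a throwaway in-memory SQLite database. The table name, column names and the two sample accounts are constructed assumptions; the write-up only shows the shape of the query. It also shows a caveat the statement hides: because AND binds tighter than OR, the injected query reads as (email=... AND password='') OR 1=1, so it matches every row in the table, even when the email is wrong. The parameterised version treats the same input as an ordinary string and matches nothing.

```python
import sqlite3

# Added example, not the VM's code. Table/column names and the sample rows are
# constructed assumptions; the write-up only shows the shape of the query.
INJECTION = "' OR 1=1 --"


def make_db():
    """Constructed sample data: two accounts in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password) VALUES (?, ?)",
        [("admin@example.com", "not-known-to-us"), ("alice@example.com", "hunter2")],
    )
    return conn


def build_vulnerable_query(email, password):
    """The flaw the write-up exploits: user input is pasted straight into the SQL text."""
    return (
        "SELECT id, email FROM users WHERE email='" + email
        + "' AND password='" + password + "'"
    )


def login_vulnerable(conn, email, password):
    """Runs the concatenated query and returns every row it matches.

    A correct login check should match at most one row; the injected input
    turns the WHERE clause into (...) OR 1=1 and matches the whole table.
    """
    return conn.execute(build_vulnerable_query(email, password)).fetchall()


def login_safe(conn, email, password):
    """Parameterised query: the driver sends the values separately from the
    SQL text, so quotes and '--' in the input are just characters in a string."""
    return conn.execute(
        "SELECT id, email FROM users WHERE email=? AND password=?",
        (email, password),
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(build_vulnerable_query("admin@example.com", INJECTION))
    print("vulnerable, known email:", login_vulnerable(conn, "admin@example.com", INJECTION))
    print("vulnerable, wrong email:", login_vulnerable(conn, "nobody@example.com", INJECTION))
    print("parameterised:", login_safe(conn, "admin@example.com", INJECTION))
```

Running it prints the concatenated statement, then two rows for the vulnerable login (with either email) and an empty result for the parameterised one. The fix is the query shape in login_safe, not input filtering: the application should never be composing SQL text out of form fields.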
SUCCESS!! It worked and we’re logged in. We can submit a new post to the site, and change the password and lock the Admin out of the site.
Yes, this is beginner stuff. However, it does help you understand how SQL statements and queries are formed from simple inputs, and what actually happens in the background when you hit 'Log In'. Understanding the theory will go very far.
In the next post I'll be using Burp Suite and a password dictionary to brute force the login page.
I just want to say thanks to Vulnhub for hosting this VM and to HollyGraceful for creating the VM. Visit her website here