[Hack The Boo] Day 3 Challenges
thank you
Reply
(October 24, 2022, 09:46 PM)lnf02 Wrote: Hey guys @Hacker2222, I found the solution for this Web challenge. It doesn't seem to be like an "easy" challenge, more like a medium challenge...

Basically you need to work with nested queries. The register API is vulnerable, due to the fact that it is using "insert" without any sanitization on the user's input, so... you need to bypass the "user already exists" check, and after that nest your real query. The thing is, you should be able to manipulate almost perfectly the password column but it is useless... BUT SQL has a built-in function to UPDATE the field where there's a "duplicated" field... Maybe you are understanding what I'm talking about, maybe you are just looking for the god damn flag (script kiddie xD)

In other words:

You need to create a query that is able to bypass the "username already exists" check and after that, check for a duplicated value with username=admin

If you really want to understand all the logic behind this SQLi, I recommend you to read this:

https://www.w3schools.com/sql/sql_union.asp
https://stackoverflow.com/questions/8043908/how-do-i-force-an-insert-into-a-table-with-a-unique-key-if-its-already-in-the-t

Here's the high-level SQLi:


Thanks!
Reply
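The post above describes a register endpoint that splices the username into an INSERT and guards duplicates with a separate "already exists" check. The following is an added example, not the challenge's own code, showing that pattern beside its hardened form against a constructed in-memory SQLite table; the table name, column names and hash values are assumptions.

```python
"""Added example (not the challenge's code): the injectable register pattern
the post describes, next to a parameterized version, on a constructed table."""
import sqlite3


def make_db():
    """Constructed fixture: a users table with a pre-existing admin row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('admin', 'HASH_PLACEHOLDER_ADMIN')")  # placeholder hash
    conn.commit()
    return conn


def register_vulnerable(conn, username, password_hash):
    """The pattern in the post: user input is part of the SQL text, and the
    duplicate check is an application-side SELECT rather than the constraint.
    Any quote in `username` changes what the statement means."""
    exists = conn.execute(f"SELECT 1 FROM users WHERE username = '{username}'").fetchone()
    if exists:
        return "user already exists"
    conn.execute(f"INSERT INTO users (username, password) VALUES ('{username}', '{password_hash}')")
    conn.commit()
    return "ok"


def register_safe(conn, username, password_hash):
    """Hardened form: bound parameters keep input as data, and the UNIQUE
    constraint (not a racy pre-check) is what rejects a duplicate username.
    A plain INSERT can never rewrite an existing row's password."""
    try:
        conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                     (username, password_hash))
        conn.commit()
    except sqlite3.IntegrityError:
        return "user already exists"
    return "ok"


def admin_hash(conn):
    """Returns the stored admin hash, so a caller can confirm it was not altered."""
    return conn.execute("SELECT password FROM users WHERE username = 'admin'").fetchone()[0]


def input_breaks_query(conn, username):
    """True when the injectable version cannot even execute for this username:
    the tell-tale sign that input is being parsed as SQL, not stored as data."""
    try:
        register_vulnerable(conn, username, "h")
    except sqlite3.Error:
        return True
    return False
```

A username containing a single quote (e.g. `o'brien`) is enough to show the difference: the injectable version fails with a SQL syntax error while the parameterized version stores it verbatim.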
thanks
Reply
Thanks guys
Reply
Thanks
Reply
Thanks
Reply
(October 24, 2022, 09:46 PM)lnf02 Wrote: Hey guys @Hacker2222, I found the solution for this Web challenge. It doesn't seem to be like an "easy" challenge, more like a medium challenge...

Basically you need to work with nested queries. The register API is vulnerable, due to the fact that it is using "insert" without any sanitization on the user's input, so... you need to bypass the "user already exists" check, and after that nest your real query. The thing is, you should be able to manipulate almost perfectly the password column but it is useless... BUT SQL has a built-in function to UPDATE the field where there's a "duplicated" field... Maybe you are understanding what I'm talking about, maybe you are just looking for the god damn flag (script kiddie xD)

In other words:

You need to create a query that is able to bypass the "username already exists" check and after that, check for a duplicated value with username=admin

If you really want to understand all the logic behind this SQLi, I recommend you to read this:

https://www.w3schools.com/sql/sql_union.asp
https://stackoverflow.com/questions/8043908/how-do-i-force-an-insert-into-a-table-with-a-unique-key-if-its-already-in-the-t

Here's the high-level SQLi:


Did you do the SQLi via Burp or directly through the web page? I created an account, grabbed the hash of the known password with sqlmap, then tried your technique but keep getting the "invalid salt" error. Any ideas?
Reply
(October 25, 2022, 01:18 AM)pL4sTiC Wrote:
(October 24, 2022, 09:46 PM)lnf02 Wrote: Hey guys @Hacker2222, I found the solution for this Web challenge. It doesn't seem to be like an "easy" challenge, more like a medium challenge...

Basically you need to work with nested queries. The register API is vulnerable, due to the fact that it is using "insert" without any sanitization on the user's input, so... you need to bypass the "user already exists" check, and after that nest your real query. The thing is, you should be able to manipulate almost perfectly the password column but it is useless... BUT SQL has a built-in function to UPDATE the field where there's a "duplicated" field... Maybe you are understanding what I'm talking about, maybe you are just looking for the god damn flag (script kiddie xD)

In other words:

You need to create a query that is able to bypass the "username already exists" check and after that, check for a duplicated value with username=admin

If you really want to understand all the logic behind this SQLi, I recommend you to read this:

https://www.w3schools.com/sql/sql_union.asp
https://stackoverflow.com/questions/8043908/how-do-i-force-an-insert-into-a-table-with-a-unique-key-if-its-already-in-the-t

Here's the high-level SQLi:


Did you do the SQLi via Burp or directly through the web page? I created an account, grabbed the hash of the known password with sqlmap, then tried your technique but keep getting the "invalid salt" error. Any ideas?


The web page should be fine. Just paste it into the username field, write whatever you want in the password field and click "register".
But make sure to leave "admin" where it is in the example to trigger the "duplicate key", and to put your hash where the example says "whatever". If it still doesn't work, you can always restart the Docker container.
Reply
(October 25, 2022, 01:28 AM)HTBContestant Wrote:
(October 25, 2022, 01:18 AM)pL4sTiC Wrote:
(October 24, 2022, 09:46 PM)lnf02 Wrote: Hey guys @Hacker2222, I found the solution for this Web challenge. It doesn't seem to be like an "easy" challenge, more like a medium challenge...

Basically you need to work with nested queries. The register API is vulnerable, due to the fact that it is using "insert" without any sanitization on the user's input, so... you need to bypass the "user already exists" check, and after that nest your real query. The thing is, you should be able to manipulate almost perfectly the password column but it is useless... BUT SQL has a built-in function to UPDATE the field where there's a "duplicated" field... Maybe you are understanding what I'm talking about, maybe you are just looking for the god damn flag (script kiddie xD)

In other words:

You need to create a query that is able to bypass the "username already exists" check and after that, check for a duplicated value with username=admin

If you really want to understand all the logic behind this SQLi, I recommend you to read this:

https://www.w3schools.com/sql/sql_union.asp
https://stackoverflow.com/questions/8043908/how-do-i-force-an-insert-into-a-table-with-a-unique-key-if-its-already-in-the-t

Here's the high-level SQLi:


Did you do the SQLi via Burp or directly through the web page? I created an account, grabbed the hash of the known password with sqlmap, then tried your technique but keep getting the "invalid salt" error. Any ideas?


The web page should be fine. Just paste it into the username field, write whatever you want in the password field and click "register".
But make sure to leave "admin" where it is in the example to trigger the "duplicate key", and to put your hash where the example says "whatever". If it still doesn't work, you can always restart the Docker container.


Right on... just took a respawn of the Docker. Thanks @lnf02 and @HTBContestant
Reply
(October 24, 2022, 09:46 PM)lnf02 Wrote: Hey guys @Hacker2222, I found the solution for this Web challenge. It doesn't seem to be like an "easy" challenge, more like a medium challenge...

Basically you need to work with nested queries. The register API is vulnerable, due to the fact that it is using "insert" without any sanitization on the user's input, so... you need to bypass the "user already exists" check, and after that nest your real query. The thing is, you should be able to manipulate almost perfectly the password column but it is useless... BUT SQL has a built-in function to UPDATE the field where there's a "duplicated" field... Maybe you are understanding what I'm talking about, maybe you are just looking for the god damn flag (script kiddie xD)

In other words:

You need to create a query that is able to bypass the "username already exists" check and after that, check for a duplicated value with username=admin

If you really want to understand all the logic behind this SQLi, I recommend you to read this:

https://www.w3schools.com/sql/sql_union.asp
https://stackoverflow.com/questions/8043908/how-do-i-force-an-insert-into-a-table-with-a-unique-key-if-its-already-in-the-t

Here's the high-level SQLi:

nice
Reply