tom/darkly
1
0
Fork 0
mirror of https://github.com/tmoron/darkly.git synced 2025-09-27 12:48:35 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
9ec822252921d3eb133f1653d751a290a5f84f00
darkly/Members_sql_injection
History
RedShip 30b2ba0738 + | Some readme flags
2025-04-08 17:18:25 +02:00
..
flag
+ | Some readme flags
2025-04-08 17:18:25 +02:00
README.md
+ | Some readme flags
2025-04-08 17:18:25 +02:00

README.md

SQL Injection to Retrieve the Flag

How We Found It

The vulnerable page was:
http://10.12.248.148/?page=member
It asked for a member ID and displayed the corresponding first name and surname. We guessed that the backend was using a SQL query like:

SELECT firstname, surname FROM users WHERE id = $user_input;

Since the user input wasnt sanitized, we tried injecting:

1 OR 1=1

Which made the WHERE clause always true and listed all users. Thats when we noticed a suspicious user called Get the flag”.

We then injected another query to list all columns in the users table, something like:

1 UNION SELECT column_name, NULL FROM information_schema.columns WHERE table_name=CHAR(117, 115, 101, 114, 115)

Here we can use the UNION to show totally different sql result from the hardcoded one in the remote machine. We also needed to add a , NULL because both SELECT of an UNION needs to have the same amount of columns shown.

Among the columns, we found commentaire and countersign. So we targeted the user with firstname='flag' and dumped their commentaire and countersign.

Final SQL Payload:

1 UNION SELECT Commentaire, countersign FROM users WHERE first_name=CHAR(70,108,97,103)

Heres what we got:

  • Commentaire: Decrypt this password -> then lower all the char. Sh256 on it and it's good !

  • Countersign: 5ff9d0165b4f92b14994e5c685cdce28

We followed the instructions, decrypted the password, lowercased it, hashed it with SHA256… and boom: we got the flag.

Utility of It

SQL injection is extremely dangerous in real-world apps. It can let attackers access, modify, or delete database content. In our case, we used it to explore the DB structure and steal sensitive info (the flag), but in the wild, it could mean full data leaks or even remote code execution.

How Can We Patch It

Never trust user input. Always use prepared statements or parameterized queries, and validate the type and format of incoming data. Dont build SQL queries by directly concatenating user-provided values.