A Practical Web Pentesting CTF Challenge — Step-by-Step Walkthrough
Summary: The article walks through a CTF attack chain: directory brute-forcing finds a hidden path that leaks login credentials; an IDOR flaw gives access to the admin panel, where the password is changed; finally an SQL injection is used to extract database information and the root flag.
2026-3-15 15:48:52 Author: infosecwriteups.com (view original) Reads: 8

Once you open the link, you are redirected to a login page at the /login endpoint. As a hacker, the first thing that comes to mind is to check for common credentials like admin:admin, admin:password, etc… but in our case none of these works. The second thing that comes to mind is to test for SQLi, trying to exploit it with different SQLi methods. But still nothing works..!😶 Now tell me, what is the next thing you would try?🤔 Write what you are thinking in the comments ✍

Exactly. If you thought of fuzzing / directory brute-forcing, you are on the right track 🛣 You can use any fuzzing tool such as dirb, gobuster or ffuf; I specifically use ffuf. The simple command I used:

ffuf -u https://ctf-lab-production.up.railway.app/FUZZ -w /home/dishant/Downloads/common.txt

Here I used the common.txt wordlist; you can use whatever you like.

As we can see, it successfully identified a path called /credentials.txt.


see /credentials.txt file

Now visit the path, grab the credentials 😉 and use them to log in to the website. After login you will see this page:


Wow Hint 🤩

Tell me in the comments, did you get the hint?… Yes, you are right 👍 The admin is the person who manages everything 👨‍💼 Now think: how can you get to the admin panel? Which bugs can you try?


Did you get anything from the image below?


Look carefully 👀 What can you do?

Nice, you are correct 👏 Here you can test for IDOR. You can intercept the request in Burp and test for IDOR, but you can also test it without even opening Burp. Just change the {id} parameter in /profile/{id} and find where the admin sleeps 😴 After finding the admin's space you will see this type of interface:


admin panel accessed through IDOR 😱

Now tell me, what is the next thing you can do to access the admin panel?🤔 Doesn't the change-password functionality come to mind? Let's use it: set a new password as the admin 😜 After changing the password, let's try to log in to the admin panel 🧐 After entering the email and password you simply log in to the admin panel:


admin panel accessed ✅

Did you see the user.txt flag 🎌? Just copy it and save it to submit later.
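As an added example, not code from the write-up or the lab, here is how the /profile/{id} and change-password handlers look once they carry the authorization check the IDOR was missing; the User class, USERS store and Forbidden exception are assumed names, and the accounts and passwords are constructed sample values.

```python
# Added example, not code from the write-up or the CTF lab: a minimal
# authorization layer for /profile/{id} and the change-password flow.
from dataclasses import dataclass
import hmac

@dataclass
class User:
    id: int
    email: str
    role: str       # "user" or "admin"
    password: str   # constructed plaintext for the demo; real apps store a hash

# Constructed sample accounts. In the lab, the admin was reached by editing {id}.
USERS = {
    1: User(1, "admin@example.test", "admin", "old-admin-pass"),
    2: User(2, "player@example.test", "user", "player-pass"),
}

class Forbidden(Exception):
    """Raised where the app should answer 403 instead of serving the record."""

def get_profile(requester_id: int, target_id: int) -> dict:
    # The IDOR trusted {id} from the URL. Fix: tie the object to the session
    # identity, and require an admin role to read other users' profiles.
    requester = USERS[requester_id]
    if requester.role != "admin" and requester_id != target_id:
        raise Forbidden("profile belongs to another user")
    target = USERS[target_id]
    return {"id": target.id, "email": target.email, "role": target.role}

def change_password(requester_id: int, target_id: int,
                    current_password: str, new_password: str) -> bool:
    # Same ownership check, plus re-proving the current password, so a session
    # that reached another account's page cannot silently rotate its credential.
    if requester_id != target_id:
        raise Forbidden("cannot change another user's password")
    user = USERS[target_id]
    if not hmac.compare_digest(user.password, current_password):
        raise Forbidden("current password does not match")
    user.password = new_password
    return True

def allowed(fn, *args) -> bool:
    # True if the call succeeds, False if the authorization layer blocked it.
    try:
        fn(*args)
        return True
    except Forbidden:
        return False
```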

Now the best part is coming: how to identify SQLi? OK, hoping you have already tried it, let's click on Users in the sidebar menu. Did you see any parameter? No, I know there is no parameter, so where are you going to find the SQLi?


Is there any parameter?

So here is the best part: just clicking on everything and capturing the requests in Burp Suite will be very helpful. If you don't have Burp, you can still find it from Developer tools -> Network tab. Open developer tools, go to the Network tab, then click on page no. 2. You will see this:


Did you see the request?
Here is the request:
https://ctf-lab-production.up.railway.app/admin/?search=&length=10&start=10

Here you can see multiple parameters that make requests directly to the backend, so they might be vulnerable…! Let me tell you: in this request the “search” parameter is vulnerable to SQLi. You can try multiple approaches to test it: manually, with sqlmap, or with the ghauri tool. It is easy and sometimes fast as well. So here is the sqlmap command that does the testing; use it as you wish.

The following command tests the “search” parameter and performs basic enumeration: which database the website is using, its version information, the payload that worked, etc.

sqlmap -u "https://ctf-lab-production.up.railway.app/admin/?search=&length=10&start=10" \
-p search \
--dbs \
--batch \
--cookie="player_token=__Replace__; session=__Replace__"

To enumerate the list of tables we make a simple modification:

sqlmap -u "https://ctf-lab-production.up.railway.app/admin/?search=&length=10&start=10" \
-p search \
--tables \
--batch \
--cookie="player_token=__Replace__; session=__Replace__"

To dump a specific table we use the following command:

sqlmap -u "https://ctf-lab-production.up.railway.app/admin/?search=&length=10&start=10" \
-p search \
-T table_name \
--batch \
--cookie="player_token=__Replace__; session=__Replace__" \
--dump

My little suggestion to my readers: before running each command blindly, make a small effort to understand why each command is written the way it is and what it means, because I made this mistake when I first learned about sqlmap and I hope you don't repeat it.
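To see why the search parameter was injectable and what the fix looks like, here is an added example (not code from the write-up or the lab) that rebuilds the admin user listing behind /admin/?search=&length=&start= over an in-memory SQLite table, first with string concatenation and then with bound parameters; the users table and its columns are assumptions.

```python
# Added example, not code from the write-up or the lab: the admin user
# listing rebuilt over in-memory SQLite, injectable shape first, then the fix.
# Table and column names are assumptions.
import sqlite3

def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, email TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "admin@example.test", "admin"),    # constructed rows
        (2, "alice@example.test", "user"),
        (3, "bob@example.test", "user"),
    ])
    return con

def list_users_vulnerable(con, search: str, length: int, start: int) -> list:
    # String concatenation: whatever arrives in "search" becomes SQL grammar.
    sql = ("SELECT email FROM users WHERE email LIKE '%" + search + "%' "
           "ORDER BY id LIMIT " + str(length) + " OFFSET " + str(start))
    return [row[0] for row in con.execute(sql)]

def list_users_safe(con, search: str, length: int, start: int) -> list:
    # Bound parameters keep "search" as data; length/start are coerced to
    # bounded integers; LIKE wildcards are escaped so % or _ cannot widen
    # the match beyond what the caller literally typed.
    length = max(1, min(int(length), 100))
    start = max(0, int(start))
    escaped = (search.replace("\\", "\\\\")
                     .replace("%", "\\%")
                     .replace("_", "\\_"))
    sql = ("SELECT email FROM users WHERE email LIKE ? ESCAPE '\\' "
           "ORDER BY id LIMIT ? OFFSET ?")
    return [row[0] for row in con.execute(sql, ("%" + escaped + "%", length, start))]

def probe(fn, con, search: str):
    # Row count, or "sql error" when the input broke the statement: an error
    # on a lone quote is the first signal a scanner such as sqlmap looks for.
    try:
        return len(fn(con, search, 10, 0))
    except sqlite3.OperationalError:
        return "sql error"
```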


Root flag 🤗

That's it..! Easy, I think… Let me know in the comments which category, hard, medium or easy, you would put this CTF challenge in. Hope you learned something new from this challenge. I will see you in the next amazing writeup; till then, have fun 😊

bye 👋


Source: https://infosecwriteups.com/a-practical-web-pentesting-ctf-challenge-step-by-step-walkthrough-2c2bc2d63ef7?source=rss----7b722bfd1b8d--bug_bounty