dexter@aeron7.com

Sql Injection & Cgl Vulnerablity

Step 1: Find an admin account

Find pages

To find an access, we try many injections in the form fields (GET method is easier). We can see that the news reader (news.cgi) accepts one parameter named “story”. By injecting a dot and null byte (.%00), we can see this:

1

Once ordered, here is the information we get this following structure of the main web directory. A hacker must observe the web directories well to infiltrate the website and have to search well for pages containing Form’s vulnerability with SQL injection, if it contains PERL script which is modifiable and most which server gives an upload option generally have to give permission to the directory such that it is writable unless how can we upload the data. Now we have to check that what other things are there in the directory:

Text files
1.news2.news3.news4.news

news.txt

people.txt

robots.txt

Web pages
about.htmlindex.htmlindex.phplogin.html
Cgi scripts
adserver.cgiindex.cgimoderator.cginews.cgi

people.cgi

search.cgi

Htaccess
.htaccess.htaccess.bak
Javascripts
ad.jshead.js
Directories
ad_pool/classes/errors/finance/

include/

mail/

partners/

yweb/

Images
blank.gifblank.pngfinance-active.pngfinance.png

login.png

logo.ico

mail-active.png

mail.png

news-active.png

news.png

people.png

search-active.png

search-button.png

search.png

signup.png

tile.png

yweb-active.png

yweb.png

In addition, source code shows additional information:
2

administrator.cgiblank-active.png

index.txt

logo.png

people.html

people-active.png

strict.pm

webpermit/

Read source code of Perl scripts


1

 

 

 

 

 

 

 

We are going to use the discovered vulnerability in the news reader (news.cgi?story=) to read moderator.cgi. Goto http://www.hackthissite.org/missions/realistic/14/news.cgi?story=moderator.cgi%00. You
2

 

 

 

 

 

 

 

should see this:

By scrolling down, we see this test. If the function “isadmin” is not protected, the string “isadmin” should enable to grant an admin access.

Go to that

page: http://www.hackthissite.org/missions/realistic/14/moderator.cgi1

Login as admin

From the welcome page, access the authentication form:

http://www.hackthissite.org/missions/realistic/14/login.html

And log in using following credentials:

  • Username: webguy
  • Password: reallyreallylongpasswordthatisveryveryveryhardtoguessorcrack

That works! Mission completed

About the Author

Aloha, I'm Amit Ghosh, a web entrepreneur and avid blogger. Bitten by entrepreneurial bug, I got kicked out from college and ended up being millionaire and running a digital media company named Aeron7 headquartered at Lithuania.

Related Posts

Basic Mission 1   I can call you a pretty dumb as per you are now viewing the walkthrough for...

Basic Mission 2   I can again call you a pretty dumb as per you are now again viewing the walk...

Basic Mission 3   Have a look at the source code of that page and have you noticed the form section?...

One Comment
 
  1. jhhh April 8, 2017 at 11:22 pm Reply

    what do you mean by the function isadmin not being protected? why would that string make the function return a true value? im so confused.

Leave a Reply