Click on the link and you’ll be brought to this beautiful website where some Nazis are rallying.
When you first enter this website you’ll see two posts.
These two posts hold some similarities in structure. You can see that they both have a bold title followed by a “posted by someUser”, a horizontal rule, then the actual post below.
This tells me that the site is drawing details from a database such as MySQL.
Inspect the site and find the login portal
As usual, right-click and inspect the page!
Then right-click the <body> tag and expand all.
Now, scroll down and skim over the code until you find something that stands out.
Perhaps this “update” link? It has been colored black against a black background! If you highlight the page, you’ll find it hidden!
Hack the login page using SQL Injection
Now that you’ve found update.php, you’ll be faced with a login form.
Remember earlier, I mentioned this site probably runs on MySQL?
We should try some SQL injection. Use the following payload in both the username and password boxes:
' or 1=1--
Finally, click submit!
How Login SQLi Works
SQL injection works by exploiting SQL queries involving user input. A simple PHP login form using SQL will look like so:
<?php
// The form values are dropped straight into the query string: this is the injection point.
$username = $_POST['username'];
$password = $_POST['password'];
$query = "select username, password from users where username='$username' and password='$password'";
$result = mysql_query($query);       // legacy mysql_* extension (removed in PHP 7)
$rows = mysql_fetch_array($result);  // first matching row becomes the "logged in" user
if ($rows) {
    echo "Successful.";
}
When a user submits their username, it is passed into $query through the $username variable, which is set from the form posted on the webpage. Now, if a user inputs ' or 1=1--, the query selects the username and password from the users table where username is equal to '' or 1=1, which is always true, and the -- comments out the rest of the query, including the password check. This will grab the first row from the table and use it as the login details for the current session.
The first row in a users table is usually the person who created it: Mr Admin.
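To see that behaviour end to end, here is an added example (not code from the original post) that rebuilds the lookup in Python with an in-memory SQLite table standing in for the site's MySQL users table; the two rows in it are constructed sample data. It runs the page's payload against the string-built query from the PHP snippet and against a parameterized query, which is the fix.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the site's "users" table (sample data, not from the page).
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.executemany("insert into users values (?, ?)",
                     [("admin", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Mirrors the PHP snippet: user input is glued straight into the SQL string."""
    query = ("select username, password from users "
             f"where username='{username}' and password='{password}'")
    row = conn.execute(query).fetchone()  # first matching row, like mysql_fetch_array
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened form: placeholders keep the input as data, never as SQL syntax."""
    query = "select username, password from users where username=? and password=?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    payload = "' or 1=1--"  # the payload used on the page
    return {
        "vuln_real": login_vulnerable(conn, "bob", "hunter2"),
        "vuln_payload": login_vulnerable(conn, payload, payload),   # "admin": first row
        "safe_real": login_parameterized(conn, "bob", "hunter2"),
        "safe_payload": login_parameterized(conn, payload, payload),  # None: no such user
    }


if __name__ == "__main__":
    print(demo())
```

With the string-built query the payload logs in as the first row (admin) without knowing any password; with placeholders the same input simply matches no user.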