Hacking Series Part 18

Challenge: Phonebook

97108
3 min readMar 15, 2021

--

Category: web security

We are given an instance of a website that requires us to login when we navigate to it. There is a message indicating that there is a new update with how users can login and it is posted by someone who is likely an admin of the website.

After scanning the website, I first noticed that there is a reflected XSS vulnerability that exists with the message parameter in the URL leading to the login page. You could enter an img tag with JavaScript in the onerror attribute and the JavaScript would execute, which means there is little to no filtering. After several attempts, I realized that I could not exploit this in a meaningful way so I had to look for other options.

The real vulnerability exists in the way that the login credentials are processed in the back end and in the database. Since we know that there is likely a user named “Reese” that has an account, I entered variations of the name as the username. Since we do not know the password, I entered “*” in for the password.

An asterisk is sometimes used as a wildcard that returns all entries in a database/filesystem. For example, if I want to get a list of usernames that start with “A” but end with anything else, I could enter “A*” into my query for usernames. In this case, if I want to return all passwords associated with the username “reese”, I would enter “reese” as the username and “*” as the password.

This worked and brought me to another page that implements a basic search functionality for a phone book.

In the search query I entered a space character, which returned the results above. After looking through the data, I found nothing interesting in particular, which meant that the flag was probably the real password to the username “reese”.

To figure out the real password, you can input a single letter of the alphabet then append “*” to the end of it. If you are successfully logged in, that means the letter you chose was the first letter of the real password. If you are not logged in, then you can choose another letter and try again…

--

--

97108

Written by 97108

316 Followers

I like to make things.

More from 97108

See all from 97108

Lists

A phone with a tweet on it describing a deepfake video of the Ukrainian president, with a labeled fake image in the background

AI Regulation

6 stories138 saves

ChatGPT prompts

24 stories454 saves

ChatGPT

21 stories179 saves

Generative AI Recommended Reading

52 stories272 saves
See more recommendations

Help

Status

Writers

Blog

Careers

Privacy

Terms

About

Text to speech

Teams