Challenges | Without password | Cycubix Docs
Can you login as Larry?
Solution
Intercept the request with ZAP or Burp.
If we modify the password, we get a response saying there is a Java SQL exception.
The Java SQL exception tells us that we have a SQL injection. We will try to change the password accordingly.
We can use an 'OR' statement to make the condition return true, thereby bypassing the authentication check.
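Why the login behaves this way, and how the query should be built instead, shown as an added example that is not WebGoat's code or part of the original write-up. It uses Python with an in-memory SQLite database as a stand-in for the Java backend; the table, column names, function names and sample values are assumptions constructed for the demo.

```python
import sqlite3

# Constructed test inputs: a lone quote breaks the SQL text, the second adds an OR condition.
LONE_QUOTE = "'"
OR_CONDITION = "' OR '1'='1"

def make_db():
    # Constructed sample data; plaintext password only to keep the demo short.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('larry', 'constructed-secret')")
    return db

def login_concatenated(db, username, password):
    # Vulnerable pattern: request values become part of the SQL statement itself.
    query = ("SELECT 1 FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return db.execute(query).fetchone() is not None

def login_parameterized(db, username, password):
    # Hardened pattern: placeholders keep request values as data, never as SQL.
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None

def outcome(login, db, username, password):
    # A real handler should log the driver error server-side and return a
    # generic failure; echoing it to the client is what exposed the flaw here.
    try:
        return "accepted" if login(db, username, password) else "rejected"
    except sqlite3.Error:
        return "sql-error"

if __name__ == "__main__":
    db = make_db()
    for name, login in (("concatenated", login_concatenated),
                        ("parameterized", login_parameterized)):
        for pw in ("wrong", LONE_QUOTE, OR_CONDITION, "constructed-secret"):
            print(f"{name:13} password={pw!r:22} -> {outcome(login, db, 'larry', pw)}")
```

With the concatenated query the lone quote produces a SQL error and the OR condition is accepted as a valid login; the parameterized query rejects both and accepts only the real password.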