Challenges | Without password | Cycubix Docs
Can you login as Larry?

Solution
Intercept the request with ZAP or Burp.


If we modify the password, we get a response saying there is a Java SQL exception.


The Java SQL exception tells us that we have a SQL injection, so we change the password value accordingly.
We can use the 'OR' statement to make the condition return true, thereby bypassing the authentication check.
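The two observations above (a quote in the password causes a SQL error, and an 'OR' condition makes the check true) both come from building the query by string concatenation. The following is an added example, not the challenge's own code: it uses Python's sqlite3 instead of Java, and the table, column names, password value and function names are assumptions made for illustration. It shows the concatenated query next to the parameterized form that removes the flaw.

```python
import sqlite3

def make_db():
    # Constructed in-memory table; schema and credentials are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('Larry', 'constructed-secret')")
    return db

def login_vulnerable(db, username, password):
    # Input is concatenated into the SQL text, so a quote in the input
    # changes the structure of the statement itself.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        # Echoing this error to the client is what reveals the flaw.
        return "error"
    return "granted" if row else "denied"

def login_safe(db, username, password):
    # Placeholders keep input as data; quotes and OR are compared literally.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return "granted" if row else "denied"

# Constructed inputs matching the two steps of the walkthrough.
STRAY_QUOTE = "x'"            # unbalanced quote: the statement no longer parses
TAUTOLOGY = "x' OR '1'='1"    # OR binds looser than AND: WHERE is always true

if __name__ == "__main__":
    db = make_db()
    for label, pw in [("wrong", "wrong"), ("quote", STRAY_QUOTE),
                      ("tautology", TAUTOLOGY)]:
        print(label, login_vulnerable(db, "Larry", pw),
              login_safe(db, "Larry", pw))
```

With the parameterized query the same inputs are simply wrong passwords, and returning a generic failure message instead of the database exception removes the signal seen in the intercepted response.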

