Bypassing addslashes() using format string to get SQL Injection | Baby-sql @ HackTheBox

Глубокое погружение в JavaScript
Views: 36
Upload date: 29.11.2023 08:14
Duration: 00:07:13
Category: Technology and Internet

Description

Baby sql is a Medium difficulty Web challenge from @HackTheBox. In this video we are going to exploit a format string vulnerability in order to bypass the PHP addslashes() function and obtain SQL Injection against the target.

=== Timestamp ===
00:00 Intro
00:44 Source code analysis
01:36 Creating a local copy of the script to debug
02:02 Hosting with PHP the debug page and testing that it works
02:23 Testing the behaviour of the program
02:45 Documenting about the addslashes() PHP function
03:23 Documenting about the vsprintf() PHP function
03:44 Format string 101
04:08 Discovering a format string vulnerability
04:28 Finding a way to bypass addslashes() and evade the query
04:55 Searching a suitable SQL Injection attack
05:31 Failing to dump tables because error-based subquery returns more than 1 row
05:27 Dumping tables, rows and the final flag
06:45 Outro

If you enjoyed the video leave a like and subscribe to my channel!
For writeups in text format or other articles related to Ethical Hacking go to my blog: https://maoutis.github.io/
---
Would you like to support my work? Offer me a virtual coffee :)
https://www.buymeacoffee.com/0xbro

Check out my socials:
Twitter: https://twitter.com/0xbro1
Linkedin: https://www.linkedin.com/in/mattia-0xbro-brollo-b4129614b/
