|
CRIP EATIN BREAD posted:username: admin '
doesn't work in the password field, only the username field
CRIP EATIN BREAD posted:' OR 1=(SELECT name FROM sqlite_master WHERE type='table');
wrong username
suffix posted:does expanding the backtrace give you more of the surrounding code?
i can click on any of those statements and it gives me code. first statement gives me: code:
line 91 is stmt = SQLite3::Statement.new( self, sql )
|
# ? Feb 3, 2016 02:07 |
|
you should just start a twitch stream or something
|
# ? Feb 3, 2016 02:09 |
|
treasure bear posted:admin' OR 1=1 time
For the username field you will actually have to add the username.
|
# ? Feb 3, 2016 02:11 |
|
/usr/src/app/web.rc please expand that
|
# ? Feb 3, 2016 02:11 |
|
I could but 90% of it would be me umming and erring and I don't think that'd be entertaining unless someone wanted to get on a call with me to explain poo poo
|
# ? Feb 3, 2016 02:11 |
|
expand the lines from web.rb, that should be the stuff we need to hack
|
# ? Feb 3, 2016 02:12 |
|
yeah gently caress sinatra poo poo also there was some poo poo in /home/pi/Documents post that code as well
|
# ? Feb 3, 2016 02:14 |
|
OSI bean dip posted:/usr/src/app/web.rc
MrMoo posted:For the username field you will actually have to add the username.
did that, got 1 line of code back in the backtrace code:
believe me when I say that I'm actually trying commands in between posting to see if I can figure out a step before posting
i think the next step is to somehow either drop the table, or find a way to print the password or see if we can print other users
i may be incredibly wrong though
my syntax is probably all wrong
|
# ? Feb 3, 2016 02:21 |
|
I have no security expertise, or anything to add to this thread really, I just wanted to say this is both an extremely pro thread and an even more pro yosmas gift. voted
|
# ? Feb 3, 2016 02:23 |
|
vodkat posted:I have no security expertise, or anything to add to this thread really, I just wanted to say this is both an extremely pro thread and an even more pro yosmas gift.
agreed. this is actually teaching me something, which is probably the best thing
wish i was smarter so i could figure more things out by myself though
|
# ? Feb 3, 2016 02:25 |
|
for the username, try: ' OR 1=1; --
|
# ? Feb 3, 2016 02:25 |
|
we might be able to just make up our own user by injecting the appropriate sql... let's see..
maybe something like
username: ' UNION SELECT 1 as id, 'admin' as username, '$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa' as password_digest --
password: my password
e: this should make the final sql something like "SELECT id, username, password_digest FROM users WHERE username='' UNION SELECT 1 as id, 'admin' as username, '$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa' as password_digest -- '"
we start with "'" to close the string, inject an extra row with union, and then start a comment with "--" to discard the original ending "'"
i tested it in the sqlite3 cli code:
suffix fucked around with this message at 02:32 on Feb 3, 2016 |
# ? Feb 3, 2016 02:27 |
|
password:code:
CRIP EATIN BREAD fucked around with this message at 02:33 on Feb 3, 2016 |
# ? Feb 3, 2016 02:29 |
|
you probably don't want to risk messing up the existing data if that can be avoided
i think sqlite lets you use multiple queries just separated by semicolons
edit: yeah
|
# ? Feb 3, 2016 02:30 |
|
treasure bear posted:you probably don't want to risk messing up the existing data if that can be avoided
probably a good idea
|
# ? Feb 3, 2016 02:31 |
|
something happened something happened
|
# ? Feb 3, 2016 02:33 |
|
hope you loving unlatched it
|
# ? Feb 3, 2016 02:33 |
|
or bricked it
|
# ? Feb 3, 2016 02:34 |
|
CRIP EATIN BREAD posted:hope you loving unlatched it
hope the front latch was shut and the servo burnt out
|
# ? Feb 3, 2016 02:34 |
|
Migishu posted:something happened
|
# ? Feb 3, 2016 02:35 |
|
YES! what code did it?
|
# ? Feb 3, 2016 02:35 |
|
CRIP EATIN BREAD posted:password:
i don't think that will work, since the documentation at https://github.com/sparklemotion/sqlite3-ruby says
quote:By contrast, the other means of executing queries will only execute the first statement in the string, ignoring all subsequent statements
you could do it in a subquery though
|
# ? Feb 3, 2016 02:35 |
|
WE GOT SOME STICKERS AND SOME BOOZE
i'm the purr programmer sticker
thank you once again cocoa crispies, this was a bomb rear end gift.
now to figure out how to lock it out
CRIP EATIN BREAD posted:YES!
code:
|
# ? Feb 3, 2016 03:03 |
|
Migishu posted:WE GOT SOME STICKERS ... is that a netapp "rectal use only" sticker? wat
|
# ? Feb 3, 2016 03:07 |
|
Also if you want to play around with it http://pb.bf1c.us/
|
# ? Feb 3, 2016 03:11 |
|
source: https://github.com/bkerley/puzzlebox/
Migishu posted:now to figure out how to lock it out
ssh pi@10.219.219.1 password: ErpafRoan
backing out the configuration changes in https://learn.adafruit.com/setting-up-a-raspberry-pi-as-a-wifi-access-point/install-software will help you get it on your own wifi
disable hostapd and isc-dhcp-server services in systemd, fix /etc/network/interfaces, and i think it's a wpa-supplicant file to put your wifi info in
e: also the pi is just velcro'd in, but most of the other stuff is glued on
|
# ? Feb 3, 2016 03:14 |
|
Cocoa Crispies posted:source: https://github.com/bkerley/puzzlebox/
you're awesome- this is cool as poo poo
|
# ? Feb 3, 2016 03:21 |
|
this thread owned goldmine
|
# ? Feb 3, 2016 03:30 |
|
we did it migishu ur a true hacker now
|
# ? Feb 3, 2016 03:46 |
|
good present, good thread, well done everyone
|
# ? Feb 3, 2016 03:48 |
|
i'm probably going to keep it mostly as it is. going to find a way to code in the lock sequence in the admin page and keep stuff in it
this was cool as hell and i learned something, and i have that yearning to learn more
|
# ? Feb 3, 2016 03:54 |
|
non-prepared sql statements ftw
|
# ? Feb 3, 2016 04:08 |
|
CRIP EATIN BREAD posted:non-prepared sql statements ftw
fun fact: binding parameters in the sqlite3 c api is way easier than concatenating strings together in c
|
# ? Feb 3, 2016 04:12 |
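Added example, not from any poster in the thread and not from the puzzlebox source: the same login lookup built by string concatenation and with a bound parameter, run against the UNION-row username quoted earlier in the thread. Assumptions: Python's built-in sqlite3 module stands in for the app's Ruby sqlite3 gem, PBKDF2 with a fixed demo salt stands in for bcrypt, and all function names and the sample row are constructed for illustration.

```python
import hashlib
import hmac
import sqlite3


def digest(password):
    # Assumption: stdlib PBKDF2 with a fixed demo salt stands in for bcrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 10_000).hex()


def make_db():
    # Constructed sample data; columns follow the SELECT quoted in the thread.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_digest TEXT)")
    db.execute("INSERT INTO users (username, password_digest) VALUES (?, ?)",
               ("admin", digest("real admin password")))
    return db


def check(row, password):
    # Both logins verify the password against whatever digest the query returned.
    return row is not None and hmac.compare_digest(row[2], digest(password))


def login_concatenated(db, username, password):
    # Vulnerable: the username becomes part of the SQL text, so a quote in it
    # closes the string literal and the remainder is parsed as SQL.
    sql = "SELECT id, username, password_digest FROM users WHERE username='" + username + "'"
    return check(db.execute(sql).fetchone(), password)


def login_bound(db, username, password):
    # Hardened: the username is bound to a placeholder and only compared as a value.
    sql = "SELECT id, username, password_digest FROM users WHERE username=?"
    return check(db.execute(sql, (username,)).fetchone(), password)


def union_row_username(chosen_password):
    # Username of the shape posted in the thread, carrying a digest the submitter computed.
    return ("' UNION SELECT 1 as id, 'admin' as username, '"
            + digest(chosen_password) + "' as password_digest -- ")


if __name__ == "__main__":
    db = make_db()
    name = union_row_username("my password")
    print("concatenated:", login_concatenated(db, name, "my password"))
    print("bound:       ", login_bound(db, name, "my password"))
```

With the bound parameter the whole submitted string is looked up as a literal username, no row matches, and the password check never sees a submitter-supplied digest.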
|
this was great
|
# ? Feb 3, 2016 04:18 |
|
I don't know anything about programming but wanted to say that this was a freaking rad gift.
|
# ? Feb 3, 2016 04:30 |
|
Cocoa Crispies posted:fun fact: binding parameters in the sqlite3 c api is way easier than concatenating strings together in c
yeah the sqlite3 api is really good. i ported some poo poo for it on an ancient (re: early 1990's codebase) and i ended up doing a lot of work in the sqlite api because it made poo poo so much easier/safer
|
# ? Feb 3, 2016 04:33 |
|
CRIP EATIN BREAD posted:this thread owned
|
# ? Feb 3, 2016 04:42 |
|
good thread and gift am real jealous!
|
# ? Feb 3, 2016 06:30 |