webPromedium

PulseDesk — Blind SQL Injection in Password Reset Token Extraction

hackadvisor

Task: PulseDesk support platform with password reset feature; hidden /api/v1/auth/password-policy endpoint uses token in unsanitized SQL LIKE query creating a boolean oracle. Solution: exploit blind SQLi with binary search on UNICODE(SUBSTR(...)) to extract admin's reset token character by character, then reset admin password and access the secret API master key.

$ ls tags/ techniques/

sqlite sqli nodejs express binary_search blind_sqli password_reset boolean_based uuid token_extraction admin_access

binary_search_extractionboolean_based_blind_sqlipassword_reset_token_theftlike_injectionunicode_substr_extraction

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 188 — PulseBoard — Host Header Injection in Password Reset— hackadvisor
[web][Pro]Lab 118 — FlowDesk — Predictable Password Reset Token— hackadvisor
[web][Pro]Lab 226 — LiveDesk — SQL Injection via WebSocket Message Search— hackadvisor
[web][Pro]PulseOps — Insecure Deserialization in Config Import— hackadvisor
[web][Pro]Lab 326 — PulseBoard — NoSQL Injection in Authentication— hackadvisor