webPromedium

Lab 82 — PixelVault — SQL Injection via User-Agent in Activity Logging

hackadvisor

Task: Photo management platform with activity logging that stores User-Agent header directly in MariaDB via non-parameterized INSERT. Decoy flags in HTML comments mislead scanners. Solution: Time-based blind SQL injection via User-Agent header during login, using IF(condition, SLEEP(), NULL) in the datetime column of the INSERT statement, binary search extraction of flag from app_secrets table.

sqli mysql php header_injection nginx user_agent blind_sqli insert_injection decoy_flag mariadb time_based_blind activity_logging

binary_search_extractiontime_based_blind_sqlisqli_via_user_agent_headerdecoy_flag_avoidanceinsert_statement_injection

$ ls tags/ techniques/

sqli mysql php header_injection nginx user_agent blind_sqli insert_injection decoy_flag mariadb time_based_blind activity_logging

binary_search_extractiontime_based_blind_sqlisqli_via_user_agent_headerdecoy_flag_avoidanceinsert_statement_injection

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

Sign in with GitHub, Discord, or Google to continue. No email required.

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 49 — PixelVault — Stored XSS via Malicious SVG Upload— hackadvisor
[web][Pro]Lab 39 — PixelVault — RCE via ImageMagick Filename Command Injection— hackadvisor
[web][Pro]Lab 314 — PixVault — ExifTool DjVu RCE via Image Upload— hackadvisor
[web][Pro]Lab 202 — WikiVault — AngularJS Client-Side Template Injection (XSS)— hackadvisor
[web][Pro]Lab 233 — PulseAPI — Regex Auth Bypass via Query String Injection— hackadvisor