A1 - Remotely perform the SQLi #253

Closed
ball4me opened this issue May 31, 2019 · 7 comments
ball4me commented May 31, 2019

I'm trying to exploit the SQLi remotely, but when I perform the dump after successfully exploiting the vulnerability, it returns no entries in the 'Users' table. But if I exploit it locally, it returns the entries properly.
I also noticed that I'm not able to register a user when accessing remotely via web browser. When I call the registration page, I get:

  • "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:3000/register. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing)."

Are there any configs that I have to change to be able to use the LAB remotely?
@rafaveira3 rafaveira3 self-assigned this May 31, 2019
@rafaveira3
Contributor

Hey, @ball4me! Would you mind posting here the request you are having trouble with? I can add some echo configuration to enable CORS, but I am not sure yet if that would help in your situation.

@ball4me
Author

ball4me commented May 31, 2019

@rafaveira3 thanks for the quick response.

POST /register HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:3000/
Content-Type: application/json
Content-Length: 48
Connection: keep-alive

{"user":"asdasd","pass":"asd","passcheck":"asd"}

I can only add the user if I make this request at localhost.
Dumping entries from the db doesn't work either... it only works at localhost.

@rafaveira3
Contributor

Hmm, thanks for the info, @ball4me

Unfortunately, I am not able to reproduce your issue here. Would you mind checking if this new branch fixes your problem? If so, we can merge it to master via #254 ! 🙃

@ball4me
Author

ball4me commented May 31, 2019

Nope, didn't work, @rafaveira3.
I managed to get the registration and login functions working by setting my server address in app/view/form.html, replacing:
XHR.open('POST', '//localhost:3000/login');
with
XHR.open('POST', '//myserveraddress:3000/login');

Now these 2 functions are working, but the dump still returns empty when done remotely. SQLmap log:

Localhost:
Database: a1db Table: Users [2 entries]
Remote:
Database: a1db Table: Users [0 entries]
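
The CORS error and the form.html workaround described above, as an added example that is not part of the original thread or the project's code: it resolves the hard-coded XHR target against the page URL the way a browser does and compares origins. The helper names and page URLs are assumptions, and `myserveraddress` is the placeholder host from the comment above.

```javascript
// Added example (not project code). Page URLs below are constructed samples.

// Resolve an XHR target as the browser does: relative to the page's URL.
// A protocol-relative target ('//host:port/path') inherits only the scheme.
function resolveTarget(target, pageUrl) {
  return new URL(target, pageUrl);
}

// Same origin means scheme, host and port all match. Anything else is a
// cross-origin request and needs an Access-Control-Allow-Origin response
// header before the browser lets the page read the reply.
function isSameOrigin(target, pageUrl) {
  return resolveTarget(target, pageUrl).origin === new URL(pageUrl).origin;
}

// Hypothetical helper: derive the endpoint from the page's own origin so the
// form keeps working wherever the app is served from, with no CORS changes.
function endpointFor(path, pageUrl) {
  return new URL(path, new URL(pageUrl).origin).href;
}

function demo() {
  const hardCoded = '//localhost:3000/login';
  return {
    // Page opened on the lab host itself: target and page share an origin.
    local: isSameOrigin(hardCoded, 'http://localhost:3000/'),
    // Page opened from another machine: 'localhost' is now the visitor's
    // own machine, so the request is cross-origin and hits the wrong host.
    remote: isSameOrigin(hardCoded, 'http://myserveraddress:3000/'),
    // Origin-relative endpoint: always points back at the serving host.
    fixed: endpointFor('/login', 'http://myserveraddress:3000/'),
  };
}

console.log(demo());
```

In the page itself the same effect comes from passing a path-only target such as `'/login'` to `XHR.open`, which the browser resolves against the page's origin.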

@rafaveira3
Contributor

Hmm, your issue is probably related to how SQLmap is communicating with your DB. I am assuming that after registering and logging in you are able to view this entry manually in MySQL server via CLI.

Have you tried exploiting this vulnerability using manual queries besides using SQLmap? I can't think of a payload at this moment but I plan to work on this in the near future (#81). 🙃

@ball4me
Author

ball4me commented Jun 3, 2019

I was able to get the entries from the database by adding the parameter "--fresh-queries" to SQLmap.
Thanks for helping.

@ball4me ball4me closed this as completed Jun 3, 2019
@rafaveira3
Contributor

Not a problem! Feel free to open any other issues if needed. 😃
