Task 21 Answers — Advent of Cyber 2022 [Day 16] Secure Coding | SQLi’s the king, the carolers sing

Open the Link by Adding your Machine IP – http://<Machine-IP>.p.thmlabs.com/

Credentials:

1. What is the value of Flag1?

We can reasonably assume that the website expects an integer id to be sent

To avoid injections, we can convert whatever the user inputs in the id parameter to an integer. So for this purpose, we will be using the intval() function.

This function will take a string and try to convert it into an integer. If no valid integer is found on the string, it will return 0, which is also an integer Let’s Open search-toys.phpand change the Parameters

Change the $_GET['id'] to intval($_GET['id']) Everywhere on the elf.php File

Ans: THM{McCode, Elf McCode}

2. What is the value of Flag2?

First, we will modify our initial query by replacing any parameter with a placeholder indicated with a question mark (?).

This will tell the database we want to run a query that takes two parameters as inputs. The query will then be passed to the mysqli_prepare() function instead of our usual mysqli_query().

mysqli_prepare() will not run the query yet but will indicate to the database to prepare the query with the given syntax. This function will return a prepared statement.

MySQL needs to know the value to put on each placeholder we defined before. So we can use the mysqli_stmt_bind_param() function to attach variables to each placeholder.

This function requires you to send the 2 Function Parameters!!

The first parameter should be a reference to the prepared statement to which to bind the variables.

The second parameter is a string composed of one letter per placeholder to be bound, where letters indicate each variable’s data type. Since we want to pass two strings, we put "ss" in the second parameter, where each “s” represents a string-typed variable. You can also use the letters “i” for integers or “d” for floats

$q = "%".$_GET['q']."%";
$query="select * from toys where name like ? or description like ?";
$stmt = mysqli_prepare($db, $query);
mysqli_stmt_bind_param($stmt, 'ss', $q, $q);
mysqli_stmt_execute($stmt);
$toys_rs=mysqli_stmt_get_result($stmt);

Ans: THM{KodeNRoll}

3. What is the value of Flag3?

We also Have to Change the Parameters here on toys.php

Change the Below Parameter $_GET[‘id’];

To intval($_GET[‘id’]); on Everywhere in the toys.php File

Ans: THM{Are we secure yet?}

4. What is the value of Flag4?

Adding Username, Password parameters with a placeholder indicated with a question mark (?) and the rest of them are same as we did on the 2nd Question, We are Adding the username and password parameter to the mysqli_stmt_bind_param method and Executing it!!

Modify the Above code as Below Code!!

<?php
require_once("connection.php");
session_start();

if(isset($_POST[‘username’]) && isset($_POST[‘password’])){
$username=$_POST[‘username’];
$password=$_POST[‘password’];
$query=”select * from users where username=? and password=?”;
$stmt = mysqli_prepare($db, $query);
mysqli_stmt_bind_param($stmt, ‘ss’, $username, $password);
mysqli_stmt_execute($stmt);

$users_rs=mysqli_stmt_get_result($stmt);

Now, Run!!

Ans: THM{SQLi_who???}

Thank you for Reading!!

Happy Hacking ~

Queries:

THM , TryHackMe , TryHackMe Advent of Cyber 2022 , TryHackMe Advent of Cyber 4 Day 16, Ethical Hacking , Write up , Walk through , TryHackMe Advent of Cyber 2022 Day 16 Answers