• University of California, Berkeley

• COMPSCI 61C

CS 161 Proj 3 Write up

Flag 1: dev

I was able to find the password in the comments upon inspecting the element of the webpage. As seen below.

<!-- Demo Login/Password: Username = 'dev', Password = 'we-love-security' --> == $0

Flag 2: ip.txt

“Renamed” Password.txt file to ip.txt, “Opened” it on machine, put 161.161.161.161 as content, deleted existing file on the server, uploaded edited ip.txt, shared with cs161.

Flag 3: shomil

' UNION SELECT md5_hash FROM users WHERE username='shomil'--

On entering this into the List files “Search for a file: ______” we obtain shomil 's password hash

Search results for ' UNION SELECT md5_hash FROM users WHERE username='shomil'--

7f3af3a3ffd282bc516d4c45efa9112d Open Share Rename

ip.txt Open Share Rename

Suggestion:

To prevent such an SQL injection attack, we can use parameterized queries or prepared statements instead of being able to user input SQL queries. We can also clean user input to remove any characters that could be used for SQL injection.

Flag 4: nicholas

We will edit the session token with SQL injection