shane.blog Just Some Things

TIL: Injection


Today I Learned:

I studied for over 10 hours today! I learned quite a bit and did a lot of review. One of the most fun things I learned at HackTheBox was this:

Using Burp Suite's Repeater (as one method; you could also use cURL, etc.), you can send the following:

 username=admin&password[$ge]=0 

Along with changing the content type to:

 application/x-www-form-urlencoded 

to attempt injection. It won’t work on most web servers because of the brackets, but if a REST API is active, it may work, effectively turning the request into JSON:

{ "username" : "admin", "password" : {"$ge":"0"} }

This won’t work every time as it really depends on the code, but it was something very cool to learn.
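To see why the bracketed field ends up as an object and how a server can refuse it, here is an added example (not from the original post or from HackTheBox). `parseExtendedForm` and `validateLogin` are hypothetical helpers, and the sample request bodies are constructed.

```javascript
// Added example. parseExtendedForm is a hypothetical, minimal stand-in for a
// framework's "extended" form parser: it handles one level of key[sub]=value.
function parseExtendedForm(body) {
  const out = Object.create(null); // no prototype, so "__proto__" is just a key
  for (const [rawKey, value] of new URLSearchParams(body)) {
    const m = /^([^\[\]]+)\[([^\[\]]+)\]$/.exec(rawKey);
    if (!m) {
      out[rawKey] = value; // ordinary field: stays a string
      continue;
    }
    const [, name, sub] = m;
    if (typeof out[name] !== 'object') out[name] = Object.create(null);
    out[name][sub] = value; // bracket field: becomes a nested object
  }
  return out;
}

// Defensive check (hypothetical helper): credentials must be plain strings
// before they are handed to any query builder.
function validateLogin(fields) {
  for (const key of ['username', 'password']) {
    if (typeof fields[key] !== 'string') {
      return { ok: false, reason: `${key} must be a string` };
    }
  }
  return { ok: true };
}

// Constructed sample bodies; the second is the request from the post.
const samples = [
  'username=admin&password=hunter2',
  'username=admin&password[$ge]=0',
];

for (const body of samples) {
  const fields = parseExtendedForm(body);
  console.log(body, '->', JSON.stringify(fields), validateLogin(fields));
}
```

The type check is the part that matters: it rejects the request before the nested object can reach whatever code builds the lookup.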

Today I also learned about Xmind and Obsidian. Check them out, they are pretty cool!


By Shane