How's it going, everybody? My name is John Hammond, and we're still looking at the LASA CTF capture-the-flag competition that's going on this week. The challenge that I'm looking at right now is "Client Side", and the prompt is: Kyle didn't think his login form was secure enough, so we added JavaScript. Smart, right? It's a web challenge. It's talking about JavaScript, so it's client-side stuff. Let's see if it has a vulnerability. It probably should, considering it is a CTF challenge.

All right, so it's just a simple login field, if you can see it here. We have username and password fields, and it does give us the login.php source, which displays all this jazz. But if we actually view the source with Ctrl+U, we can see it's including stuff, making a SQLite... okay, so we know we're working with SQLite. It does a MySQL query, and we notice it's just including these username and password as unescaped variables. So we should be able to do probably a little bit of SQL injection.

But let's see what the JavaScript actually is. If I Ctrl+U to view the source of this page, we can see it does have a check_valid function that's actually being run once we submit this login form, and the login form is going to login.php rather than the current page. So obviously it has to, with testing with this regular expression, it has to just be a through z, etc., etc., blah blah blah. So I can get through with like anything, but it's not the right password, obviously; we don't know what the correct password is. But we want to be able to do some SQL injection. We'd want to be able to be like "or 1=1" and then comment out the rest of the query, right? Because the password doesn't really matter, but this JavaScript gets in the way. And just to verify, we wanted to look at SQLite. Was that the database?

Yeah, SQLite 3. SQLite comment... okay, SQLite comments begin with two consecutive hyphen characters. So rather than the pound symbol it would just be backslash backslash, but JavaScript is in the way, so we have to get around that. We have to actually write some code in our case; it'll be able to do that for us. So it should be a client-side... I already have it written in my ape one, but I'll write it in get_flag.py, and I'll make this visible so we can see it. Let's get started.

Let's get a little shebang line, usr, and I'm gonna do this with the requests module. So let's actually grab an address for one thing, and let's make that request. So let's return a response object. We'll do requests.get for now; we'll just do the address, and we'll print out response.text. Okay, and we get the HTML page just as we had before. So now let's actually supply some data to it and see what happens. Let's post to address, and let's supply data = username equals anything and password equals anything. It looks like it wants this on separate lines just for the PEP 8 standard. Is that what it wants? Let's just bring this all to one, just a space character in here, and then we'll close all of our stuff just like that. What's the matter? Okay, cool. That's the correct PEP 8 standard. So now we can run this, and we still get this HTML page, because remember, when you look at the source here, this is actually going to login.php, not the current page. So we'll have to change our address to login.php. Now when we run this we get our "login failed", which is perfect, but since JavaScript's not in our way, we can actually go through with our SQL injection, right?

So remember, when you actually look at the PHP source, what we're looking at here is injecting name = username, and it's just delimiting these SQL terms with a single quote. So we can supply our username, actually using double quotes here to represent the string, and we'll use single quotes to denote the beginning and end of our SQL statement, and we'll use our "or 1=1", and since we want a SQL comment, we'll use our two comment hyphens there. Now when we run this, hey, we are logged in, and our flag is this. So let's scrape that out. There's our flag. strip(), oh, and now let's actually remove that dash. Cool, so there's our flag. To make this executable in our terminal: get_flag, and it runs just fine for us. There is our flag. We can go ahead and submit it and get some more points. 70, 70 points. Good stuff. Cool.

Thanks for watching, guys. Real simple thing: just avoiding JavaScript, actually automating a request and HTTP response and request, well, in Python, just using the requests module, and doing a little SQL injection. Cool. Thanks again for watching, guys. Hope you enjoyed it, and I'll see you in a later video.
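As an added example (not code from the video or from the challenge), here is the server-side half of what the walkthrough shows, in Python against an in-memory SQLite table with constructed data: the login query built by string concatenation the way the login.php source does, beside the parameterised form. The client-side check_valid regex never runs for a direct POST, so only the server-side query decides what the `' OR 1=1 --` username does; the table contents and password below are placeholders, not the challenge's.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the challenge's SQLite database (example schema
    # and rows, not the CTF's); the password is a placeholder, not the flag.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('kyle', 'placeholder-password')")
    return db


def login_concat(db, username, password):
    """Mirrors login.php: user input is spliced straight into the SQL text.

    A username of  ' OR 1=1 --  turns the statement into
        SELECT name FROM users WHERE name='' OR 1=1 --' AND password='...'
    In SQLite everything after -- is a comment, so the password clause
    disappears and the first row matches.
    """
    sql = ("SELECT name FROM users WHERE name='" + username +
           "' AND password='" + password + "'")
    return db.execute(sql).fetchone() is not None


def login_param(db, username, password):
    """Hardened form: bound parameters, so the quote and -- are just data."""
    sql = "SELECT name FROM users WHERE name=? AND password=?"
    return db.execute(sql, (username, password)).fetchone() is not None


def demo():
    # Same payload the walkthrough sends; only the concatenated query yields.
    db = make_db()
    payload = "' OR 1=1 --"
    return {
        "concat_real": login_concat(db, "kyle", "placeholder-password"),
        "concat_inject": login_concat(db, payload, "anything"),
        "param_real": login_param(db, "kyle", "placeholder-password"),
        "param_inject": login_param(db, payload, "anything"),
    }


if __name__ == "__main__":
    for case, logged_in in demo().items():
        print(f"{case:14} -> {'logged in' if logged_in else 'login failed'}")
```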