Rating:
# Wolf Howl
### Author: Kai-En Wang (kwang23)
### Team: MISTER MILK SQUAD IN THE HOUS
**Vulnerability**
The login requirement is actually a distraction from the main vulnerability, residing in the artist lookup. Writing any qutoes in the text box will output an error relating to SQL syntax, revealing that SQL injection may be possible, and that there is an extra " appended to our statement.
**Step 1**
Testing the classic injection of:
" or ""=""; #
(Modified to comment out the extra " at the end) it prints out all the artists in the database.
**Step 2**
Next step is to find the names of all the databases and see if one has login info. A simple "SHOW TABLES;" does not work because either the backend seems to insert data into an object with Artist, Album, and Track. To find database names, we will do the original injection code above unioned with data from information_schema.tables:
"!="" UNION SELECT table_name,"","","" FROM information_schema.tables; #
**Step 3**
Through trial and error it was found that the table we're selecting from has 4 columns, so we match that by using three empty columns and selecting table_name. One table in particular, employee seems promising. To find information about that table's columns, we modify our above code to be:
"!="" UNION SELECT column_name,"","","" FROM information_schema.columns WHERE table_name = 'employee'; #
**Step 4**
Now with all the column names, we can retrieve Email and Password columns to get credentials with:
"!="" UNION SELECT Email,Password,"","" FROM employee; #
This will display the login credentials of multiple employees. Using them on the login page will yield the flag.