Description
Perform an SQL injection on the host tokenizer.edu.stf (10.124.1.239).
First, I used Nmap to scan for open ports:
Open Ports: 22, 80, 5432
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 7e:85:4a:9f:e9:70:ed:e7:80:ca:0d:3a:f4:6b:8d:ff (RSA)
| 256 fa:68:91:c4:1f:dc:be:f2:5d:22:ba:be:25:90:c2:bb (ECDSA)
|_ 256 2a:16:b9:fd:68:2a:48:c2:b6:2b:34:d3:5d:1c:89:1c (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Test auth Server
5432/tcp open postgresql PostgreSQL DB 12.14 - 12.18
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2021-02-08T11:04:29
|_Not valid after: 2031-02-06T11:04:29
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 341.69 seconds
Next, I used dirsearch to scan for directories and files:
┌──(kali㉿kali)-[~/Downloads]
└─$ dirsearch --url http://tokenizer.edu.stf/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/kali/Downloads/reports/http_tokenizer.edu.stf/__25-09-06_06-25-52.txt
Target: http://tokenizer.edu.stf/
[06:25:52] Starting:
[06:26:02] 403 - 282B - /.ht_wsr.txt
[06:26:02] 403 - 282B - /.htaccess.bak1
[06:26:02] 403 - 282B - /.htaccess.orig
[06:26:02] 403 - 282B - /.htaccess.sample
[06:26:02] 403 - 282B - /.htaccess.save
[06:26:02] 403 - 282B - /.htaccess_extra
[06:26:02] 403 - 282B - /.htaccess_orig
[06:26:02] 403 - 282B - /.htaccessOLD
[06:26:02] 403 - 282B - /.htaccessBAK
[06:26:02] 403 - 282B - /.htaccessOLD2
[06:26:02] 403 - 282B - /.htaccess_sc
[06:26:02] 403 - 282B - /.htm
[06:26:02] 403 - 282B - /.html
[06:26:02] 403 - 282B - /.htpasswd_test
[06:26:02] 403 - 282B - /.htpasswds
[06:26:02] 403 - 282B - /.httr-oauth
[06:26:05] 403 - 282B - /.php
[06:26:39] 200 - 26B - /check.php
[06:26:40] 200 - 2KB - /composer.lock
[06:26:40] 200 - 62B - /composer.json
[06:27:24] 301 - 324B - /samples -> http://tokenizer.edu.stf/samples/
[06:27:24] 200 - 608B - /samples/
[06:27:25] 403 - 282B - /server-status
[06:27:25] 403 - 282B - /server-status/
[06:27:39] 200 - 504B - /vendor/
[06:27:39] 200 - 0B - /vendor/autoload.php
[06:27:39] 200 - 0B - /vendor/composer/autoload_classmap.php
[06:27:39] 200 - 0B - /vendor/composer/ClassLoader.php
[06:27:39] 200 - 0B - /vendor/composer/autoload_real.php
[06:27:39] 200 - 0B - /vendor/composer/autoload_static.php
[06:27:39] 200 - 0B - /vendor/composer/autoload_namespaces.php
[06:27:39] 200 - 0B - /vendor/composer/autoload_psr4.php
[06:27:39] 200 - 2KB - /vendor/composer/installed.json
[06:27:39] 200 - 1KB - /vendor/composer/LICENSE
The webpage displays an interface with functionality to generate tokens.