ORM LEAK 01

Bookmarked!

This exercise covers how to exploit a simple ORM leak.

PRO
Tier
Medium
1-2 Hrs.
47
API Badge

In this lab, your objective is to obtain the hashed password of the admin user from a Django application. This challenge is inspired by an article from Elttam, which explores vulnerabilities in Django's ORM. You will need to leverage query functions such as password__contains and password__starts_with to leak the password hash.

Once you successfully extract the hash, which begins with pbkdf2_ and includes alphanumeric characters along with =, /, $, and _, you can use this hash as the key for the challenge. This exercise aims to teach you how to automate the exploitation process to retrieve sensitive information effectively. By completing this lab, you will gain practical experience in identifying and exploiting ORM leaks in Django applications.

Want to learn more? Get started with PentesterLab Pro! GOPRO