1. Find the account of Gary Hunter (I don’t know his account name).

The first objective is to find Gary Hunter’s account name. After playing around with the site you come across a user info page. Now you could sit there and guess the username all day, but we don’t want to do that. How about we try some SQL injection first?

Bingo… SQL injection works, and there is a list of usernames:

GaryWilliamHunter : — $$$$$ –

Now you know his username.

2. Move the $10,000,000 into the account dropCash

So what do we do with this? Well, let’s register and log in. After you register and log in, check your cookies and you should see the following:

What happens if you change the accountUsername value from your username to GaryWilliamHunter? Nothing really, but after you change it, try to do an account transfer to dropCash for 10000000.

You will notice you were able to move the money. It seems the cookie was how the application knew who you were, and since we changed it to GaryWilliamHunter we were able to trick the application into thinking we are him.

3. Clear The Logs, They’re held in the folder ‘logFiles’.

When we log into the application we notice a button that says “Clear files in Personal Folder”. This is a clear indication to me that this button invokes a method that deletes things. So let’s look at the source:

It seems that the cleardir.php file takes the variable dir=MetroSQLFiles.

So if we change MetroSQLFiles to logFiles, this should delete the log files.

The easiest way to do this is to use Tamper Data. This is a Firefox add-on that lets you see the POST variables and change them before they are submitted. There are other ways, and some of my other tutorials show them, but hopefully if you have gotten this far you have some understanding of what you are doing.
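
Steps 2 and 3 both work because the server acts on a value the client controls (the accountUsername cookie, the dir field). The PHP below is an added example, not the challenge site's code: it puts that weak pattern next to a version that takes identity and the target folder from server-side session state. Function names, the user alice, the balances and the folder map are assumptions.

```php
<?php
// Added example: hypothetical handlers, not the challenge site's code.
// From the page: accountUsername, GaryWilliamHunter, dropCash, dir, logFiles.
// Assumed: all function names, the user "alice", balances and the folder map.

// Weak pattern: the debited account is whatever the client cookie claims.
function transferWeak(array &$accounts, array $cookie, string $to, int $amount): bool {
    return moveFunds($accounts, $cookie['accountUsername'] ?? '', $to, $amount);
}

// Hardened: the debited account comes from server-side session state set at
// login; the cookie value is never consulted.
function transferHardened(array &$accounts, array $session, string $to, int $amount): bool {
    return moveFunds($accounts, $session['user'] ?? '', $to, $amount);
}

function moveFunds(array &$accounts, string $from, string $to, int $amount): bool {
    if (!isset($accounts[$from], $accounts[$to]) || $amount <= 0 || $accounts[$from] < $amount) {
        return false;
    }
    $accounts[$from] -= $amount;
    $accounts[$to] += $amount;
    return true;
}

// Hardened folder clearing: the target is looked up from the session user, and
// a posted dir that differs from it is refused (null) instead of acted on.
function clearTarget(array $session, array $post, array $folders): ?string {
    $own = $folders[$session['user'] ?? ''] ?? null;
    return ($own !== null && ($post['dir'] ?? $own) === $own) ? $own : null;
}

// Constructed request: the session belongs to "alice", client values were edited.
$accounts = ['GaryWilliamHunter' => 10000000, 'alice' => 50, 'dropCash' => 0];
$session  = ['user' => 'alice'];
$cookie   = ['accountUsername' => 'GaryWilliamHunter'];
$folders  = ['alice' => 'aliceFiles'];

$copy = $accounts; // separate ledger so the two handlers start from the same state
var_dump(transferWeak($copy, $cookie, 'dropCash', 10000000));          // cookie names the source
var_dump(transferHardened($accounts, $session, 'dropCash', 10000000)); // session names the source
var_dump(clearTarget($session, ['dir' => 'logFiles'], $folders));      // edited dir field
var_dump(clearTarget($session, ['dir' => 'aliceFiles'], $folders));    // user's own folder
```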