SQLi Payload Attack Investigation

Objective Summary

An online banking platform experienced a data breach, with customer data leaked on a darknet forum. The investigation focused on determining how the attacker first got in through the company's public website. By analyzing the web server access log, I identified that the attacker used a specific User-Agent (the FFUF fuzzer) to perform a brute-force attack on the login page and later to send a SQL injection payload. To understand the attack's impact, I used Wireshark to inspect the network traffic capture, where I recovered the password guessed by the successful brute-force attempt. Following the HTTP stream reconstructed the full client–server interaction and exposed the CTF flag that the attacker's SQL injection pulled from the database.

Tools Used

  • Access.log (web server log analysis)

  • Wireshark (network traffic capture and analysis)

Skills Learned

  • Analyzing web server logs to detect brute‑force attempts and SQL injection payloads.

  • Interpreting attacker User‑Agent strings to identify tooling.

  • Using Wireshark to capture and examine HTTP traffic related to a breach.

  • Following HTTP streams in Wireshark to reconstruct request–response pairs.

  • Extracting compromised credentials and locating the CTF flag pulled from the database.

Opened the access.log file on the desktop and located the attacker's User-Agent, which identified the tool as FFUF v2.1.0.

The attacker brute-forced /login.php.

The attacker sent a SQL injection payload to /changeusername.php.
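To make the three log-analysis steps above reproducible, here is an added example in Python (my own, not part of the original write-up) that runs the same checks over a few constructed access.log lines: flag requests whose User-Agent names a fuzzing or brute-force tool, count POSTs to /login.php per source IP as a brute-force signal, and decode the query string of /changeusername.php requests and match it against common SQL injection patterns. The log lines, IPs, timestamps, the exact FFUF User-Agent string and the convention that a failed login returns 401 while a successful one redirects are all assumptions for illustration.

```python
import json
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed sample in Apache/Nginx "combined" log format. IPs, timestamps, the
# FFUF User-Agent text and the status codes are assumptions, not the lab's real log.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2025:10:01:01 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.168.1.50 - - [12/Mar/2025:10:02:11 +0000] "POST /login.php HTTP/1.1" 401 512 "-" "Fuzz Faster U Fool v2.1.0"
192.168.1.50 - - [12/Mar/2025:10:02:11 +0000] "POST /login.php HTTP/1.1" 401 512 "-" "Fuzz Faster U Fool v2.1.0"
192.168.1.50 - - [12/Mar/2025:10:02:12 +0000] "POST /login.php HTTP/1.1" 401 512 "-" "Fuzz Faster U Fool v2.1.0"
192.168.1.50 - - [12/Mar/2025:10:02:12 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Fuzz Faster U Fool v2.1.0"
192.168.1.50 - - [12/Mar/2025:10:05:40 +0000] "GET /changeusername.php?username=admin'%20UNION%20SELECT%201,flag%20FROM%20secrets--%20- HTTP/1.1" 200 2048 "-" "Fuzz Faster U Fool v2.1.0"
10.0.0.7 - - [12/Mar/2025:10:06:00 +0000] "GET /changeusername.php?username=bob HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# One combined-format line: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# User-Agent substrings that identify common attack tooling (ffuf, sqlmap, hydra, ...).
TOOL_UA_RE = re.compile(r"ffuf|fuzz faster u fool|sqlmap|hydra|gobuster|nikto|dirbuster", re.I)

# Rough SQL injection indicators applied to the URL-decoded query string.
SQLI_RE = re.compile(
    r"'|\bunion\b.+\bselect\b|\bor\b\s+\d+\s*=\s*\d+|--|/\*|\bsleep\s*\(|\bbenchmark\s*\(",
    re.I,
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            events.append(e)
    return events


def tool_user_agents(events):
    """Map each tool-looking User-Agent string to the number of requests it made."""
    return dict(Counter(e["ua"] for e in events if TOOL_UA_RE.search(e["ua"])))


def brute_force_candidates(events, path="/login.php", threshold=3):
    """Per source IP, count POSTs to the login page and note the first non-failure reply.

    Assumption: the application answers a wrong password with 401/403 and a correct one
    with a redirect, so the first non-4xx POST is the likely successful guess. Confirm
    the actual password from the packet capture, not from the log alone.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "failed": 0, "possible_success_ts": None})
    for e in events:
        if e["method"] != "POST" or e["path"].partition("?")[0] != path:
            continue
        c = per_ip[e["ip"]]
        c["attempts"] += 1
        if e["status"] in (401, 403):
            c["failed"] += 1
        elif c["possible_success_ts"] is None:
            c["possible_success_ts"] = e["ts"]
    return {ip: c for ip, c in per_ip.items() if c["failed"] >= threshold}


def sqli_hits(events, path="/changeusername.php"):
    """Decode the query string of requests to `path` and flag SQL injection patterns."""
    hits = []
    for e in events:
        url_path, _, query = e["path"].partition("?")
        if url_path != path or not query:
            continue
        decoded = unquote_plus(query)  # %20 -> space, + -> space, %27 -> ' etc.
        if SQLI_RE.search(decoded):
            hits.append({"ip": e["ip"], "ts": e["ts"], "ua": e["ua"], "decoded_query": decoded})
    return hits


def investigate(text):
    """Run all three checks over raw log text and return one report dict."""
    events = parse_log(text)
    return {
        "tool_user_agents": tool_user_agents(events),
        "brute_force": brute_force_candidates(events),
        "sqli": sqli_hits(events),
    }


if __name__ == "__main__":
    print(json.dumps(investigate(SAMPLE_LOG), indent=2))
```

Run it against a real access.log by passing the file contents to `investigate()`; the regex assumes the combined format, so adjust `LOG_RE` if the server uses a custom LogFormat. Note that the log only shows that the login brute force stopped failing, not which password worked, which is why the capture is needed next.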

While the log showed evidence of the attack, it did not reveal which user account was compromised or what data was taken. Wireshark was used to examine the network traffic capture.

In Wireshark, the successful brute-force login used the password astrongpassword123.

Right-clicking the packet and choosing Follow > HTTP Stream reconstructed the full request and response between the client and server, which exposed the CTF flag. The flag was stored in the database the attacker queried through the SQL injection.

© 2025. All rights reserved.