0xdf
In the "jq Injection [Jason - Hacky Easter 2023]" video, the speaker walks through solving "Jason", a jq injection challenge from the Hacky Easter 2023 event. After trying command injection and SQL injection without success, the speaker discovers that the challenge is jq injection. They then explain how to use jq to extract a specific key from a JSON blob, using jq's "keys" function to return a list of keys and then looping through them until the target key is found. The speaker praises jq as a valuable tool for working with large volumes of JSON data.
In this section of the video, the speaker talks about a jq injection challenge called "Jason" that was part of the Hacky Easter 2023 event. The challenge involves finding a flag that has been hidden in an information service created by Jason. The challenge accepts inputs for street, name, surname, city, country, and cooking. The speaker takes us through their process of trying to break the challenge by attempting command injection and SQL injection, but these attempts are unsuccessful. Finally, the speaker tries double square brackets, which reveals the output "Jason". At this point they realize that the challenge is jq injection and try to enumerate the keys.
In this section of the video, the speaker explains how they use jq to extract a specific key from a JSON blob. They first save the entire JSON blob as a variable and then use jq's "keys" function to return a list of keys. They then access the keys by index and loop through them until they find the target key, which leads them to the flag. The speaker notes that they initially believed they couldn't start with a pipe in jq, but they discovered that adding a space and a dot resolved the issue. Additionally, they found that jq's "tostring" function can simplify the process by converting the entire JSON blob to a string. The speaker praises jq as a useful tool for working with large volumes of JSON data.
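The defensive side of the technique summarized above, as an added example that is not from the video or the challenge: it assumes the service pasted a user-supplied field name into the jq program text, and contrasts that with a fixed program that receives the field through jq's `--arg`. The function names, `record.json` and the sample inputs are constructed for illustration.

```python
import re

# Assumption: the service selects one of these fields from a JSON record.
ALLOWED_FIELDS = {"street", "name", "surname", "city", "country"}
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
FIXED_PROGRAM = ".[$f]"  # never changes, whatever the user sends


def vulnerable_program(field: str) -> str:
    """Assumed weak pattern: user input becomes part of the jq program text."""
    return "." + field


def hardened_argv(field: str, path: str = "record.json") -> list:
    """Fixed program; the field is bound with --arg, so jq treats it as a string."""
    if field not in ALLOWED_FIELDS:
        raise ValueError("field not allowed: %r" % field)
    return ["jq", "--arg", "f", field, FIXED_PROGRAM, path]


def is_plain_field(value: str) -> bool:
    """True only for a bare identifier; pipes, brackets, spaces and dots fail."""
    return IDENTIFIER.fullmatch(value) is not None


def review(values):
    """Return (value, weak program text, verdict) for each submitted field name."""
    rows = []
    for v in values:
        try:
            hardened_argv(v)
            verdict = "accepted"
        except ValueError:
            verdict = "rejected" if is_plain_field(v) else "rejected, jq syntax"
        rows.append((v, vulnerable_program(v), verdict))
    return rows


# Constructed inputs modelled on the functions the summary mentions.
SAMPLES = ["city", "notes", "city | keys", "city | tostring", "[]"]

if __name__ == "__main__":
    for row in review(SAMPLES):
        print(row)
```

In the weak form the submitted text changes which jq program runs; in the hardened form the program is always `.[$f]` and a value outside the allowlist never reaches jq.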