Web – Empire1

Empire1 - 400pt

Challenge

Psst, Agent 513, now that you're an employee of Evil Empire Co., try to get their secrets off the company website. https://2019shell1.picoctf.com/problem/27357/ (link) Can you first find the secret code they assigned to you? or http://2019shell1.picoctf.com:27357

Hints

Pay attention to the feedback you get
There is very limited filtering in place - this to stop you from breaking the challenge for yourself, not for you to bypass.
The database gets reverted every 2 hours if you do break it, just come back later

Solution

The first thing we notice when we open the homepage is the register and login pages, but they don't seem to be vulnerable to SQL injection, so we create a user and log in. Let's look at the create-todo page: if we inject a simple ' into a todo we get an internal server error, so we know we can probably inject SQL. In fact, if we try a simple a' OR '1'='1 the query is executed and in the todo list we can see the output 1.

If we play a little with queries we will find that a good way to inject a query is “a' || (some_query) || 'b”. Now we have to find some information about the database; to do that we have to understand which DBMS is being used. We try to select from information_schema, which is MySQL, but it doesn't work; if we try sqlite_master it works, so we print some information and then we can start printing the good stuff. The challenge description clearly tells us to find our secret, so if we print the secret column of every user selected by id we will find ours, and with it our flag: picoCTF{wh00t_it_a_sql_inject9899be1a}
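As an added illustration (not the challenge's own code), here is the string-concatenation pattern that makes the “a' || (some_query) || 'b” payload work in SQLite, beside the parameterized form that stores the same input as plain text. The users/todos tables and the sample secret are constructed assumptions standing in for the challenge schema.

```python
import sqlite3

# Constructed sample payload in the shape the writeup describes: a quote
# closes the string literal and '||' appends a subquery's result to it.
PAYLOAD = "a' || (SELECT secret FROM users WHERE id = 1) || 'b"


def make_db():
    # Constructed in-memory schema: a per-user "secret" column and a todos table.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT);
        CREATE TABLE todos (id INTEGER PRIMARY KEY, user_id INTEGER, item TEXT);
        INSERT INTO users VALUES (1, 'agent513', 'picoCTF{constructed_sample_secret}');
    """)
    return db


def last_todo(db):
    return db.execute("SELECT item FROM todos ORDER BY id DESC LIMIT 1").fetchone()[0]


def add_todo_vulnerable(db, user_id, item):
    # Vulnerable: user input is pasted into the SQL text, so SQLite evaluates
    # the concatenation expression and stores the subquery's value in the todo.
    db.execute(f"INSERT INTO todos (user_id, item) VALUES ({int(user_id)}, '{item}')")
    return last_todo(db)


def add_todo_safe(db, user_id, item):
    # Hardened: parameter binding keeps the input as data; the literal payload
    # text is stored verbatim and no subquery runs.
    db.execute("INSERT INTO todos (user_id, item) VALUES (?, ?)", (user_id, item))
    return last_todo(db)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", add_todo_vulnerable(db, 1, PAYLOAD))
    print("safe:      ", add_todo_safe(db, 1, PAYLOAD))
```

The vulnerable call returns the secret wrapped in a/b, which is exactly the feedback channel the hints refer to; the safe call returns the payload string unchanged.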

