Rating:

# Santa's No Password Login System (Web)

Hi CTF player. If you have any questions about the writeup or challenge. Submit a issue and I will try to help you understand.

Also I might be wrong on some things. Enjoy :)

(P.S Check out my [CTF cheat sheet](https://github.com/flawwan/CTF-Candy))

![alt text](1.png "Chall")

The website looks like this:

![alt text](2.png "Chall")

Nothing interesting in the source of the website.

![alt text](3.png "Chall")

With this information I am certain we should either inject stuff in the Referer header or the user agent header.

I tried fuzzing the Referer with common user agents but no luck there. Moving on to the user agent header.

First I wrote my own fuzz tool to target the user-agent header. No fun in using ZAP:p.

Script available here [script.py](script.py)

After a few seconds the program stopped and said:

```
[y] Success, ' or '1'='1
```

Now it says welcome instead of access denied. This means we have a sql injection.

Let's verify it with ZAP.

![alt text](5.png "Chall")

![alt text](4.png "Chall")

Cool. Let's fire up `sqlmap` and dump the tables.

### Using SQLmap to target User-Agent.

```
$ sqlmap -u "http://199.247.6.180:12003/" --level 3 --random-agent --dbs
```

* This will use a random user agent as the sqlmap user agent was blocked by the server.
* level 3 is used to target the Referer and user-agent header.

Running the script we can speed things up by pressing [CTRL-C] as sqlmap will first try to exploit the Referer header. We know the sqli is in the user-agent field. Now press [n] for next parameter which will be our user-agent.

![alt text](6.png "Chall")

Cool we have the databases for the mysql database.

Now we can dump the tables of db.

![alt text](7.png "Chall")

And then we dump the columns of the uas table.

![alt text](8.png "Chall")

And finally we dump the content of the uas table.

![alt text](9.png "Chall")

Original writeup (https://github.com/flawwan/CTF-Writeups/blob/master/XMAS2018/Santa's%20No%20Password%20Login%20System/writeup.md).