Cyber Talents New Year CTF — Note Checker SQLi Challenge

cyber guy

Hey Hunters!! This Cyber Talents CTF was crazy and exciting, especially the Note Checker challenge: it was semi-hard but a lot of fun, so let's get into the write-up. When I first opened the server it looked very simple. The website told me there were three users, user, admin and hacker, and each user prints a different message, so in my opinion this wasn't as important as understanding the back-end logic.

So you will ask: how can I understand the application logic? The answer is simply to understand how the application works. First I checked whether the application had other users by doing some fuzzing, but it did not have any. Then I checked whether the application could print more than one user's message, and it did not. Then I tested whether the application prints an SQL error when I break the query by adding a single quote ( ' ), for example, and it printed an error. From the error I found that the DBMS was SQLite, so I read about SQLite and its syntax.

After that I did some parameter fuzzing on the URL and didn't find any other parameters, so I started testing queries. First I tried boolean-based SQLi with ' OR 1=1; -- but unfortunately the back end strips any spaces. So I tried two things. First I tried concatenation using + like in JavaScript, but it doesn't work everywhere, which means you can't use it throughout a full query, only once. Then I remembered a technique I had used to bypass a firewall on a penetration test: using a multi-line comment instead of spaces (it is also a tamper script in SQLMap named space2comment). I tried this and BINGO! it works. So I tried '/**/1=1; -- and it retrieved the user at index 0, which is admin, and his comment. From that I knew I couldn't dump the tables or the columns using boolean-based SQLi.

So I thought of two methods: UNION-based SQLi, or using ; to end the current query. First I tried ending the current query by adding ;, but unfortunately the back end doesn't allow that. Then, before I started testing UNION-based SQLi, I checked two things: first, the maximum number of characters you can enter in one query, and second, the number of columns.

First I checked the front end and found that the maximum is 20 characters; then I tried typing longer queries and found that the back end only reads the first 20 characters. So I took a rest and thought about it, and then my friend suggested testing HTTP Parameter Pollution. I fired up the challenge again, tried it, and it really works.
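From the defender's side, the two tricks in this and the previous paragraph leave distinctive marks in a web server's access log: one parameter name repeated several times in a single request, and /**/ sitting inside parameter values where a space would normally be. The following Python is an added example, not part of the write-up, that flags both over a few constructed log lines; the log format, the /check path, the IP addresses and the indicator names are my assumptions, while the request payloads reuse the shapes shown in this write-up.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (not from the challenge). The request targets reuse the
# payload shapes from the write-up so the rules below have something to match on.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2022:10:00:01 +0000] "GET /check?q=admin HTTP/1.1" 200 312
10.0.0.5 - - [01/Jan/2022:10:00:07 +0000] "GET /check?q='/**/1=1;-- HTTP/1.1" 200 298
10.0.0.5 - - [01/Jan/2022:10:00:19 +0000] "GET /check?q='/**/UNION/**/SELECT&q='a',sql,'b'/**/&q=from/**/(sqlite_master)&q=limit/**/1,1-- HTTP/1.1" 200 540
10.0.0.9 - - [01/Jan/2022:10:01:02 +0000] "GET /check?q=hacker HTTP/1.1" 200 305
"""

# Common-log-format request line: client IP, then the quoted "METHOD target HTTP/x.y" part.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# An inline SQL comment used where whitespace would be expected.
COMMENT_RE = re.compile(r"/\*.*?\*/")


def inspect_query(query):
    """Return the indicator names found in one decoded query string."""
    pairs = parse_qsl(query, keep_blank_values=True)
    findings = []
    # A parameter the application expects once but receives repeatedly: the HTTP
    # parameter pollution shape the write-up used to get past a per-value length cap.
    if any(count > 1 for count in Counter(name for name, _ in pairs).values()):
        findings.append("repeated-parameter")
    values = [value for _, value in pairs]
    # /**/ standing in for spaces: a filter that only strips spaces lets this through.
    if any(COMMENT_RE.search(value) for value in values):
        findings.append("inline-comment-whitespace")
    # A direct reference to SQLite's schema table from user-supplied input.
    if any("sqlite_master" in value.lower() for value in values):
        findings.append("schema-table-reference")
    return findings


def analyze_log(text):
    """Return one alert record per request that triggered at least one indicator."""
    alerts = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = inspect_query(urlsplit(match.group("target")).query)
        if findings:
            alerts.append({"ip": match.group("ip"),
                           "target": match.group("target"),
                           "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_LOG):
        print(alert["ip"], alert["findings"], alert["target"])
```

The rules work on the decoded parameter values rather than the raw line, so percent-encoding does not hide the comment tokens, and the repeated-parameter rule counts names before any application-level merging happens, which is exactly the point at which a server that validates only the first value would go wrong.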

Then I tried to find out how many columns the query takes, and I learned it from two things. First, there are three users, so the query would work like this: SELECT user,admin,hacker FROM users WHERE user='<whatever I type in the front end>'. Second, I tried the ORDER BY method: I typed '/**/ORDER/**/BY/**/&q=6; -- and it worked and told me that the maximum column number is 3, so I started to craft the query.

Because I had already read about SQLite, I knew that the schema table here is named sqlite_master and that it has a column named sql which stores the text of the statement that created each object, such as CREATE TABLE. So I crafted the payload like this: '/**/UNION/**/SELECT&q='a',sql,'b'/**/&q=from/**/(sqlite_master)&q=limit/**/1,1 -- . First I start with UNION to run another query; then I select the three columns the query needs, two of which are arbitrary inputs, 'a' and 'b', and one is the column I want to dump; then I put the table name inside parentheses so I can type special characters without causing a query fault; then I add the LIMIT to restrict what gets printed out to me; and finally I add -- to comment out anything after it.

Then the database printed what I expected: the text of the CREATE TABLE statement, and in it I found what I needed to get the flag: the column flag and the table secret. After that I crafted the query again: '/**/UNION/**/SELECT&q='a',flag,'b'/**/&q=from/**/(secret)&q=-- and the flag printed out: FLAG{parameter_pllution_bypasses_all_security}.
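As an added example (the challenge's own source was never published, so this is not its code), here is a small Python sqlite3 model of the two filters described in this write-up, the space stripping and the 20-character cap, next to a hardened handler. The table and column names, the rows and the input-handling model are my assumptions, inferred from the write-up: the cap is applied to the first q value only, spaces are stripped from every value, and all repeated q values are then joined. The payloads are the write-up's own. The vulnerable path shows why those two filters do not stop the injection and why echoing the driver's error text helps an attacker fingerprint the database; the hardened path rejects a repeated parameter instead of merging it and binds the value instead of splicing it into SQL.

```python
import sqlite3
from urllib.parse import parse_qs

MAX_LEN = 20  # the 20-character cap the write-up observed on a single q value

# Constructed in-memory schema; table and column names are placeholders, not the
# challenge's real ones. Three columns, so a UNION needs the same column count the
# write-up found with ORDER BY.
SCHEMA = """
CREATE TABLE users (name TEXT, note TEXT, role TEXT);
INSERT INTO users VALUES ('user', 'Welcome, user.', 'member'),
                         ('admin', 'Welcome, admin.', 'staff'),
                         ('hacker', 'Welcome, hacker.', 'guest');
CREATE TABLE secret (flag TEXT);
INSERT INTO secret VALUES ('FLAG{placeholder}');
"""

# The write-up's schema-dump payload, spread over repeated q parameters as shown there,
# and the plain boolean attempt that the space-stripping filter broke.
DUMP_PAYLOAD = "q='/**/UNION/**/SELECT&q='a',sql,'b'/**/&q=from/**/(sqlite_master)&q=limit/**/1,1 --"
NAIVE_PAYLOAD = "q=' OR 1=1 --"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def collect_input(query_string):
    """Assumed model of the challenge's input handling, inferred from the write-up:
    the length cap is applied to the first q value only, spaces are stripped from every
    value, and all repeated q values are then joined. Validating one value but using
    all of them is what lets HTTP parameter pollution defeat the cap."""
    values = parse_qs(query_string).get("q", [])
    if not values:
        return ""
    values[0] = values[0][:MAX_LEN]
    return "".join(v.replace(" ", "") for v in values)


def vulnerable_lookup(query_string):
    """String-built query: the filtered input is spliced straight into the SQL text.
    SQLite treats /**/ as whitespace, so the space filter changes nothing, and the raw
    driver error is handed back to the caller, as the challenge did."""
    conn = open_db()
    sql = f"SELECT name, note, role FROM users WHERE name='{collect_input(query_string)}'"
    try:
        return {"rows": conn.execute(sql).fetchall()}
    except sqlite3.OperationalError as err:
        return {"error": str(err)}


def safe_lookup(query_string):
    """Hardened version: reject a repeated parameter instead of joining it, enforce the
    length limit on the value actually used instead of trimming it, and bind the value
    so SQLite never parses it as SQL. No error text reaches the caller."""
    values = parse_qs(query_string).get("q", [])
    if len(values) != 1 or len(values[0]) > MAX_LEN:
        return {"rows": []}
    conn = open_db()
    rows = conn.execute("SELECT name, note, role FROM users WHERE name=?",
                        (values[0],)).fetchall()
    return {"rows": rows}


if __name__ == "__main__":
    print(vulnerable_lookup("q=admin"))      # the admin row
    print(vulnerable_lookup(NAIVE_PAYLOAD))  # syntax error: stripping spaces broke the query
    print(vulnerable_lookup(DUMP_PAYLOAD))   # a CREATE TABLE statement from sqlite_master
    print(safe_lookup(DUMP_PAYLOAD))         # no rows: polluted input is rejected
```

Two design points carry over to real code: a limit that silently trims input is weaker than one that rejects it, because trimming leaves the question of which copy of the value was checked, and a parameterized query removes the whole class of whitespace-substitution bypasses, since the bound value is never tokenized as SQL at all.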

This was one of the most exciting CTFs I have ever played, because it needed a lot of thinking to solve, and not just thinking but also creativity to make the effort pay off.

Momen Ali (Cyber Guy)

Penetration Tester | Bug Hunter | Cyber Security Instructor | CTF Dev & Player