Yadhu's Blog

HTBCTF Finals 2021: Waf-Waf Write-up

tl;dr

  • Rename table and exploit SQL Injection to get the flag.

# Challenge Description

Who let the blacklists out?

# Source Code

```php
<?php
require('database.php');

$user = $_GET['user'];
$pass = $_GET['pass'];

// Blacklist: abort if either parameter contains select, union, where,
// "(", "." or a single quote (case-insensitive); anything else passes.
if (!isset($user) || !isset($pass) || preg_match_all('/(select|union|where|\(|\.|\')/i', $user.$pass))
{
    highlight_file(__FILE__);
    exit;
}

$mysql = get_db();
// Both parameters are interpolated straight into the SQL string, and
// multi_query() lets several ;-separated statements run in one call.
$mysql->multi_query("SELECT * FROM `users` WHERE `username` = '${user}' AND `password` = '${pass}'");

do
{
    if ($result = $mysql->store_result())
    {
        if ($row = $result->fetch_assoc())
        {
            echo json_encode($row) . '<br/>';
        }
        $result->free();
    }
}
while ($mysql->next_result());

$mysql->close();
```

# Analysis

  • The user and pass parameters are interpolated directly into the query, so they can be used for SQL Injection.
  • The blacklist applied to the parameters is not strong enough.
  • Multiple queries can be executed in one call because the multi_query function is used.
  • Inserting single quotes is not allowed.
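As an added example (not part of the write-up or of the challenge source), here is the same lookup rewritten so that it does not depend on a blacklist at all: one prepared statement through mysqli, with both parameters bound as data. It assumes get_db() returns a mysqli connection, as the challenge's database.php does.

```php
<?php
// Added example, not the challenge code: the same login lookup without a blacklist.
// Assumes get_db() returns a mysqli connection (as in the challenge's database.php).
require('database.php');

$user = $_GET['user'] ?? null;
$pass = $_GET['pass'] ?? null;

// Reject missing or non-scalar input instead of trying to sanitise it.
if (!is_string($user) || !is_string($pass)) {
    http_response_code(400);
    exit;
}

$mysql = get_db();
$mysql->set_charset('utf8mb4');

// Placeholders keep user input out of the SQL text entirely: quotes, backslashes
// and comment sequences are sent as parameter values, not as statement syntax.
$stmt = $mysql->prepare(
    'SELECT `username` FROM `users` WHERE `username` = ? AND `password` = ?'
);
$stmt->bind_param('ss', $user, $pass);
$stmt->execute();

// A single prepared statement: there is no multi_query(), so no second
// ;-separated statement can ride along with the lookup.
$result = $stmt->get_result();
if ($row = $result->fetch_assoc()) {
    echo json_encode($row) . '<br/>';
}

$stmt->close();
$mysql->close();
```

Two things change relative to the challenge: the driver handles a backslash or quote in the input as data, so neither parameter can reshape the WHERE clause, and dropping multi_query() for a single prepared statement means no additional statement (a table rename, for instance) can be appended. The plain password equality is kept only to mirror the challenge's query; a real application would store a password hash and verify against it.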

# Solution

  1. Inserting \ as the value of the user parameter causes part of the query to be treated as a string, and the pass parameter can then be used for SQL Injection. The query becomes