Category: Web Points: 200 Description:
I've got a new website for BIG DATA analytics! http://littlequery.chal.csaw.io
This challenge is a straightforward database injection attack challenge, with a bit of recon mixed in. This challenge starts with seeing the
User-agent: * Disallow: /api
From there, we discover a hidden part of the site,
Index of /api [ICO] Name Last modified Size Description [PARENTDIR] Parent Directory - [ ] db_explore.php 2017-09-13 10:36 1.9K Apache/2.4.18 (Ubuntu) Server at littlequery.chal.csaw.io Port 80
This leads us to
db_explore.php. Upon further testing, there were two factors towards solving the challenge. First, is the mode
schema and second, the mode
preview. Upon further testing, we end up with 3 things.
In this case,
%23 stands for
#, to comment out the rest of the SQL statement. Now, we have the user credentials.
Since the password is hashed clientside before sending to server, we can simply prevent the hashing from taking place and sending the hash, using this JS command!
Therefore, the flag is