CSAWCTF_2017: LittleQuery

Category: Web Points: 200 Description:

I've got a new website for BIG DATA analytics! http://littlequery.chal.csaw.io


This challenge is a straightforward database injection attack challenge, with a bit of recon mixed in. This challenge starts with seeing the robots.txt page.

User-agent: *
Disallow: /api

From there, we discover a hidden part of the site, /api!

Index of /api

[ICO]   Name    Last modified   Size    Description
[PARENTDIR] Parent Directory        -    
[   ]   db_explore.php  2017-09-13 10:36    1.9K     
Apache/2.4.18 (Ubuntu) Server at littlequery.chal.csaw.io Port 80

This leads us to db_explore.php. Upon further testing, there were two factors towards solving the challenge. First, is the mode schema and second, the mode preview. Upon further testing, we end up with 3 things.



In this case, %23 stands for #, to comment out the rest of the SQL statement. Now, we have the user credentials.


Since the password is hashed clientside before sending to server, we can simply prevent the hashing from taking place and sending the hash, using this JS command!


Therefore, the flag is flag{mayb3_1ts_t1m3_4_real_real_escape_string?}.