N1CTF - 77777 Write-up \------------------------- Category: Web Points: 1000 (Dynamic scoring, goes down when more people solve it) Description: ``` "77777" is my girlfriend's nicknameļ¼Œhave fun xdd:) hk node: http://47.75.14.48 cn node: http://47.97.168.223 (Two challenge servers are identical, use either of them.) ``` Upon visiting the site we're shown two very big hints, ``U can update my points in Profile.`` and ``And the flag is `admin's password`:)``, upon visiting the rest of the pages we can see the "profile" which just simply displays the amount of Points they have, on the "Somecode" page we get a screenshot of the code running in the background, and on the someinfo page we get a screenshot which displays what software is running on the server. Somecode Picture: ![code](https://i.imgur.com/EMBZgXH.png) After reading over the code it's obvious that the $points variable is vulnerable to SQL Injection, however it is also running through a waf function which we don't have the code for. After doing some research on different ways I could exploit it, I discovered a technique [here]() about using CONV(hex((query))) to extract data, after struggling on trying to get it working for ages, I FINALLY got it working using this query ``*CONV(HEX((SELECT MID(password,1,3))),16,10)``. For anyone who isn't familiar with the functions in the statement I'll break them down for you, MID allows you to obtain a substring of the field (I couldn't use SUBSTRING because it was blocked by the waf :( ), the format is ``MID(field, , )``, after some more fiddling around I wrote a quick python script to automate it for me and do the decoding. ``` import requests import re from time import sleep s = requests.Session() regex = "\|\s[\d]+ 0: dechex = result[0].replace("| ","").replace(" Original writeup (https://github.com/notdls/ctf-write- ups/blob/master/N1CTF_2018/Web/77777.md).