Real World CTF 4th Hack into Skynet Write Up
2022-01-24 23:29:53

There is no SQL injection vulnerability in the login logic, and logging in is normally impossible because no user account exists.

I found some stupid logic in the login code. If the user variable is empty, the name variable is set to an empty value, and then the name variable is compared with the username variable. If both name and username are empty, the comparison returns true, so the login succeeds.

As expected, the login succeeded when an empty username was submitted. With the login done, the search logic can be used.
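The login comparison described above, reconstructed beside a hardened version. This is an added example and not the challenge's source: the function names (login_vulnerable, login_fixed, register), the USERS store and the sha256 stand-in for a password hash are all constructed for illustration.

```python
"""
Reconstruction of the login comparison bug from the write-up, with a fix.
Added example, not the challenge's code: USERS, register(), login_vulnerable()
and login_fixed() are constructed names, and sha256 stands in for a real KDF.
"""
import hashlib
import hmac
from typing import Dict, Optional

# Constructed user store. It starts empty, as in the challenge.
USERS: Dict[str, Dict[str, str]] = {}


def hash_password(password: str) -> str:
    # Stand-in only; a real application would use a slow KDF (argon2/scrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def register(username: str, password: str) -> None:
    USERS[username] = {"name": username, "password_hash": hash_password(password)}


def lookup_user(username: str) -> Optional[Dict[str, str]]:
    return USERS.get(username)


def login_vulnerable(username: str, password: str) -> bool:
    """Flawed flow as the write-up describes it: when no user row is found,
    ``name`` stays an empty string and is then compared with the submitted
    username. Empty == empty is True, so an empty username logs in even
    though no account exists. The password is never consulted at all."""
    user = lookup_user(username)
    name = ""
    if user:
        name = user["name"]
    return name == username


def login_fixed(username: str, password: str) -> bool:
    """Hardened flow: reject empty input, require an existing row, and
    compare the credential (not the name) in constant time."""
    if not username or not password:
        return False
    user = lookup_user(username)
    if user is None:
        return False
    return hmac.compare_digest(user["password_hash"], hash_password(password))


if __name__ == "__main__":
    print(login_vulnerable("", "anything"))  # True: empty name equals empty username
    print(login_fixed("", "anything"))       # False
```

The vulnerable variant also accepts any password for a registered user, since the only thing it ever compares is the name with itself; a detection rule for this class of bug is an authentication success event with an empty or missing username.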

SQL injection is possible because the value of name in the query_kill_time() function is inserted into the query as-is.
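To show why splicing name into the SQL text is a defect, here is a constructed query_kill_time() beside a parameterised version. This is an added example, not the challenge's code: the table, its rows, the function names and the shape of the query are all assumptions.

```python
"""
Why an unescaped value in the query is a defect, and the parameterised fix.
Added example, not the challenge's code: the targets table, its rows and the
query shape are constructed for illustration.
"""
import sqlite3
from typing import List, Optional, Tuple


def make_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for the challenge's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE targets (name TEXT, kill_time TEXT)")
    conn.executemany(
        "INSERT INTO targets VALUES (?, ?)",
        [("Sarah Connor", "1997-08-29"), ("O'Neil", "2029-07-04")],
    )
    return conn


def query_kill_time_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    # The user-controlled value is spliced into the SQL text, so any quote
    # in it changes the structure of the statement.
    sql = f"SELECT kill_time FROM targets WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def query_kill_time_fixed(conn: sqlite3.Connection, name: str) -> List[str]:
    # Placeholder binding: the value is sent as data and never parsed as SQL.
    sql = "SELECT kill_time FROM targets WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare_queries(name: str) -> Tuple[Optional[List[str]], List[str]]:
    """Run both variants on the same input. Returns (vulnerable_result,
    fixed_result); vulnerable_result is None when the spliced statement
    failed to parse, the tell-tale symptom of this defect."""
    conn = make_db()
    try:
        vulnerable = query_kill_time_vulnerable(conn, name)
    except sqlite3.OperationalError:
        vulnerable = None
    return vulnerable, query_kill_time_fixed(conn, name)


if __name__ == "__main__":
    print(compare_queries("Sarah Connor"))  # both variants find the row
    print(compare_queries("O'Neil"))        # spliced query breaks on the quote
```

A legitimate name containing an apostrophe is enough to break the spliced query, which is exactly the property an injection relies on; with a bound parameter the same input is just data.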

When I attempted SQL injection, the request was caught by a detection mechanism.

The reason is that the skynet_detect() function is called before query_kill_time() is called. Here again the code is written with very stupid logic.

In the skynet_detect() function the body is read with the get_data() method, while in the query_kill_time() function the value is read with the form.get() method. Why read the same request in two different ways? This looked suspicious to me, and I assumed it would be the key to solving the challenge.

So I tried to bypass the detection mechanism by changing the value of Content-Type as above and using the parsing difference between the two functions, but got no response. The important thing, however, is that I had not yet used the file upload function with multipart/form-data. When a file is uploaded, the body contains not only the file name and contents but also various other values as binary data. So I thought that if I used the upload function, the values could get mixed up and the detection bypassed.
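The mismatch described above, modelled in plain Python: a detector that inspects the raw body (as get_data() would) and a consumer that reads a decoded form field (as form.get() would), run over both a urlencoded and a multipart request. This is an added example, not the challenge's code; the function names, the single-quote heuristic, the sample requests and the minimal multipart parser are all constructed stand-ins.

```python
"""
Model of a detector that reads the raw body while the query reads the decoded
form field. Added example, not the challenge's code: detect_raw(), form_get(),
detect_parsed(), the sample bodies and the tiny multipart parser are constructed.
"""
from typing import Dict, Tuple
from urllib.parse import parse_qs


def detect_raw(raw_body: bytes) -> bool:
    """Weak check: inspects the undecoded bytes of the whole body."""
    return b"'" in raw_body


def parse_urlencoded(raw_body: bytes) -> Dict[str, str]:
    parsed = parse_qs(raw_body.decode(), keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}


def parse_multipart(raw_body: bytes, boundary: str) -> Dict[str, str]:
    """Minimal multipart/form-data parser, constructed for this example."""
    fields: Dict[str, str] = {}
    for part in raw_body.split(b"--" + boundary.encode()):
        part = part.strip(b"\r\n")
        if not part or part == b"--":  # preamble or closing delimiter
            continue
        head, _, value = part.partition(b"\r\n\r\n")
        name = None
        for line in head.split(b"\r\n"):
            if line.lower().startswith(b"content-disposition:"):
                for item in line.split(b";"):
                    item = item.strip()
                    if item.startswith(b'name="') and item.endswith(b'"'):
                        name = item[6:-1].decode()
        if name is not None:
            fields[name] = value.decode(errors="replace")
    return fields


def form_get(raw_body: bytes, content_type: str, field: str) -> str:
    """Stand-in for request.form.get(field): returns the decoded field value."""
    if content_type.startswith("multipart/form-data"):
        boundary = content_type.split("boundary=", 1)[1].strip('"')
        return parse_multipart(raw_body, boundary).get(field, "")
    return parse_urlencoded(raw_body).get(field, "")


def detect_parsed(raw_body: bytes, content_type: str, field: str = "name") -> bool:
    """Hardened check: examines exactly the value the query will consume."""
    return "'" in form_get(raw_body, content_type, field)


def compare(raw_body: bytes, content_type: str) -> Tuple[bool, bool]:
    """Returns (raw_detector_verdict, parsed_detector_verdict)."""
    return detect_raw(raw_body), detect_parsed(raw_body, content_type)


# Constructed sample requests.
URLENC_CT = "application/x-www-form-urlencoded"
BENIGN = b"name=terminator"
ENCODED_QUOTE = b"name=O%27Neil"  # raw bytes hold no quote; the decoded value does
MP_CT = 'multipart/form-data; boundary="XYZ"'
MULTIPART = (
    b"--XYZ\r\n"
    b'Content-Disposition: form-data; name="name"\r\n\r\n'
    b"terminator\r\n"
    b"--XYZ\r\n"
    b'Content-Disposition: form-data; name="upload"; filename="notes.txt"\r\n'
    b"Content-Type: text/plain\r\n\r\n"
    b"it's only a file\r\n"
    b"--XYZ--\r\n"
)

if __name__ == "__main__":
    for body, ctype in [(BENIGN, URLENC_CT), (ENCODED_QUOTE, URLENC_CT), (MULTIPART, MP_CT)]:
        print(ctype, compare(body, ctype))
```

The raw-body check is wrong in both directions: it misses a quote that only appears after decoding, and it fires on an uploaded file's contents even though the name field the query uses is harmless. The reliable fix is to validate the same decoded value the query receives and, more importantly, to bind it as a parameter rather than splice it into SQL.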

As expected, the detection was bypassed in this odd way.

