old-57 -- Conditional Time Delays

URL: https://webhacking.kr/challenge/web-34/ Source: https://webhacking.kr/challenge/web-34/?view_source=1

<?php
$db = dbconnect();
if ($_GET["msg"] && isset($_GET["se"])) {
    // addslashes() only protects values that end up inside quotes in the query
    $_GET["msg"] = addslashes($_GET["msg"]);
    $_GET["se"] = addslashes($_GET["se"]);
    // keyword blacklist applied to se only; a blacklist is incomplete by nature
    if (preg_match("/select|and|or|not|&|\||benchmark/i", $_GET["se"])) {
        exit("Access Denied");
    }
    // msg and pw are quoted, but se is interpolated bare into the op column,
    // so the escaping above never applies to it
    mysqli_query(
        $db,
        "insert into chall57(id,msg,pw,op) values('{$_SESSION["id"]}','{$_GET["msg"]}','{$flag}',{$_GET["se"]})"
    );
    // the only visible response, regardless of what the query did
    echo "Done<br><br>";
    // occasional table wipe
    if (rand(0, 100) == 1) {
        mysqli_query($db, "delete from chall57");
    }
}
?>
[Screenshot: old-57.png]

The se value passes through several filters, including addslashes(), but because it is interpolated into the query without quotes, SQL injection is still possible. Our task is to read the third column, pw, which holds the flag.

The code only runs an INSERT query and produces no visible output, but we can build our own indicator of success and failure using timed queries (time-based blind injection).
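The root cause above is that se is concatenated into the statement as bare SQL, so neither addslashes() nor a keyword blacklist can contain it, and the lack of output does not help because timing is itself a channel. The fix is to separate code from data. The following is an added example, not the challenge's own code: the same INSERT written with a mysqli prepared statement and an allow-list check on se. It assumes, as the challenge source does, that dbconnect() returns a mysqli connection and that $flag and $_SESSION["id"] are set; the function name insert_message_safely is the example's own.

```php
<?php
// Added example (not the challenge's code): the same INSERT written safely.
// Assumes dbconnect() returns a mysqli connection and that $flag and
// $_SESSION["id"] exist, as in the challenge source.

function insert_message_safely(mysqli $db, string $sessionId, string $msg, string $seRaw, string $flag): bool
{
    // The challenge's blacklist tries to enumerate bad input; an allow-list
    // is the reliable replacement. op is a numeric column, so anything that
    // is not a plain integer is rejected before it gets near the database.
    if (!preg_match('/^-?\d{1,10}$/', $seRaw)) {
        return false;
    }
    $se = (int) $seRaw;

    // Placeholders keep values out of the SQL grammar entirely: the driver
    // sends them separately from the statement text, so no quoting or
    // escaping is involved and se can no longer carry expressions such as
    // conditional delays.
    $stmt = $db->prepare(
        "INSERT INTO chall57 (id, msg, pw, op) VALUES (?, ?, ?, ?)"
    );
    if ($stmt === false) {
        return false;
    }
    // Type string: 's' = string, 'i' = integer, in the same order as the ?s.
    $stmt->bind_param("sssi", $sessionId, $msg, $flag, $se);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

$db = dbconnect();
if (isset($_GET["msg"], $_GET["se"]) && $_GET["msg"] !== "") {
    if (insert_message_safely($db, $_SESSION["id"], $_GET["msg"], $_GET["se"], $flag)) {
        echo "Done<br><br>";
    } else {
        exit("Access Denied");
    }
}
?>
```

Two points worth checking in any similar code review: an escaping function is only meaningful for a value that ends up inside quotes, so every bare interpolation is a bug regardless of filtering; and on the operations side, an INSERT that normally completes in milliseconds but suddenly takes whole seconds is the observable signature of this class of attack, so slow-query logging on the database is a cheap detection to have in place.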

portswigger > SQL injection cheat sheet > Conditional time delays

As we can see, the response is successfully delayed, and bypassing the filter was a breeze.

Brute force follows; sadly the script is not asynchronous, so this will take some time... 💀
