SECCON 2017 / SqlSRF

Hello guys, so as always I will share my team's and my solution for web400 (SqlSRF).

First, I would like to thank all the organizers for this CTF; I really enjoyed it, and it made me work hard to solve this and the other web and crypto challenges.

So in the first stage this task was a simple login form plus the source code of the index.cgi page.


And this is the source code; the best part is the SQL query.


So what we can do here is inject our payload through the username. We can't use the password: first because it is not in the query, and second because it is encrypted with an unknown cipher.

Let's break this login by just using 'union select'.

payload: "union select 'admin'--"

But wait, our password is encrypted before the check:

$row[0] eq &encrypt($q->param('pass'))

So how can we make this true and log in? Let's audit the code some more and look for our hope :D

($q->param('save') eq '1' ? $q->cookie(-name=>'remember', -value=>&encrypt($user), -expires=>'+1M') : undef)

So if we check the Remember Me option, the username we used to log in is encrypted and stored in the remember cookie.

Okay, let's try with username: admin and password: anything


This is the username (admin) encrypted; let's use it in the payload to make the check true.

username : 'union select '58474452dda5c2bdc1f6869ace2ae9e3
password : admin

Oh, we are in now :D
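To make clear why this works, here is an added example (not code from the challenge or from the author) that rebuilds the login check in Python with an in-memory SQLite database. The challenge's &encrypt() cipher is unknown, so a SHA-256 hex digest stands in for it; the flaw does not depend on the cipher, only on the username being concatenated into the SQL while the password is compared after the query. The table layout and the sample admin password are constructed assumptions. The fixed variant uses a bound parameter, which turns the same input into a plain username lookup.

```python
import hashlib
import sqlite3

# Stand-in for the challenge's unknown &encrypt(): any deterministic one-way
# transform reproduces the logic flaw, which is independent of the cipher.
def encrypt(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()

def make_db() -> sqlite3.Connection:
    # Constructed sample schema and data; the real admin password is not used.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("admin", encrypt("not-the-real-password")))
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Mirrors the writeup: the username is glued into the SQL text, so
    # "'union select '<value>" makes the query return <value> as the stored
    # password, and the Perl-side comparison then runs against that value.
    sql = f"SELECT password FROM users WHERE username='{username}'"
    row = conn.execute(sql).fetchone()
    return row is not None and row[0] == encrypt(password)

def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Bound parameter: the username is data, never SQL, so no UNION can be
    # appended and only a real row from the users table is ever compared.
    row = conn.execute("SELECT password FROM users WHERE username=?",
                       (username,)).fetchone()
    return row is not None and row[0] == encrypt(password)

if __name__ == "__main__":
    db = make_db()
    # The "remember" cookie leaks encrypt("admin"); feed it back as the UNION row.
    cookie_value = encrypt("admin")
    payload = "'union select '" + cookie_value
    print("vulnerable:", login_vulnerable(db, payload, "admin"))  # True
    print("fixed:     ", login_fixed(db, payload, "admin"))       # False
```

The comparison `row[0] eq &encrypt($q->param('pass'))` on the page is not wrong by itself; it becomes an authentication bypass only because the injected UNION lets the client choose what `row[0]` is, and the remember cookie hands the client a value that passes. Parameterizing the query removes the first half of that chain.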


But “* No.2 is only for “admin” user.” :(

We need to log in as admin, so we need to get the real password from the SQLite database.

I used this https://github.com/unicornsasfuel/sqlite_sqli_cheat_sheet to make things easier.

So let's try "Time-based data extraction".

So what I did first was figure out the response time for a true and a false query.

Here, when the query is true: time = 1.37


And when the query is false: time = 500 ms


Then I started writing code to make it fast and easy.

This is my script: Script

Just decrease the time threshold in the script if you run into problems; it depends.

Then after the script ends it prints the password for us:

password : Yes!Kusomon!!

Log in as admin like a BOSS :D

Next stage: as the name of the task says, it will be "SSRF".

As we see here:


Port 25 is open only locally.

With the help of Orange's bugs again :D


That let me exploit it fast without wasting time: using CRLF injection will break this and finish the stage.

So my final payload was:
HELO admin
MAIL FROM:<myemail@gmail.com>
RCPT TO:<root@ymzk01.pwn>
Subject:give me flag
give me flag

Then encode it to bypass some problems.

And again we break this stage and get our email:
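The stage above chains two defects: the server-side fetcher accepts a target it should never reach (port 25 on localhost) and it copies a user-supplied value into the outgoing request without stripping line breaks, so a URL-encoded CR/LF turns one request line into several SMTP commands. As an added example (not the challenge's code, nor the author's), here is the input validation a defender would put in front of such a fetcher in Python: it rejects CR, LF and NUL even after repeated percent-decoding, enforces a port allowlist, and refuses loopback and private addresses. The allowed ports, the decode depth and the sample inputs are assumptions constructed for the example.

```python
import ipaddress
from urllib.parse import unquote

# Characters that let one protocol line spill into the next (CRLF injection).
LINE_BREAKERS = ("\r", "\n", "\x00")

# Assumption: the fetcher only ever needs to talk HTTP(S); SMTP (25) is never valid.
ALLOWED_PORTS = (80, 443)

def contains_line_break(value: str, decode_rounds: int = 2) -> bool:
    """True if value carries CR/LF/NUL, including encoded forms such as %0d%0a
    or double-encoded %250d%250a, checked before and after each decode round."""
    current = value
    for _ in range(decode_rounds + 1):
        if any(ch in current for ch in LINE_BREAKERS):
            return True
        decoded = unquote(current)
        if decoded == current:          # nothing left to decode
            break
        current = decoded
    return False

def is_internal_host(host: str) -> bool:
    """Reject loopback, private and link-local literals and the name localhost.
    DNS names are not resolved here, so this does not cover rebinding."""
    if host.lower().rstrip(".") == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False                    # a hostname, not an IP literal
    return ip.is_loopback or ip.is_private or ip.is_link_local

def validate_target(host: str, port: int) -> list:
    """Return the list of reasons to refuse the fetch; an empty list means OK."""
    problems = []
    if contains_line_break(host):
        problems.append("crlf")
    if port not in ALLOWED_PORTS:
        problems.append("port")
    if is_internal_host(host):
        problems.append("internal")
    return problems

if __name__ == "__main__":
    # Constructed inputs: a benign host, the writeup's local SMTP target, and an
    # encoded CRLF that would otherwise become a second protocol line.
    for host, port in [("mail.example.com", 443),
                       ("127.0.0.1", 25),
                       ("example.com%0d%0aHELO%20admin", 80)]:
        print(host, port, validate_target(host, port) or "ok")
```

Checking the decoded value matters because the page's last step was to encode the payload before sending it; a filter that only looks for a literal CR or LF in the raw parameter is exactly what that encoding walks past. The host check here is a literal-only check and does not resolve names, so a hostname that resolves to 127.0.0.1 would still need a resolver-side check.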


Use the cookie to decrypt our flag :D