Space

Taking a look

When we first open the login page we see two options, Sign in and Sign up, and at the very bottom there is a Forgot password? link.

However, only Sign in works here. If we submit random values in the login form we get a JSON response: {"Error":"Wrong Credentials"}

Time for work

OK, let's send the POST request to Burp. First I tried array injection, but I got a 400 Bad Request:

If we test for SQL injection with a simple payload such as 'or 1=1 -- - we get a Hacker detected response, which indicates that the WAF (web application firewall) has blocked our request:

After playing with the query to find out exactly what the WAF blocks, I found that it blocks any space character:

That's why the challenge is named Space.


Bypassing WAF

Now we need a way to bypass the WAF, which blocks the space character. Searching for "space block sql injection" turns up an interesting answer:

So we need to replace the space with another whitespace character that the WAF does not block. After trying various payloads it turns out that neither %0d (carriage return) nor %0a (newline) is blocked. However, when we try to log in with the new query we get the same Hacker detected error again:

It seems that -- is also being blocked. How did I know? Simply test for -- on its own and you will get this response:

You can always remove your payload character by character to work out which part the WAF is blocking.


Thinking

Now, try to think: how can you get around this? Just as we did with the space character, we search for other ways to write a comment in SQL:

Trying these comment styles in our query, we find that /* works, and we have finally bypassed the WAF:

Cool, isn't it? Unfortunately there is nothing interesting in the response apart from the Logged in successfully message, so this is probably a blind SQL injection.
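The bypass works because the WAF matches raw bytes while the database parses tokens: %0a and /* are different bytes but the same token boundary. As an added illustration that is not part of the original write-up, the Python below contrasts the challenge's byte-level blocklist with a check that canonicalises the input first (URL-decode, drop comments, collapse every whitespace variant) before looking for an OR tautology; the payloads are reconstructed from the walkthrough, and the normalised check also covers the /**/ form that was not tried here.

```python
import re
from urllib.parse import unquote

# Constructed from the walkthrough: the first probe was blocked, the second
# swaps spaces for %0a and the "--" comment for an unterminated "/*".
PROBE_PLAIN = "'or 1=1 -- -"
PROBE_BYPASS = "'%0aor%0a1=1%0a/*"

def naive_waf(raw: str) -> bool:
    """Mimics the challenge WAF: rejects only a literal space or '--'."""
    return " " in raw or "--" in raw

def normalize(raw: str) -> str:
    """Canonicalise the input so every rule sees what the SQL parser sees."""
    s = unquote(raw)                                      # %0a -> "\n", %0d -> "\r"
    s = re.sub(r"/\*.*?(\*/|$)", " ", s, flags=re.S)      # /* ... */ (or unterminated /*)
    s = re.sub(r"(--|#).*$", " ", s, flags=re.M)          # -- and # line comments
    s = re.sub(r"\s+", " ", s)                            # any whitespace run -> one space
    return s.strip().lower()

# OR followed by "x = x" with the same token on both sides, e.g. "or 1=1".
TAUTOLOGY = re.compile(r"(?:^|\W)or\s+(\w+)\s*=\s*\1(?:\W|$)")

def normalized_waf(raw: str) -> bool:
    """Apply the tautology rule to the canonical form, not the raw bytes."""
    return bool(TAUTOLOGY.search(normalize(raw)))

def compare(raw: str) -> dict:
    """Verdict of both checks for one input value."""
    return {"naive": naive_waf(raw), "normalized": normalized_waf(raw)}

if __name__ == "__main__":
    for value in (PROBE_PLAIN, PROBE_BYPASS, "'/**/or/**/1=1/**/", "Jackie Lando"):
        print(repr(value), compare(value))
```

The legitimate value "Jackie Lando" shows the other half of the problem: the byte-level blocklist rejects it while the canonicalised check does not, so the challenge WAF is both bypassable and a source of false positives; parameterised queries remain the fix.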


The final chapter

Now let's first test for error-based blind SQL injection. You can use this payload to guess the table name:

And I got this result:

Great, now we know there is a table named users. Let's extract the username, password and id with this payload:

How did I know the column names? Simply by guessing! You can either do this by hand (and wear out your fingers) or automate it with a simple Python script:

After dumping the user data we have: id: 1, username: Jackie_Lando, password: %%MYS3cr3tPasSword%%

There is no flag here; even searching for "flag" in the users table returns nothing.


In CTF challenges the flag is usually stored in a table named flag, in a column also named flag. Nevertheless, when we reuse the very first payload to check whether such a table exists

we get no result for a table named flag, which means it doesn't exist. After guessing various names, we finally found the flags table:

Assuming the column is named flag, we reuse the previous script to dump the table. And we finally have the flag!
