🌐 Paginator

A detailed write-up of the Web challenge 'Paginator' from NullCon Goa HackIM CTF - 2025

[Image: Challenge Presentation]

📊 Challenge Overview

Category | Details | Additional Info
🏆 Event | Nullcon Goa HackIM 2025 CTF | Event Link
🔰 Category | Web 🌐 |
💎 Points | 500 | Out of 500 total
⭐ Difficulty | 🟢 Easy | Personal Rating: 1/10
👤 Author | @gehaxelt | Profile
🎮 Solves (At the time of flag submission) | 257 | solve rate
📅 Date | 01-02-2025 | Nullcon Goa HackIM 2025 CTF
🦾 Solved By | mH4ck3r0n3 | Team: QnQSec

📝 Challenge Information

There can’t much go wrong with pagination, right? http://52.59.124.14:5012

🎯 Challenge Files & Infrastructure

Provided Files

Files: None

🔍 Initial Analysis

First Steps

Initially, the website appears as follows:

[Image: Site Presentation]

When I clicked on show pages 2,10, it showed me the rows from the database by setting the parameter p=2,10. Then, I decided to click the link to the source, which directed me to /?source:

[Image: Source Code]

I saved the source in the file source.php. As we can see, a QUERY is made that retrieves all the pages by setting a minimum and maximum ID based on the parameter p we pass. Let’s move on to the exploitation.

🔬 Vulnerability Analysis

Potential Vulnerabilities

  • SQL Injection

🎯 Solution Path

Exploitation Steps

Initial setup

As we can notice, there is a check on the minimum value, so when passing /?p=1,10 OR 1=1, I get "this post is not accessible". Therefore, I need to bypass that check, perhaps by setting the minimum value to 2, for example.

Exploitation

Indeed, the exploit payload is exactly as follows: /?p=2,10 OR 1=1. The query would then be:

SELECT * FROM pages WHERE id>= 2 AND id<= 10 OR 1=1

By setting the minimum value to 2, we bypass the check. Because AND binds more tightly than OR in SQL, the WHERE clause is evaluated as (id>= 2 AND id<= 10) OR 1=1, which is true for every row. The query therefore returns all the pages, so the page with the flag is also displayed.

[Image: Flag Base64]
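
The flaw and its fix, as an added example that is not the challenge's PHP source (which this page only shows as a screenshot): a Python/sqlite3 reconstruction of the pattern described above next to a hardened version. The `pages` table name comes from the query above; the `content` column, the protected row at id 1, the sample rows and all function names are assumptions.

```python
import re
import sqlite3

# Strict format for the whole parameter: two ASCII integers separated by a comma.
P_FORMAT = re.compile(r"(\d{1,9}),(\d{1,9})", re.ASCII)

def make_db():
    """Constructed sample data: ids 1-10, with the protected row at id 1 (assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, content TEXT)")
    db.executemany("INSERT INTO pages VALUES (?, ?)",
                   [(1, "protected page")] + [(i, f"page {i}") for i in range(2, 11)])
    return db

def vulnerable_ids(db, p):
    """Only the lower bound is checked; the upper bound is pasted into the SQL text."""
    lo, hi = p.split(",", 1)
    if int(lo) < 2:
        raise PermissionError("this post is not accessible")
    sql = f"SELECT id FROM pages WHERE id>= {int(lo)} AND id<= {hi}"
    return sorted(row[0] for row in db.execute(sql))

def hardened_ids(db, p):
    """Validate the whole parameter, then bind both bounds as integers."""
    m = P_FORMAT.fullmatch(p)
    if m is None:
        raise ValueError("p must be two integers: min,max")
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo < 2 or hi < lo:
        raise PermissionError("this post is not accessible")
    rows = db.execute("SELECT id FROM pages WHERE id >= ? AND id <= ?", (lo, hi))
    return sorted(row[0] for row in rows)

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_ids(db, "2,10 OR 1=1"))  # result includes id 1
    try:
        hardened_ids(db, "2,10 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The hardened version closes the hole twice over: the full-match validation rejects anything after the second integer, and the bound parameters mean the value could never become SQL syntax even if validation were loosened later.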

As we can see from the source, the flag is encoded in base64. So, using the terminal, I perform the decode and obtain the flag:

echo "RU5Pe1NRTDFfVzF0aF8wdVRfQzBtbTRfVzBya3NfU29tZUhvdyF9" | base64 -d

Flag capture

[Image: Manual Flag]

🛠️ Exploitation Process

Approach

The exploit sends the request with the SQL Injection payload as the p parameter, and then it extracts the flag in base64 format using a regex and decodes it.

🚩 Flag Capture

Flag

Proof of Execution

[Image: Automated Flag. Screenshot of successful exploitation]

🔧 Tools Used

Tool | Purpose
Python | Exploit

💡 Key Learnings

Skills Improved

  • Binary Exploitation
  • Reverse Engineering
  • Web Exploitation
  • Cryptography
  • Forensics
  • OSINT
  • Miscellaneous

📊 Final Statistics

Metric | Value | Notes
Time to Solve | 00:02 | From start to flag
Global Ranking | 23/595 | Challenge ranking
Points Earned | 500 | Team contribution

Created: 01-02-2025 • Last Modified: 01-02-2025 • Author: mH4ck3r0n3 • Team: QnQSec