[NDH2011] prequals::web200 write-up
The goal of this challenge was to get access to a flag stored in the database. The challenge consists of a form with two fields:
  • name
  • file
The purpose of this application is to read a radar picture of an infraction, apply OCR technology to read the value of the regplate and print all the infractions recorded for it. After a few attempts at passing evil inputs to that form, you might guess that the value of the regplate read by the OCR is vulnerable to SQL injection. No errors are displayed, so a simple quote would not tell you there is a vulnerability, but the common
  ' OR 1=1 --
will display everything contained in the infraction table. As you might have noticed, the text recognized by the OCR is printed (OCR technology is far from perfect so we thought it would be a little unfair not to provide you with any debugging process). XSS attacks are possible too but no useful stuff could be achieved (at least nothing concerning the flag..).

Once you have gone through the whole infraction list you will notice that unfortunately there is no sign of any flag :( Nevertheless, the rest of the attack is quite simple.

1/ List all the tables of the database.
  ' UNION SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES --
Note that the comment character at the end of the query has to be {space}--{space}.

2/ Find the relevant table in the output (PoWN3D) and list its values.
  ' UNION SELECT * FROM PoWN3D --

Now you should finally be able to read the flag.
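Why the form is exploitable, and how the regplate lookup should have been written, as an added example that is not the challenge's own code: a Python/SQLite model of the lookup with the concatenated query beside a parameterized one. The table and column names (infraction, regplate, date, kind), the sample rows and the plate format are assumptions. SQLite treats -- as a comment to end of line, so the trailing-space rule noted above for the challenge's MySQL backend is not needed in this model.

```python
import re
import sqlite3

# Constructed sample rows standing in for the challenge's infraction table.
# Table and column names are assumptions; the challenge source is not available.
SAMPLE_ROWS = [
    ("AB-123-CD", "2011-03-01", "speeding"),
    ("EF-456-GH", "2011-03-02", "red light"),
    ("IJ-789-KL", "2011-03-03", "parking"),
]
REGPLATE_RE = re.compile(r"[A-Z0-9-]{1,12}")  # assumed plate format

def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE infraction (regplate TEXT, date TEXT, kind TEXT)")
    conn.executemany("INSERT INTO infraction VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def lookup_vulnerable(conn, ocr_text):
    """Pastes the OCR output straight into the SQL string: the flaw the
    write-up exploits. With ' OR 1=1 -- the WHERE clause becomes
    regplate = '' OR 1=1 and the closing quote is commented out."""
    sql = ("SELECT regplate, date, kind FROM infraction WHERE regplate = '"
           + ocr_text + "'")
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, ocr_text):
    """Same lookup with a bound parameter: the OCR output is only ever data,
    so the payload is compared literally against regplate and matches nothing."""
    sql = "SELECT regplate, date, kind FROM infraction WHERE regplate = ?"
    return conn.execute(sql, (ocr_text,)).fetchall()

def lookup_hardened(conn, ocr_text):
    """Defence in depth: reject anything that does not look like a plate
    before it reaches the database, then use the parameterized query."""
    if not REGPLATE_RE.fullmatch(ocr_text):
        raise ValueError("OCR output is not a plausible regplate: %r" % ocr_text)
    return lookup_parameterized(conn, ocr_text)

if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 -- "
    print("vulnerable   :", lookup_vulnerable(db, payload))     # all three rows
    print("parameterized:", lookup_parameterized(db, payload))  # []
    print("hardened     :", lookup_hardened(db, "AB-123-CD"))   # one row
```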