From 6241ae956c883034f9595bfc72aa5a104e3bd463 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 11 Apr 2024 16:27:25 +0000 Subject: [PATCH] =?UTF-8?q?Update=20writeups=20=F0=9F=9A=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../amateursctf/2024/web/agile-rut.md | 2 +- .../writeups/amateursctf/2024/web/one-shot.md | 100 +++++++++++++++++- writeups | 2 +- 3 files changed, 100 insertions(+), 4 deletions(-) diff --git a/src/content/writeups/amateursctf/2024/web/agile-rut.md b/src/content/writeups/amateursctf/2024/web/agile-rut.md index 2059c88..5906f29 100644 --- a/src/content/writeups/amateursctf/2024/web/agile-rut.md +++ b/src/content/writeups/amateursctf/2024/web/agile-rut.md @@ -27,7 +27,7 @@ After inspecting using another service, called [GlyphrStudio](https://www.glyphr ![glyphrstudio ligatures](https://raw.githubusercontent.com/GerlachSnezka/amateursctf/main/assets/2024-web-agile-rut-glyphrstudio-ligatures.png) -![glyphrstudio ligature](2024-web-agile-rut-glyphrstudio-ligature.png) +![glyphrstudio ligature](https://raw.githubusercontent.com/GerlachSnezka/amateursctf/main/assets/2024-web-agile-rut-glyphrstudio-ligature.png) Using dev tools we can copy the ligature name and we'll get the flag: diff --git a/src/content/writeups/amateursctf/2024/web/one-shot.md b/src/content/writeups/amateursctf/2024/web/one-shot.md index 8d33f38..e44cbf3 100644 --- a/src/content/writeups/amateursctf/2024/web/one-shot.md +++ b/src/content/writeups/amateursctf/2024/web/one-shot.md 
@@ -3,7 +3,103 @@ title: "one-shot" description: "my friend keeps asking me to play OneShot. i haven't, but i made this cool challenge!" points: 184 solves: 282 -author: nobody +author: Jozef Steinhübl +date: April 11 2024 --- -yeh' one-shot.... it was hard lol +## Introduction + +![task](https://raw.githubusercontent.com/GerlachSnezka/amateursctf/main/assets/2024-web-one-shot.png) + +In this challenge, we are given a website and its source code. We have to create a session, search for a pass and then guess the pass to get the flag. + +## Analysis + +After digging into the source code, we see a potential SQL injection in the `search` route. The `query` parameter is not sanitized and is directly used in the SQL query. + +```python #1,5 +query = db.execute(f"SELECT password FROM table_{id} WHERE password LIKE '%{request.form['query']}%'") +return f""" +
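Review bot: in the agile-rut.md hunk, the replaced line `![glyphrstudio ligature](2024-web-agile-rut-glyphrstudio-ligature.png)` was broken because the screenshot lives in the GerlachSnezka/amateursctf assets repo rather than next to the markdown, so the new raw.githubusercontent.com URL, matching the ligatures image directly above it, is the right fix; note that both images now resolve against that repo's `main` branch, so a rename or force-push there silently breaks the writeup. Consider pinning the URLs to a commit SHA or vendoring the two screenshots into this site's own assets.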
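Review bot: in the one-shot.md hunk, the sentence "The `query` parameter is not sanitized and is directly used in the SQL query" understates the quoted code, since `f"SELECT password FROM table_{id} WHERE password LIKE '%{request.form['query']}%'"` interpolates two values, `id` into the table name and the form field into the LIKE pattern; the writeup should say whether `id` is also user-controlled and, for readers, name the fix: bind the LIKE value as a query parameter and validate `id` against an allowlist or integer cast, because identifiers cannot be bound. Separately, the frontmatter change `-author: nobody` / `+author: Jozef Steinhübl` / `+date: April 11 2024` introduces a free-form date string; confirm the site's content schema accepts that format (an ISO `2024-04-11` is safer if the schema parses dates).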