[HITB CTF Singapore 2017] Web 512 – Blog

Challenge:

No description.
http://47.74.147.34:20011

Well, another site :D. After surfing around, I checked the Burp history and something interesting appeared:

I have seen this type of query before; it is clearly using GraphQL to perform the query.
After dumping the whole __schema of the GraphQL endpoint without seeing anything suspicious or any authorization vuln, I figured this website would be vulnerable in the backend database.
Tested NoSQL injection, no luck. Time to fuzz!

Wow, a SQLite error. It happened because we passed a malformed object to the query; a little skill will tell you that "aYT0x" stands for "a" + atob("YT0x") = "a" + "a=1".
Interesting!
So now we know what to inject, but looking at the input points, they all use SQLite bound parameters, so we can't do anything there.

Dumping the schema, notice this (thanks to my respectable bro):

{"name":"itemSelection","description":"List details for BlogItems in comma separated list of ID!s","args":[{"name":"ids","description":null,"type":{"kind":"NON_NULL","name":null,"ofType":{"kind":"SCALAR","name":"String","ofType":null}},"defaultValue":null}],"type":{"kind":"LIST","name":null,"ofType"…….blah….blah……

So we know we can construct a new query based on this:

query={ itemSelection(ids:"bYT0x") { title } }

Luckily, this input point doesn't care about SQLite injection, so we try to inject:

😀
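As an added illustration (not the challenge's code, whose backend was never shown), this Python reconstruction assumes the id format the write-up decodes: a one-character prefix followed by base64 of a key=value string, so "aYT0x" becomes ("a", "a=1"). It places the vulnerable pattern the write-up implies for itemSelection (decoded id values spliced into a SQLite IN (...) list) beside a hardened version that validates each value as an integer and binds it, so a malformed id that widens the vulnerable query is rejected by the safe one. The table name, rows and helper names are constructed for the example.

```python
import base64
import sqlite3

# Constructed sample data (not from the challenge): a tiny blog table.
SAMPLE_ROWS = [(1, "first post"), (2, "second post"), (3, "draft post")]


def decode_id(opaque_id: str):
    """Split an opaque id of the form <prefix><base64> into (prefix, payload).

    Assumed format, taken from the write-up: 'aYT0x' == 'a' + atob('YT0x')
    == 'a' + 'a=1'. Padding is restored in case ids are sent unpadded.
    """
    prefix, b64 = opaque_id[0], opaque_id[1:]
    pad = "=" * (-len(b64) % 4)
    payload = base64.b64decode(b64 + pad).decode()
    return prefix, payload


def encode_id(prefix: str, payload: str) -> str:
    """Inverse of decode_id (hypothetical helper, unpadded like 'YT0x')."""
    return prefix + base64.b64encode(payload.encode()).decode().rstrip("=")


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blog_items (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO blog_items VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def item_selection_vulnerable(conn, ids: str):
    """Vulnerable pattern (assumed from the write-up): the value part of each
    decoded id is spliced straight into the SQL text, so anything after the
    '=' in the payload becomes part of the query."""
    values = [decode_id(raw.strip())[1].split("=", 1)[1] for raw in ids.split(",")]
    sql = "SELECT title FROM blog_items WHERE id IN (%s) ORDER BY id" % ",".join(values)
    return [row[0] for row in conn.execute(sql)]


def item_selection_safe(conn, ids: str):
    """Hardened form: every decoded value must be a plain integer and is passed
    as a bound parameter; the SQL text never contains user data."""
    values = []
    for raw in ids.split(","):
        _prefix, payload = decode_id(raw.strip())
        _key, _sep, value = payload.partition("=")
        if not value.isdigit():
            raise ValueError("rejected non-numeric id value: %r" % value)
        values.append(int(value))
    placeholders = ",".join("?" * len(values))
    sql = "SELECT title FROM blog_items WHERE id IN (%s) ORDER BY id" % placeholders
    return [row[0] for row in conn.execute(sql, values)]


if __name__ == "__main__":
    db = make_db()
    print(decode_id("aYT0x"))                       # ('a', 'a=1')
    print(item_selection_safe(db, "bYT0x,bYT0y"))   # ['first post', 'second post']
```

The detection angle is the same as in the write-up: a SQLite error surfacing from a GraphQL resolver for a malformed opaque id is the signal that the id's decoded contents reach the query as text. The fix is the one shown in item_selection_safe: validate the decoded value's type, then build the IN list from placeholders and bind the values.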
