Skip to content

Latest commit

 

History

History
28 lines (25 loc) · 964 Bytes

README.md

File metadata and controls

28 lines (25 loc) · 964 Bytes

WTF.SQL

Description: (see crawl.txt) Points: 500 Category: Web Flag: flag{b3tter_th@n_th3_prequels}

Solve:

  1. robots.txt -> find all routes
  2. use verifier route to leak source for all routes, subroutines
  3. Template injection
    • can't use ${config_signing_key} in post directly since it's blacklisted
    • recursive template expansion allows use of ${GET_asdf}
    • if ?asdf=${config_signing_key} then it will get interpolated again leaking secret
  4. secret is used to sign cookies
  5. allows you to change is_admin
  6. get to admin panel, need to add privileges
  7. HLE to add panel_view and panel_create privs, giving you arbitrary db.table read
  8. ggwp

Formatting notes:

  • Types
    • Routes should be VARCHAR(255)
    • header, cookie, template, etc. keys should be VARCHAR(255)
    • header, cookie, template, etc. values should be TEXT
    • response is TEXT
  • Naming
    • k/v pairs are always name value (to add to the confusion)