From 628c259d92d16776307cc9e22135c56482331030 Mon Sep 17 00:00:00 2001 From: michael Date: Mon, 13 Jan 2020 23:05:08 +0100 Subject: [PATCH] Fix typos --- writeups/tortagel/seccon19.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/writeups/tortagel/seccon19.md b/writeups/tortagel/seccon19.md index a0359d0..4820b8a 100644 --- a/writeups/tortagel/seccon19.md +++ b/writeups/tortagel/seccon19.md 
@@ -46,7 +46,7 @@ Flag: `SECCON{Success_Decryption_Yeah_Yeah_SECCON}` This was an interesting challenge in my opinion, not that hard, but fun. I solved it like a blind SQL injection, but afterwards I saw it actually wasn't a blind SQLi, just a normal SQLi, however, it worked also this way :D -Given was an articles website with a search box on the top and the search results below, nothing special. I started by entering some SQL commands like `'or 1=1--` in the search box. The handy part was, after applying the search, the input changed to the accepted search input. So in this case it changed to `'1=1--`, the `or` was removed an the whitespace. From the IntroSec course I remembered the challenge where SQL commands were replaced by an empty string and `/**/` instead of blanks, so I tried `'OorR/**/1=1--`. And yes, the remaining part was `'OR/**/1=1--`, but still an error, so I replaced `--` with `#` to `'OorR/**/1=1#` and it worked! +Given was an articles website with a search box on the top and the search results below, nothing special. I started by entering some SQL commands like `'or 1=1--` in the search box. The handy part was, after applying the search, the input changed to the accepted search input. So in this case it changed to `'1=1--`, the `or` was removed an also the whitespace. From the IntroSec course I remembered the challenge where SQL commands were replaced by an empty string and `/**/` instead of blanks, so I tried `'OorR/**/1=1--`. And yes, the remaining part was `'OR/**/1=1--`, but still an error, so I replaced `--` with `#` to `'OorR/**/1=1#` and it worked! On the bottom of the website an article `FLAG` appeared: 
@@ -54,7 +54,7 @@ On the bottom of the website an article `FLAG` appeared: The flag is "SECCON{Yeah_Sqli_Success_" ... well, the rest of flag is in "flag" table. Try more! ``` -So the first part was done. I am not sure why did not think about an `union` at this point, maybe I just wanted that it is a blind SQL injection :D So i took the script from the IntroSec blind SQLi challenge an adjusted it to this challenge. +So the first part was done. I am not sure why I did not think about an `union` at this point, maybe I just wanted that it is a blind SQL injection :D So i took the script from the IntroSec blind SQLi challenge an adjusted it to this challenge. First I tried to find something in the `information_schema.tables` table, but this throw always an error, no idea why. So I just wrote `SELECT * FROM flag` and hoped it works and yes it did. The only remaining problem was, that all commas were replaced by an empty string, so I couldn't use `MID` or `SUBSTRING`, but after some researching I found the solution, `SUBSTRING` can be used like `SUBSTRING(str FROM pos FOR len)`. Then i just had to wait while the rest of the flag came in: `You_Win_Yeah}`. @@ -109,7 +109,7 @@ I've created yet another stegano. Can you find hidden message? ``` -I opened the picture with the tool Stegsolve and played around for a while, but I found nothing had not really an idea what todo. +I opened the picture with the tool Stegsolve and played around for a while, but I found nothing and had not really an idea what todo. ### lazy -- 2.43.0
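Review bot: In the first hunk (`@@ -46,7 +46,7 @@`), the added line still carries the typo it touches: `the or was removed an also the whitespace` has `an` where `and` is meant. Suggest `the or was removed and also the whitespace`, so the sentence describing what the search filter strips (the `or` keyword and blanks) reads correctly in one pass.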
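Review bot: In the second hunk (`@@ -54,7 +54,7 @@`), the added line fixes the missing `I` but leaves three other typos in the same sentence pair: `an union` should be `a union`, `So i took` should be `So I took`, and `an adjusted it` should be `and adjusted it`. Since the commit is titled "Fix typos" and this line is already being rewritten, fold those in here rather than in a follow-up.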
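Review bot: In the third hunk (`@@ -109,7 +109,7 @@`), the added line ends with `what todo`, which should be `what to do`. The inserted `and` is fine, but the clause still reads awkwardly; consider `but I found nothing and did not really have an idea what to do`.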