Overview

The source is exposed via challenge.php?showsource=1, so this is a whitebox challenge. Let's read and analyze it together.

There is a users table with 4 fields: id, name, email and, most importantly, password. Since the UI only displays 3 fields (id, name, email), we can quickly deduce that the flag we need to find is most likely the password → I can strongly suspect that this is an SQLi vulnerability.
```php
<?php
// $pdo is assumed to be an existing PDO connection (not shown in the excerpt)
$max = 10;
if (isset($_GET['max']) && !is_array($_GET['max']) && $_GET['max'] > 0) {
    $max = $_GET['max'];
    // list of characters to check
    $words = ["'", "\"", ";", "`", " ", "a", "b", "h", "k", "p", "v", "x", "or", "if", "case", "in", "between", "join", "json", "set", "=", "|", "&", "%", "+", "-", "<", ">", "#", "/", "\r", "\n", "\t", "\v", "\f"];
    foreach ($words as $w) {
        if (preg_match("#" . preg_quote($w) . "#i", $max)) {
            exit("H4ckerzzzz");
        } // no weird chars
    }
}
try {
    // seen in production
    $stmt = $pdo->prepare("SELECT id, name, email FROM users WHERE id<=$max");
    $stmt->execute();
    $results = $stmt->fetchAll();
} catch (\PDOException $e) {
    exit("ERROR: BROKEN QUERY");
}
```
Quick explanation of the code snippet above.

- The code checks whether max is present in the URL and whether it meets certain criteria: it ensures that max is not an array and that its value is greater than 0 → so it must be a number.
- $words is defined, containing a list of characters to check for in the max parameter. This list includes various characters that are often associated with security vulnerabilities when handling user input.
- The code iterates over the $words array with a foreach loop. Inside the loop, it uses a regular expression (preg_match) to check whether the character exists in the max parameter. If any of these characters are found in the max parameter, it exits the script with the message "H4ckerzzzz" → yeah, we have to bypass this.
- If max passes the checks, the code attempts to execute a database query. It uses the prepare method to create a prepared statement with an SQL query that selects id, name and email from the users table where id is less than or equal to the value of $max.
- The statement is run with the execute method, and the results are fetched into the $results variable using fetchAll.
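For comparison, here is a hardened version of the same query, as an added example that is not part of the challenge source: the `> 0` comparison and the character blocklist are replaced by an integer allowlist check and a bound PDO parameter, so nothing from the request is ever interpolated into the SQL string. $pdo is assumed to be the existing connection, and fetchUsersUpTo is a name chosen here.

```php
<?php
// Added example, not the challenge's code. Assumes $pdo is an existing PDO
// connection; fetchUsersUpTo is a hypothetical name for this illustration.

function fetchUsersUpTo(PDO $pdo, $rawMax): array
{
    // Allowlist: accept only a plain positive integer. This checks what the
    // value IS rather than scanning for a handful of "bad" characters, and
    // "> 0" alone would not prove the input is numeric.
    $max = is_array($rawMax)
        ? false
        : filter_var($rawMax, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($max === false) {
        $max = 10; // fall back to the challenge's default instead of trusting the input
    }

    // Placeholder + typed binding: the value travels as data, never as SQL.
    // (Setting PDO::ATTR_EMULATE_PREPARES to false on the connection makes the
    // driver use native server-side prepares as well.)
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE id <= :max');
    $stmt->bindValue(':max', $max, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

try {
    $results = fetchUsersUpTo($pdo, $_GET['max'] ?? 10);
} catch (\PDOException $e) {
    exit('ERROR: BROKEN QUERY');
}
```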