Challenge Description
- Difficulty : Easy
- Points : 150
- Category : Web
Walkthrough
The challenge home page shows a list of songs and allows the user to search for songs.
Checking the robots.txt file reveals a new directory location, /superhiddenadminpanel/. Accessing the new location shows a page that asks for the admin password.
When searching for songs on the home page, it showed a message that the search query should be at least 5 characters long. When I saw this, I imagined that the SQL query used for searching would be something similar to the following.
select * from SONGS where SONG_NAME LIKE '<USERINPUT>%'
I asked myself: what happens if I specify 5 or more % characters as the search string? The query would be somewhat like the one below.
select * from SONGS where SONG_NAME LIKE '%%%%%%'
This would match all songs in the database and return every row. I did this and a new song entry with an emoji title, PASSWORD BACKUP, came up.
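The wildcard behaviour described above, as an added example that is not the challenge's own code: a constructed in-memory SQLite SONGS table, a naive search that mirrors the challenge (length check only, user input bound straight into LIKE), and a hardened search that escapes the LIKE metacharacters % and _ before binding so they are matched literally.

```python
import sqlite3

# Constructed sample data standing in for the challenge's SONGS table
# (not the challenge's real database).
SONGS = ["Hello", "Help!", "Hey Jude", "Hotel California", "PASSWORD BACKUP"]


def connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SONGS (SONG_NAME TEXT)")
    conn.executemany("INSERT INTO SONGS VALUES (?)", [(s,) for s in SONGS])
    return conn


def naive_search(conn, user_input):
    """Mirrors the challenge: minimum length is enforced, but % and _ in the
    input still act as LIKE wildcards, so '%%%%%' passes the check and
    matches every row (including rows meant to stay hidden)."""
    if len(user_input) < 5:
        raise ValueError("search query should be at least 5 characters long")
    # Parameterised, so not injectable in the classic sense, yet the
    # wildcard semantics of the bound value are untouched.
    rows = conn.execute(
        "SELECT SONG_NAME FROM SONGS WHERE SONG_NAME LIKE ?",
        (user_input + "%",),
    ).fetchall()
    return [r[0] for r in rows]


def hardened_search(conn, user_input):
    """Escape LIKE metacharacters so user-supplied % and _ match literally;
    only the trailing % added by the application remains a wildcard."""
    if len(user_input) < 5:
        raise ValueError("search query should be at least 5 characters long")
    escaped = (
        user_input.replace("\\", "\\\\")  # escape the escape char first
        .replace("%", "\\%")
        .replace("_", "\\_")
    )
    rows = conn.execute(
        "SELECT SONG_NAME FROM SONGS WHERE SONG_NAME LIKE ? ESCAPE '\\'",
        (escaped + "%",),
    ).fetchall()
    return [r[0] for r in rows]
```

With the hardened version, a search string of five percent signs matches only titles that literally begin with "%%%%%", so the hidden entry no longer leaks.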
Inspecting the HTML source revealed a new file location, /static/audio/secret_password_backup.txt.bak.
This file contained the admin password: THISISTHEPASSWORDTOTHEADMINPANEL123321123321
Submitting the password on the superhiddenadminpanel page revealed the flag.
Flag: BlackHatMEA{196:14:1595b8c46ef967c77b1edf2e6bb2a9c0e655b61d}