https://github.com/kallsyms/wtf_sql
It's like wtf.sh, but in SQL!
- Host: GitHub
- URL: https://github.com/kallsyms/wtf_sql
- Owner: kallsyms
- Created: 2018-02-08T04:51:51.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2018-09-17T20:26:11.000Z (over 6 years ago)
- Last Synced: 2025-01-20T22:55:37.798Z (4 months ago)
- Topics: dumb, sql, wtf
- Language: SQLPL
- Size: 617 KB
- Stars: 3
- Watchers: 3
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# WTF.SQL
Description: (see crawl.txt)
Points: 500
Category: Web
Flag: `flag{b3tter_th@n_th3_prequels}`

Solve:
1. robots.txt -> find all routes
1. use verifier route to leak source for all routes, subroutines
1. Template injection
    * can't use `${config_signing_key}` in post directly since it's blacklisted
    * recursive template expansion allows use of `${GET_asdf}`
    * if `?asdf=${config_signing_key}` then it will get interpolated again leaking secret
1. secret is used to sign cookies
1. allows you to change `is_admin`
1. get to admin panel, need to add privileges
1. HLE to add `panel_view` and `panel_create` privs, giving you arbitrary db.table read
1. ggwp

Formatting notes:
* Types
    * Routes should be VARCHAR(255)
    * header, cookie, template, etc. keys should be VARCHAR(255)
    * header, cookie, template, etc. values should be TEXT
    * response is TEXT
* Naming
    * k/v pairs are always `name` `value` (to add to the confusion)
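
A minimal Python model of the template-injection step in the solve, showing why the blacklist on post content fails against recursive expansion and what a single-pass renderer changes. This is an added example, not code from the wtf_sql repository (which is written in SQL); the `${name}` regex, the `config_` and `GET_` prefix rules, the function names and the sample values are assumptions.

```python
import re

# Assumed syntax: the page shows ${name} placeholders; this regex is a model of them.
VAR = re.compile(r"\$\{(\w+)\}")
BLACKLISTED_PREFIXES = ("config_",)   # assumption: posts may not name config_* variables
PUBLIC_PREFIXES = ("GET_",)           # assumption: request parameters are exposed as GET_<name>

def post_allowed(body):
    """Input filter as the page describes it: reject a post that names a blacklisted variable."""
    return not any("${" + prefix in body for prefix in BLACKLISTED_PREFIXES)

def render_recursive(text, env, max_depth=8):
    """Flawed renderer: output is expanded again, so substituted values are parsed as template."""
    for _ in range(max_depth):
        expanded = VAR.sub(lambda m: env.get(m.group(1), ""), text)
        if expanded == text:
            break
        text = expanded
    return text

def render_single_pass(text, env):
    """Hardened renderer for user-authored text: one pass, allowlisted names only,
    and substituted values are emitted as inert data, never re-parsed."""
    def substitute(match):
        name = match.group(1)
        return env.get(name, "") if name.startswith(PUBLIC_PREFIXES) else ""
    return VAR.sub(substitute, text)

# Constructed sample data: a fake secret and a request made with ?asdf=${config_signing_key}
ENV = {"config_signing_key": "CONSTRUCTED-SECRET", "GET_asdf": "${config_signing_key}"}
POST = "hello ${GET_asdf}"

if __name__ == "__main__":
    print("filter accepts post:", post_allowed(POST))
    print("recursive  :", render_recursive(POST, ENV))
    print("single pass:", render_single_pass(POST, ENV))
```

The filter inspects the stored post, but the blacklisted name only appears at render time through the query parameter, so the control has to live in the renderer rather than in input validation.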