~$ Advent of Cyber 2022 - Day 16

Posted on Dec. 16th, 2022. | Est. reading time: 2 minutes


Author:
Unknown
Category:
Purple Team: Secure Coding
Link:

Question 1

What is the value of Flag1?

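include "connection.php";

// The elf id comes straight from the query string (untrusted). intval()
// coerces it to an integer before it is concatenated into SQL, which is what
// closes the injection here; a missing `id` becomes 0 instead of a PHP notice.
// (Binding it with a prepared statement and type 'i' is the equivalent
// alternative, as the search and login pages do.)
$elf_id = isset($_GET['id']) ? intval($_GET['id']) : 0;

$query = "select * from users where id=" . $elf_id;
$elves_rs = mysqli_query($db, $query);
if (!$elves_rs) {
    // Log the failing statement server-side only. The previous `die($query)`
    // echoed the SQL text to the browser, disclosing table and column names.
    error_log("Invalid SQL query: " . $query . " - " . mysqli_error($db));
    die("Error: Invalid SQL Query");
}
// Get the first result. There should be a single elf here; $elf is null when
// no row matched, so code that renders it must check before indexing.
$elf = mysqli_fetch_assoc($elves_rs);

// Now get the toys associated to this elf (same sanitised id as above).
$query = "select * from toys where creator_id=" . $elf_id;
$toys_rs = mysqli_query($db, $query);
if (!$toys_rs) {
    error_log("Invalid SQL query: " . $query . " - " . mysqli_error($db));
    die("Error: Invalid SQL Query");
}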
Screenshot of the Flag1 exploitation

Answer: THM{McCode, Elf McCode}

Question 2

What is the value of Flag2?

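// Free-text toy search. The term is sent as a bound parameter, so it can never
// terminate the string literal or alter the statement. Note that `%` and `_`
// inside the term still act as LIKE wildcards; that is not an injection, but
// escape them (and add a length cap) if wildcard searches are unwanted.
$query = "select * from toys where name like ? or description like ?";
$stmt = mysqli_prepare($db, $query);
if (!$stmt) {
    // mysqli_prepare() returns false on a malformed statement; binding to it
    // would be a fatal error. Keep the statement text out of the response.
    error_log("Failed to prepare query: " . $query . " - " . mysqli_error($db));
    die("Error: Invalid SQL Query");
}
// A missing `q` parameter searches for everything rather than raising a notice.
$term = isset($_GET['q']) ? $_GET['q'] : '';
$q = "%" . $term . "%";
mysqli_stmt_bind_param($stmt, 'ss', $q, $q);
mysqli_stmt_execute($stmt);
$toys_rs = mysqli_stmt_get_result($stmt);
if (!$toys_rs) {
    // Log server-side; the old `die($query)` leaked the SQL text to the client.
    error_log("Invalid SQL query: " . $query . " - " . mysqli_stmt_error($stmt));
    die("Error: Invalid SQL Query");
}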
Screenshot of the Flag2 exploitation

Answer: THM{KodeNRoll}

Question 3

What is the value of Flag3?

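include "connection.php";

// Untrusted toy id from the query string, coerced to an integer so it cannot
// carry SQL; a missing parameter becomes 0 instead of raising a notice.
$toy_id = isset($_GET['id']) ? intval($_GET['id']) : 0;

$query = "select * from toys where id=" . $toy_id;
$toys_rs = mysqli_query($db, $query);
if (!$toys_rs) {
    // Keep the statement text out of the HTTP response; the previous
    // `die($query)` disclosed table and column names to the client.
    error_log("Invalid SQL query: " . $query . " - " . mysqli_error($db));
    die("Error: Invalid SQL Query");
}
// Get the first result. There should be a single toy here; null if none matched.
$toy = mysqli_fetch_assoc($toys_rs);

// Query info on the creator elf. creator_id comes from the database row, not
// the request, but it is still cast so a NULL or corrupt value cannot change
// the statement. When no toy matched, the lookup uses id 0 (as before) without
// the "array offset on null" warning.
$creator_id = isset($toy['creator_id']) ? intval($toy['creator_id']) : 0;
$query = "select * from users where id=" . $creator_id;
$elves_rs = mysqli_query($db, $query);
if (!$elves_rs) {
    error_log("Invalid SQL query: " . $query . " - " . mysqli_error($db));
    die("Error: Invalid SQL Query");
}
// Get the first result. There should be a single elf here; null if none matched.
$elf = mysqli_fetch_assoc($elves_rs);

// Query info on planned deliveries for this toy (same sanitised id as above).
$query = "select * from kids where assigned_toy_id=" . $toy_id;
$kids_rs = mysqli_query($db, $query);
if (!$kids_rs) {
    error_log("Invalid SQL query: " . $query . " - " . mysqli_error($db));
    die("Error: Invalid SQL Query");
}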
Screenshot of the Flag3 exploitation

Answer: THM{Are we secure yet?}

Question 4

What is the value of Flag4?

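if (isset($_POST['username']) && isset($_POST['password'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    // Both credentials are bound as parameters, so neither can alter the
    // statement (the `' or 1=1 -- -` style bypass no longer works).
    // NOTE(review): the submitted password is compared against the stored
    // column verbatim, so the users table apparently holds plaintext
    // passwords. The proper fix is to store password_hash() output, select
    // the row by username only and check it with password_verify(); that
    // needs a schema change, so it is not done here.
    $query = "select * from users where username=? and password=?";
    $stmt = mysqli_prepare($db, $query);
    if (!$stmt) {
        // Binding to a false handle is fatal; fail closed with a generic message.
        error_log("Failed to prepare login query: " . mysqli_error($db));
        die("Error: Invalid SQL Query");
    }
    mysqli_stmt_bind_param($stmt, 'ss', $username, $password);
    mysqli_stmt_execute($stmt);
    $users_rs = mysqli_stmt_get_result($stmt);
    // Fetch the matched row (null when credentials are wrong or the query
    // failed), so the session can be populated from database values.
    $user = $users_rs ? mysqli_fetch_assoc($users_rs) : null;
    if ($user) {
        // Issue a fresh session id on the privilege change so a session id an
        // attacker planted before login (session fixation) is not upgraded.
        // Assumes session_start() has already run, as $_SESSION use requires.
        session_regenerate_id(true);
        // Store the canonical username from the row rather than the raw POST
        // value: with MySQL's default case-insensitive collation "ADMIN"
        // matches "admin", and trailing spaces are ignored on comparison.
        $_SESSION['username'] = $user['username'];
        // Client-side redirect kept as in the original; header('Location: ...')
        // is preferable when no output has been sent yet. Stop here so nothing
        // below the login handler is emitted to the response.
        echo "<script>window.location='admin.php';</script>";
        exit;
    } else {
        // Same message for unknown user and wrong password: avoids account
        // enumeration. $message is a constant, so it is safe inside the script.
        $message = "Incorrect username/password found!";
        echo "<script type='text/javascript'>alert('$message');</script>";
    }
}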
Screenshot of the Flag4 exploitation

Answer: THM{SQLi_who???}