~$ Advent of Cyber 2022 - Day 16

Posted on Dec. 16th, 2022. | Est. reading time: 2 minutes

Author:
Unknown
Category:
Purple Team: Secure Coding

Question 1

What is the value of Flag1?

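```php
include "connection.php";

// Untrusted input: the elf id arrives on the query string. intval() guarantees
// that only an integer is ever concatenated into the SQL text, which is an
// adequate defence for a numeric id (a bound parameter would be the uniform
// choice alongside the prepared statements used elsewhere). `?? ''` avoids an
// "undefined array key" warning when the parameter is absent; intval('') is 0.
$id = intval($_GET['id'] ?? '');

$query = "select * from users where id=" . $id;
$elves_rs = mysqli_query($db, $query);
if (!$elves_rs) {
    // Record the failure server-side only. Echoing the raw statement to the
    // client (the previous die($query)) disclosed table and column names.
    error_log("Elf lookup failed: " . mysqli_error($db));
    die("Error: Invalid SQL Query");
}
// Get the first result. There should be a single elf here; null if none.
$elf = mysqli_fetch_assoc($elves_rs);

// Now get the toys associated to this elf, reusing the already-sanitised id.
$query = "select * from toys where creator_id=" . $id;
$toys_rs = mysqli_query($db, $query);
if (!$toys_rs) {
    error_log("Toy lookup failed: " . mysqli_error($db));
    die("Error: Invalid SQL Query");
}
```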

Answer: THM{McCode, Elf McCode}

Question 2

What is the value of Flag2?

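```php
// The SQL text contains no user data; the search term is only ever passed as
// a bound parameter, so it cannot alter the statement.
$query = "select * from toys where name like ? or description like ?";
$stmt = mysqli_prepare($db, $query);
if (!$stmt) {
    // Log server-side only; the statement text is not shown to the client.
    error_log("Toy search prepare failed: " . mysqli_error($db));
    die("Error: Invalid SQL Query");
}

// `?? ''` avoids an "undefined array key" warning when no term is supplied.
// Note: '%' and '_' inside the term still act as LIKE wildcards. That can only
// widen the match set, not change the query; escape them if exact matching of
// those characters is ever required.
$q = "%" . ($_GET['q'] ?? '') . "%";
mysqli_stmt_bind_param($stmt, 'ss', $q, $q);
mysqli_stmt_execute($stmt);
$toys_rs = mysqli_stmt_get_result($stmt);
if (!$toys_rs) {
    error_log("Toy search failed: " . mysqli_stmt_error($stmt));
    die("Error: Invalid SQL Query");
}
```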

Answer: THM{KodeNRoll}

Question 3

What is the value of Flag3?

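```php
include "connection.php";

// Untrusted input: the toy id arrives on the query string. intval() ensures
// only an integer is concatenated into the SQL text; `?? ''` avoids an
// "undefined array key" warning when the parameter is absent.
$id = intval($_GET['id'] ?? '');

$query = "select * from toys where id=" . $id;
$toys_rs = mysqli_query($db, $query);
if (!$toys_rs) {
    // Log the failure server-side; the raw statement is never echoed to the
    // client, as that would disclose schema details.
    error_log("Toy lookup failed: " . mysqli_error($db));
    die("Error: Invalid SQL Query");
}
// Get the first result. There should be a single toy here; null if none.
$toy = mysqli_fetch_assoc($toys_rs);

// Query info on the creator elf. creator_id comes from our own database, but
// it is still cast so the concatenation can only ever contain an integer.
// `?? ''` covers the case where no toy row was found.
$query = "select * from users where id=" . intval($toy['creator_id'] ?? '');
$elves_rs = mysqli_query($db, $query);
if (!$elves_rs) {
    error_log("Creator lookup failed: " . mysqli_error($db));
    die("Error: Invalid SQL Query");
}
// Get the first result. There should be a single elf here; null if none.
$elf = mysqli_fetch_assoc($elves_rs);

// Query info on planned deliveries, reusing the already-sanitised toy id.
$query = "select * from kids where assigned_toy_id=" . $id;
$kids_rs = mysqli_query($db, $query);
if (!$kids_rs) {
    error_log("Delivery lookup failed: " . mysqli_error($db));
    die("Error: Invalid SQL Query");
}
```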

Answer: THM{Are we secure yet?}

Question 4

What is the value of Flag4?

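```php
if (isset($_POST['username']) && isset($_POST['password'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    // Both credentials are bound parameters; the SQL text never contains user
    // input, so this lookup is not injectable.
    // NOTE(review): comparing the password inside the query only works if the
    // column holds the clear-text password. The stronger pattern is to select
    // the row by username alone and check password_verify() against a
    // password_hash() value; that needs a schema change, so it is left as-is.
    $query = "select * from users where username=? and password=?";
    $stmt = mysqli_prepare($db, $query);
    if (!$stmt) {
        // Log server-side only; do not reveal the statement to the client.
        error_log("Login prepare failed: " . mysqli_error($db));
        die("Error: Invalid SQL Query");
    }
    mysqli_stmt_bind_param($stmt, 'ss', $username, $password);
    mysqli_stmt_execute($stmt);
    $users_rs = mysqli_stmt_get_result($stmt);
    if (!$users_rs) {
        // Previously a failed execute reached mysqli_num_rows() with `false`.
        error_log("Login query failed: " . mysqli_stmt_error($stmt));
        die("Error: Invalid SQL Query");
    }

    if (mysqli_num_rows($users_rs) > 0) {
        // Issue a fresh session id on privilege change so a session id fixed
        // before login cannot be reused. Assumes session_start() already ran,
        // as the existing $_SESSION write implies.
        session_regenerate_id(true);
        $_SESSION['username'] = $username;
        echo "<script>window.location='admin.php';</script>";
    } else {
        // The message is a constant today; json_encode() keeps it a safe JS
        // string literal should it ever include user-supplied text.
        $message = "Incorrect username/password found!";
        echo "<script type='text/javascript'>alert(" . json_encode($message) . ");</script>";
    }
}
```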

Answer: THM{SQLi_who???}