Keith and Dawg 6 Solution
by Soumil Mukherjee and Jason Yang
FLAG: 814213eb444efc2eb8116b0f3b224f2c
Keith and Dawg 6 was a problem that was meant to be solved with SQL Injection. However, there were a number of red herrings on the website. For example, the website was susceptible to cross-site-scripting (XSS), although this was not the right approach to solve it. In addition, there were a number of files stored in the database, including three reports on Agent Jakob Degen, stored in shadyjdawg's account, but the files did not contain any hints regarding the password - the only purpose they served was to test the validity of attempted injections.
Unlike most questions involving SQL injection, this problem cannot be solved simply by injecting code into any individual form - each form by itself is escaped and cannot be injected, for the most part. Specifically, the "Login", "Register", and "Change Username" forms are all executed using PHP's prepared statements, which prevents SQL injection. The last form, a search form on the Files page, is slightly different. In particular, it escapes the form input (the search parameters), but, when checking the username, it does not escape injected SQL code. Upon opening the "Files" page, PHP executes the following code to display all files:
$query = 'SELECT file FROM files WHERE username = "'.$username . '"';
$result = $dbc->query($query);
The PHP code for searching for specific files looks like:
$query = 'SELECT file FROM files WHERE file LIKE ? AND username = "'.$username.'"';
$result = $dbc->prepare($query);
$q1 = "%".$_GET["q"]."%";
$result->bind_param("s", $q1);
So, the simplest way to inject SQL code into this query is by setting one's username to an SQL query (most likely through the "Change Username" form, unless you happened to guess the PHP code before signing up). The form will submit without any errors, since the form is prepared. Then, upon opening the "Files" page, the injected SQL code works as expected. Although there are many possible usernames that would extract the required information, one example that displays all of shadyjdawg's files, as well as his password, is:
shadyjdawg" UNION SELECT password FROM users WHERE username = "shadyjdawg"; --
Note that, since MySQL is used for this website, stacked queries do not execute. Also, ensure that there is a space after the -- in the username, since -- only comments the remainder of the line if there is a whitespace character after the --.
Using the above username, the following query would be executed upon loading the "Files" page.
SELECT file FROM files WHERE username = "shadyjdawg" UNION SELECT password FROM users WHERE username = "shadyjdawg"; -- "
So, all of shadyjdawg's files would be displayed, followed by shadyjdawg's password ("the flag is: 814213eb444efc2eb8116b0f3b224f2c").