Writeup: Advent of Cyber 4 Day 16 - AtomicMaya/knowledge-base GitHub Wiki
Link: Advent Of Cyber 4 on TryHackMe
What is the value of Flag1? The flag is revealed once the elf/toy lookups below no longer splice the raw `id` parameter into SQL; this version casts it with `intval()` before it reaches the query.
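include "connection.php";
// Resolve the requested elf id once. intval() turns a missing or non-numeric
// value into 0 (which matches no row) and guarantees we bind an integer.
$id = intval($_GET['id'] ?? 0);

// Elf lookup. The id is bound as a parameter instead of being spliced into the
// SQL text, so user input can never alter the structure of the query.
$query = "select * from users where id=?";
$stmt = mysqli_prepare($db, $query);
$elves_rs = $stmt
    && mysqli_stmt_bind_param($stmt, 'i', $id)
    && mysqli_stmt_execute($stmt)
    ? mysqli_stmt_get_result($stmt)
    : false;
if (!$elves_rs)
{
    // Keep the driver error server-side. Echoing the SQL text to the client
    // (the old die($query)) hands an attacker the exact query shape to attack.
    error_log("elf lookup failed: " . mysqli_error($db));
    echo "<font color=red size=10>Error: Invalid SQL Query</font>";
    die();
}
// Get the first result. There should be a single elf here (null if none).
$elf = mysqli_fetch_assoc($elves_rs);

// Now get the toys associated to this elf, using the same bound integer.
$query = "select * from toys where creator_id=?";
$stmt = mysqli_prepare($db, $query);
$toys_rs = $stmt
    && mysqli_stmt_bind_param($stmt, 'i', $id)
    && mysqli_stmt_execute($stmt)
    ? mysqli_stmt_get_result($stmt)
    : false;
if (!$toys_rs)
{
    error_log("toy lookup failed: " . mysqli_error($db));
    echo "<font color=red size=10>Error: Invalid SQL Query</font>";
    die();
}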
Answer: THM{McCode, Elf McCode}
What is the value of Flag2? Here the search term is handed to a prepared statement as a bound `LIKE` parameter instead of being concatenated into the query string.
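// Search term. A missing parameter becomes an empty search (matches every
// row, as before). The LIKE metacharacters % and _ are escaped so a caller
// cannot widen the match with their own wildcards (e.g. q=% listing every
// toy); MySQL's default LIKE escape character is the backslash. The value is
// then bound, never concatenated into the SQL text.
$term = addcslashes($_GET['q'] ?? '', '%_\\');
$q = "%" . $term . "%";

$query = "select * from toys where name like ? or description like ?";
$stmt = mysqli_prepare($db, $query);
// mysqli_prepare() returns false on failure; binding to false is a fatal
// TypeError, so every step is checked before the result set is read.
$toys_rs = $stmt
    && mysqli_stmt_bind_param($stmt, 'ss', $q, $q)
    && mysqli_stmt_execute($stmt)
    ? mysqli_stmt_get_result($stmt)
    : false;
if (!$toys_rs)
{
    // Log server-side only; do not echo the SQL text back to the client.
    error_log("toy search failed: " . mysqli_error($db));
    echo "<font color=red size=10>Error: Invalid SQL Query</font>";
    die();
}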
Answer: THM{KodeNRoll}
What is the value of Flag3? As for Flag1, every `id` fed to the three lookups below is cast with `intval()` rather than inserted as a raw string.
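include "connection.php";
// Resolve the requested toy id once; missing/non-numeric input becomes 0.
$id = intval($_GET['id'] ?? 0);

// Toy lookup, id bound as an integer parameter rather than concatenated.
$query = "select * from toys where id=?";
$stmt = mysqli_prepare($db, $query);
$toys_rs = $stmt
    && mysqli_stmt_bind_param($stmt, 'i', $id)
    && mysqli_stmt_execute($stmt)
    ? mysqli_stmt_get_result($stmt)
    : false;
if (!$toys_rs)
{
    // Never echo the SQL text to the client (the old die($query) did).
    error_log("toy lookup failed: " . mysqli_error($db));
    echo "<font color=red size=10>Error: Invalid SQL Query</font>";
    die();
}
// Get the first result. There should be a single toy here (null if none).
$toy = mysqli_fetch_assoc($toys_rs);

// Query info on the creator elf. creator_id comes from our own row, not the
// request, but it is still bound rather than concatenated. `?? 0` avoids the
// "array offset on null" warning when no toy matched (intval(null) was 0).
$creator_id = intval($toy['creator_id'] ?? 0);
$query = "select * from users where id=?";
$stmt = mysqli_prepare($db, $query);
$elves_rs = $stmt
    && mysqli_stmt_bind_param($stmt, 'i', $creator_id)
    && mysqli_stmt_execute($stmt)
    ? mysqli_stmt_get_result($stmt)
    : false;
if (!$elves_rs)
{
    error_log("elf lookup failed: " . mysqli_error($db));
    echo "<font color=red size=10>Error: Invalid SQL Query</font>";
    die();
}
// Get the first result. There should be a single elf here (null if none).
$elf = mysqli_fetch_assoc($elves_rs);

// Query info on planned deliveries for this toy, same bound integer.
$query = "select * from kids where assigned_toy_id=?";
$stmt = mysqli_prepare($db, $query);
$kids_rs = $stmt
    && mysqli_stmt_bind_param($stmt, 'i', $id)
    && mysqli_stmt_execute($stmt)
    ? mysqli_stmt_get_result($stmt)
    : false;
if (!$kids_rs)
{
    error_log("delivery lookup failed: " . mysqli_error($db));
    echo "<font color=red size=10>Error: Invalid SQL Query</font>";
    die();
}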
Answer: THM{Are we secure yet?}
What is the value of Flag4? The login query binds `username` and `password` as prepared-statement parameters, so neither field can change the query's structure.
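if(isset($_POST['username']) && isset($_POST['password'])){
    $username = $_POST['username'];
    $password = $_POST['password'];

    // Both credentials are bound parameters; neither can alter the SQL text.
    // NOTE(review): matching the submitted password against a column in the
    // WHERE clause only works if passwords are stored in clear text. The real
    // fix is to store password_hash() output, fetch the row by username alone
    // and check it with password_verify() — a schema change not visible here.
    $query = "select * from users where username=? and password=?";
    $stmt = mysqli_prepare($db, $query);
    // mysqli_prepare() returns false on failure; binding to false is a fatal
    // TypeError and mysqli_num_rows(false) likewise, so a failed statement is
    // treated as a failed login instead of crashing.
    $users_rs = $stmt
        && mysqli_stmt_bind_param($stmt, 'ss', $username, $password)
        && mysqli_stmt_execute($stmt)
        ? mysqli_stmt_get_result($stmt)
        : false;

    if ($users_rs && mysqli_num_rows($users_rs) > 0)
    {
        // Rotate the session id on this privilege change so an id an attacker
        // planted before login (session fixation) is not upgraded to an
        // authenticated one. Assumes session_start() already ran, as the
        // $_SESSION write below already requires.
        session_regenerate_id(true);
        $_SESSION['username'] = $username;
        echo "<script>window.location='admin.php';</script>";
    }
    else
    {
        // One generic message for both wrong user and wrong password, so the
        // response does not reveal which usernames exist. $message is a fixed
        // literal; if it ever carried user data it would need json_encode()
        // before being placed inside the script.
        $message = "Incorrect username/password found!";
        echo "<script type='text/javascript'>alert('$message');</script>";
    }
}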
Answer: THM{SQLi_who???}