Project Sekai
🔒 BYUCTF 2023 / ✅-web-urmombotnetdotnetcom-3
Avatar
urmombotnetdotnet.com 3 - 500 points
Category: Web
Description: During my databases class, my group and I decided we'd create a web app with the domain urmombotnetdotnet.com, and wrote the relevant code. At first glance, it looks pretty good! I'd say we were pretty thorough. But were we thorough enough?? Oh... we also forgot to make the front end :)
byuctf.xyz:40010
--------------------
What is flag 3? (see byuctf{fakeflag3} in source) (see source from first chall)
Files: No files.
Tags: Medium
Sutx pinned a message to this channel. 05/19/2023 10:01 AM
Avatar
@Violin wants to collaborate 🤝
10:08
@rubiya wants to collaborate 🤝
10:12
@Legoclones wants to collaborate 🤝
10:12
@jayden wants to collaborate 🤝
Avatar
@strellic wants to collaborate 🤝
Avatar
hmmm
10:57
cur.execute("SELECT user_id, message FROM support_tickets WHERE ticket_id=%s", (ticket_id))
10:57
that's not a tuple
Avatar
uhoh that should be a tuple
10:59
maybe I made a mistake 😬
Avatar
o lol
11:00
yeah i'm just erroring at that section
Avatar
yeah it shouldn't error
11:00
lemme fix
11:03
@strellic does it work now?
Avatar
i think i'm still getting the same error
11:05
File "/app/ticket_routes.py", line 62, in post_add_message
@app.route('/api/tickets/<int:ticket_id>', methods=['POST'])
@token_required
def post_add_message(session_data, ticket_id):
    # get user_id from ticket_id
    cur = mysql.connection.cursor()
    cur.execute("SELECT user_id, message FROM support_tickets WHERE ticket_id=%s", (ticket_id))
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    response = cur.fetchone()
    cur.close()
Avatar
okay now try
11:08
it was cached
Avatar
MySQLdb.ProgrammingError: (1146, "Table 'ctf.support_tickets' doesn't exist")
11:10
capitalizationnn
11:12
OKAY now I think it should work
Avatar
MySQLdb.OperationalError: (1054, "Unknown column 'message' in 'field list'")
11:13
lmaoo
Avatar
OH MY GOODNESS alright one sec
11:16
okay changed
Avatar
works!
11:18
byuctf{let's_not_even_talk_about_the_newline_injection...}
11:18
but i solved with the same way as 2
Avatar
strellic
used /ctf solve
✅ Challenge solved.
Avatar
yeah I knew those 2 would be the same
11:19
which is why I was surprised people didn't get 3 so fast after 2
11:19
turns out it was my fault 😦
Exported 37 message(s)