WTF.SQL

Description: (see crawl.txt) Points: 500 Category: Web Flag: flag{b3tter_th@n_th3_prequels}

Solve:

robots.txt -> find all routes
use verifier route to leak source for all routes, subroutines
Template injection
- can't use ${config_signing_key} in post directly since it's blacklisted
- recursive template expansion allows use of ${GET_asdf}
- if ?asdf=${config_signing_key} then it will get interpolated again leaking secret
secret is used to sign cookies
allows you to change is_admin
get to admin panel, need to add privileges
HLE to add panel_view and panel_create privs, giving you arbitrary db.table read
ggwp

Formatting notes:

Types
- Routes should be VARCHAR(255)
- header, cookie, template, etc. keys should be VARCHAR(255)
- header, cookie, template, etc. values should be TEXT
- response is TEXT
Naming
- k/v pairs are always name value (to add to the confusion)

Name		Name	Last commit message	Last commit date
Latest commit History 63 Commits
components		components
static		static
templates		templates
.gitignore		.gitignore
Dockerfile		Dockerfile
README.md		README.md
build.sh		build.sh
crawl.txt		crawl.txt
generate_static.py		generate_static.py
generate_templates.py		generate_templates.py
kill.sh		kill.sh
makefile		makefile
reload.sh		reload.sh
run.sh		run.sh
server.py		server.py
start.sh		start.sh

kallsyms/wtf_sql