In this challenge we have a Windows box ( you can note this in with Firebird DBMS as backend for the web application. The application has an obvious SQL injection in in “order” parameter on /index.php. Since our injection point is in after a order by without any chance to do an error based injection we have to go blind. In the script below first it gets column from guessed table name USERS, using a kind of “information_schema” of firebird, then it prints its content.

Now that we ha admin credentials we need admin page. Since site is hosted on Windows there is a very interesting trick about how it access files. Infact if you go on ?page=« wierdly it won’t prints out “file doesn’t exists” beacuse ‘«’ is replaced with ‘*’ by WINAPI FindFirstFile().

The code above bruteforce it. Now that we have admin panel just log in with credentials tooked above and get the flag.

nurfed, Razor4x