A disturbing lack of taste. Just another WordPress site

16 Jan 2014

Hack you 2014 – Web300 Writeup

In this challenge we have a Windows box (you can confirm this at http://hackyou2014tasks.ctf.su:30080/phpinfo.php) with the Firebird DBMS as the backend for the web application. The application has an obvious SQL injection in the "order" parameter of /index.php. Since our injection point is after an ORDER BY, with no chance of an error-based injection, we have to go blind. The script below first retrieves the columns of the guessed table name USERS, using Firebird's system tables (its rough equivalent of information_schema), then prints their contents.

http://pastebin.com/HLZdv0iv

Now that we have the admin credentials we need the admin page. Since the site is hosted on Windows there is a very interesting trick in how it accesses files. In fact, if you go to ?page=<< it weirdly does not print "file doesn't exist", because '<<' is replaced with '*' by the WinAPI FindFirstFile().

http://pastebin.com/Pja2h3D9

The code above brute-forces it. Now that we have the admin panel, just log in with the credentials obtained above and get the flag.
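As an added defensive example (not code from the writeup or the challenge), this is how the two flaws above would be closed in the application's request handling: the sort column and the page name are both resolved through allow-lists, because an ORDER BY identifier cannot be bound as a query parameter and a page lookup should never reach the filesystem with user-controlled wildcard characters. The column names, page names and paths are assumed for the example, and it is written in Python rather than the site's PHP.

```python
import re

# Sort columns a client may request (constructed for this example). An ORDER BY
# identifier cannot be bound as a query parameter, so an allow-list, not
# escaping, is the fix for the injection described in the post.
SORTABLE_COLUMNS = {"id", "title", "created"}

# Pages the front controller may serve; hypothetical names and paths.
PAGES = {"home": "pages/home.php", "news": "pages/news.php", "admin": "pages/admin.php"}

# Characters that never belong in a page name: the DOS wildcard characters the
# Windows file APIs interpret ('<', '>', '"', as the post shows with ?page=<<),
# ordinary wildcards, path separators and NUL.
_BAD_PAGE_CHARS = re.compile(r'[<>"*?\\/\x00]')

class RejectedInput(ValueError):
    """Raised for any request value that fails the allow-list."""

def build_order_clause(order_param: str) -> str:
    """Turn a user-supplied 'order' value into a safe ORDER BY fragment."""
    col, _, direction = order_param.strip().partition(" ")
    col = col.lower()
    direction = (direction.strip() or "asc").lower()
    if col not in SORTABLE_COLUMNS:
        raise RejectedInput(f"unknown sort column: {order_param!r}")
    if direction not in ("asc", "desc"):
        raise RejectedInput(f"bad sort direction: {order_param!r}")
    return f"ORDER BY {col} {direction.upper()}"

def resolve_page(page_param: str) -> str:
    """Map ?page= to a file through the allow-list, never through the filesystem."""
    if _BAD_PAGE_CHARS.search(page_param):
        raise RejectedInput(f"wildcard or path character in page name: {page_param!r}")
    if page_param not in PAGES:
        raise RejectedInput(f"unknown page: {page_param!r}")
    return PAGES[page_param]

def rejected(check, value: str) -> bool:
    """True if the given validator refuses the value."""
    try:
        check(value)
    except RejectedInput:
        return True
    return False

if __name__ == "__main__":
    print(build_order_clause("title desc"))
    # Inputs from the post: a subquery against a Firebird system table in the
    # sort parameter, and the ?page=<< wildcard probe; both must be refused.
    print(rejected(build_order_clause, "id,(select 1 from rdb$relation_fields)"))
    print(rejected(resolve_page, "<<"))
```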

nurfed, Razor4x


Comments (2)
  1. How did you figure out it was Firebird in the first place? Was it by excluding MySQL and sqlite due to lack of the `LIMIT` statement?

    • Well, if you look at phpinfo it has a driver installed for Firebird and also the challenge name “Angry Bird” hinted this way. But if you want a sure way just do a select from a system database like “rdb$relation_fields”.
