Find out Squirrel Master's password!
http://chalf.hkcert21.pwnable.hk:28062/
This is an easy web challenge on SQL injection, which is a common vulnerability, especially in old applications. An experienced player / pentester is expected to solve it within 5 min, but if you're new to this game, read on!
To find abnormalities (bugs / vulnerabilities) in a web application, you first need to understand its behavior under normal usage. Visit the homepage (http://chalf.hkcert21.pwnable.hk:28062/) and you will see a cute squirrel saying hi to you, with a big button to Join the community. The other links on the webpage are either out of scope (not on the same website) or simply not functioning. So let's click that button.
In the SquirrelChat application, we can see there are two functions: Login and Register. After registering an account and logging in to the application, we can see that there are two additional functions, Chatroom and Logout, along with lengthy (but not helpful) text on the homepage.
Click into the chatroom, and you can see a textbox allowing you to send a message to the channel. Try sending something!
[?1]: There are two more functions in the application. Can you find them?
You should already know the content in this section if you're familiar with the web.
Similar to most websites in the world, the site you're visiting consists of two parts: client and server. The server 'serves' you by processing your request and providing webpages, images, videos, etc. to your browser. The client is your web browser, which sends requests to the server and displays the response on your screen.
[?2]: What is your browser software, and what is the server software?
?: Google "What is my browser", "How to find out website server software"
When you send a message, your browser sends a request to the server chalf.hkcert21.pwnable.hk:28062, with your chat message and other input values. The server processes your message and shows it on every user's webpage as output.
[?3]: What are the inputs when you send a message in SquirrelChat?
Path and query string are examples of inputs to websites. When you do a Google search, you will notice that the web browser address bar contains a URL (web address):

https://www.google.com/search?q=What+is+query+string
        ^             ^       ^
        Server        Path    Query string

Server: www.google.com
Path: /search
Query string: q=What+is+query+string
[?4]: What does + mean in a query string?
?: Google it: what does plus means in query string
[?5]: Can you change the above Google URL to search for something else? Test it with your web browser.
[?6]: Send a message in the SquirrelChat chat room, then click on your own name. Can you identify the path and the query string from your browser's address bar?
As mentioned, the SquirrelChat application has a SQL injection vulnerability. The application uses SQL to store and retrieve your account details and channel messages on the server, and user input is handled incorrectly when it constructs the SQL query. Therefore it is possible to change the website's behavior and leak flags from the server.
[?7]: In [?6], you identified the query string of the URL. What do the numbers in the query string mean? Try changing them and see how the application behaves.
The SquirrelChat application constructs the SQL query like this:
SELECT * FROM users WHERE id={{Your Input}}
In the above SQL query, {{Your Input}} is replaced with the id provided in the query string. In plain English, this SQL query will SELECT (retrieve) user information where the user id equals your input in the query string.
So if you visit
http://chalf.hkcert21.pwnable.hk:28062/chat/user?id=123
the query becomes:
SELECT * FROM users WHERE id=123
which shows the information of the user whose id equals 123. This code snippet looks completely innocent, but it is vulnerable to the deadly SQL injection vulnerability.
Let's look up what an SQL injection vulnerability is. Google what is sql injection ctf and you can find this webpage as the top result.
[?8]: You now have all the pieces to tackle this challenge. Can you exploit the SQL injection vulnerability without looking at the answer below?
Suppose we are able to change the SQL query to the following:
SELECT * FROM users WHERE id=123 OR true
By visiting the profile of user 123, we know that the user does not exist (i.e. id=123 is False). By appending OR true to the query, we change the outcome to True regardless of what is provided as the id; therefore the system will return EVERY user in the system, including our target: Squirrel Master's account. Recall your Math lessons:
OR Truth Table
+-----+-----+--------+
|  A  |  B  | A OR B |
+-----+-----+--------+
|  T  |  T  |   T    |
|  T  |  F  |   T    |
|  F  |  T  |   T    | <--- We are here
|  F  |  F  |   F    |
+-----+-----+--------+
[?9]: Can we construct the query string (the input to the webpage) such that the application will run the above SQL query?
As you found in [?4], we have to change spaces into plus signs (+) in the query string. Therefore, you can send the query string as id=123+OR+true and get your flag.
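To see concretely why the string-built query from the "SELECT * FROM users WHERE id={{Your Input}}" section returns every user once the id becomes "123 OR true", and how the + decoding from [?4] fits in, here is an added example. It is not code from the challenge or from this writeup: it models the users table with an in-memory SQLite database filled with constructed rows (the column names and the placeholder password are assumptions, since the real schema is not on the page), and places the vulnerable string-interpolated lookup next to a parameterised lookup so the difference in behavior can be observed on the same input.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed stand-in for SquirrelChat's users table. The column names and
# the placeholder password are assumptions; the real schema is not on the page.
SAMPLE_USERS = [
    (1, "Squirrel Master", "flag{constructed-placeholder}"),
    (2, "alice", "alice-password"),
    (3, "bob", "bob-password"),
]


def make_db():
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def id_from_query_string(query_string):
    """Return the raw 'id' value from a query string such as 'id=123+OR+true'.

    parse_qs applies the decoding from [?4]: '+' becomes a space, so the
    value the application receives is '123 OR true'.
    """
    return parse_qs(query_string)["id"][0]


def lookup_user_vulnerable(conn, user_id):
    """The pattern from the page: the input is pasted straight into the SQL text.

    Whatever the client sends becomes part of the statement, so the value
    '123 OR true' turns the WHERE clause into 'id=123 OR true', which holds
    for every row. (SQLite accepts the 'true' literal from version 3.23 on.)
    """
    sql = f"SELECT id, name, password FROM users WHERE id={user_id}"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, user_id):
    """Hardened version: validate the type, then bind the value as a parameter.

    The statement text is fixed and the id travels to the driver as data, so
    it is never parsed as SQL. Non-numeric ids are rejected before the query.
    """
    try:
        numeric_id = int(user_id)
    except (TypeError, ValueError):
        return []
    sql = "SELECT id, name, password FROM users WHERE id=?"
    return conn.execute(sql, (numeric_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = id_from_query_string("id=123+OR+true")
    print("decoded id:", repr(payload))
    print("vulnerable:", lookup_user_vulnerable(db, payload))  # all three rows
    print("safe:      ", lookup_user_safe(db, payload))        # empty list
```

Running the script shows the decoded id as '123 OR true'; the vulnerable lookup returns all three constructed rows, placeholder password included, while the parameterised lookup returns nothing for the same input and still finds a user when given a plain numeric id. In a real application the fix is the second function: a fixed statement with bound parameters, plus type validation of the id before it reaches the database.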
The + sign has a semantic meaning in the query string: it is used to represent a space. https://stackoverflow.com/a/6855723
Author team: Immaculate Heart of Mary College