Rating:
# 角落生物 1
## Description
Find out Squirrel Master's password!
http://chalf.hkcert21.pwnable.hk:28062/
---
### Walkthrough
This is a easy web challenge on **SQL injection**, which is a [common vulnerability](https://owasp.org/www-project-top-ten/2017/A1_2017-Injection), especially in old applications. It is expected that experienced player / pentester can solve it within 5 min, but if you're new to this game, read on!
#### Understanding the application
To find out abnormalities (bugs / vulnerabilities) in a web application, you need to first understand its behavior under normal usage. Visit the homepage (http://chalf.hkcert21.pwnable.hk:28062/) and you will see a cute squirrels saying hi to you, with a big button to *Join the community*. Other links in the webpage are either out of scope (not in the same website), or not simply functioning. So lets click that button.
In the SquirrelChat application, we can see there are two function: `Login` and `Register`. After registering an account and login to the application, we can see that there are additional function `Chatroom` and `Logout`, with lengthy (but not helpful) text on the homepage.
Click into `chatroom`, you can see a textbox allowing you to send message to the channel. Try send something!
> \[?1\]: There are two more function in the application, can you find them out?
#### How the web works
You should already know the content in this section if you're familiar with the web.
##### Client and server model
Similar to most of the website in the world, the site you're visiting contains two parts: `client` and `server`. The `server` 'serves' you by processing your `request` and providing webpage, images, videos etc for your browser. The `client` is your web browser, which send requests to `server` and display the response on your screen.
> \[?2\]: What is your browser software, and what is the server software?
>
> ?: Google "What is my browser", "How to find out website server software"
##### Input - Process - Output
When you send a message, your browser will send a request to the server `chalf.hkcert21.pwnable.hk:28062`, with your chat message and other **input** values. The server will **process** your message and show it on every user's webpage as **output**.
> \[?3\]: What are the input when you send a message in SquirrelChat?
##### Path and Query string
Path and *Query string* are examples of the `input` to websites. When you do a Google search, you can notice the web browser address bar will contain an URL (web address):
```
| https://www.google.com/search?q=What+is+query+string |
| ^ ^ ^ |
| Server Path Query string |
```
- Server: `www.google.com`
- Path: `/search`
- Query string: `q=What+is+query+string`
> \[?4\]: What does `+` means in query string?
>
> ?: Google it: `what does plus means in query string`
> \[?5\]: Can you change the above Google URL to search something else? Test with your web browser.
> \[?6\]: Send an message in the SquirrelChat chat room, then click on your own name. Can you identify the `path` and `query string` from your browser's address bar?
#### SQL in SquirrelChat
As mentioned, the **Sq**uirre**l**Chat application has a SQL injection vulnerability. The application uses SQL to store and retrieve your account details and channel messages in the server, and there are incorrect handling of user input when it construct the SQL query. Therefore it is possible to change the website behavior and leak flags from the server.
> \[?7\]: In \[?6\], you have identified the query string of the URL. What does the numbers mean in the query string? Try changing it and see how the application behaves.
The SquirrelChat application construct the SQL query like this
```sql
SELECT * FROM users WHERE id={{Your Input}}
```
In the above SQL query, `{{Your Input}}` is replaced with the `id` provided in the query string. In plain English, this SQL query will `SELECT` (retrieve) users information, where the user `id` equals to your input in the query string.
So if you visit
```
http://chalf.hkcert21.pwnable.hk:28062/chat/user?id=123
```
The query will become:
```sql
SELECT * FROM users WHERE id=123
```
Which show the user information whose `id` equals to `123`. This code snippet looks completely innocent, but it is vulnerable to the deadly SQL injection vulnerability.
Let's lookup what is SQL injection vulnerability. Google `what is sql injection ctf` and you can find this [webpage](https://ctf101.org/web-exploitation/sql-injection/what-is-sql-injection) as the top result.
> \[?8\]: You got all the pieces to tackle this challenge. Can you exploit the SQL injection vulnerability without looking at the answer below?
#### Exploiting the SQL injection vulnerability
If we are able to change the SQL query to following:
```sql
SELECT * FROM users WHERE id=123 OR true
```
By visiting [profile of user 123](http://chalf.hkcert21.pwnable.hk:28062/chat/user?id=123), we know that the user does not exists (i.e. `id=123` is False). By appending `OR true` to the query, we changed the outcome to True regardless what is provided as `id`, therefore the system will return EVERY user in the system, including our target: Squirrel Master's account. Recall your Math lessons:
```
OR Truth Table
+-----+-----+--------+
| A | B | A OR B |
+-----+-----+--------+
| T | T | T |
| T | F | T |
| F | T | T | <--- We are here
| F | F | F |
+-----+-----+--------+
```
> \[?9\]: Can we construct the query string (input to the webpage) such that the application will run the above SQL query?
As you have answered in \[?4\], we have to change spaces into plus sign (`+`) in the query string. Therefore, you can send the query string as `id=123+OR+true` and get your flag.
#### Suggested Answers
##### \[?1\]
- Change channel
- View user details
##### \[?2\]
- Your browser: https://www.whatismybrowser.com/
- Server software: https://iplocation.io/website-server-software/
##### \[?3\]
- Your user account (cookies) such that the application can show your name along with your message
- Channel name (as in the URL)
- Message
- (There are much more...)
##### \[?4\]
- `+` sign has a semantic meaning in the query string. It is used to represent a space. https://stackoverflow.com/a/6855723
## Writeup
Basic SQL Injection, by the walkthrough, we know the SQL statement is build like
```sql
SELECT * FROM users WHERE id={{Your Input}}
```
where the `id` is from the query string of the URL, as mentioned in the guiding question. From guide question 9, we got `id=123+OR+TRUE` (123 can be replaced with any number within 1 to 20 length long).
Therefore, if we visit http://chalf.hkcert21.pwnable.hk:28062/chat/user?id=123+OR+TRUE gives you the info of SquirrelMaster's account and also returns you the flag.
## Flag
`hkcert21{squirrels-or-1-or-2-or-3-and-you}`
