SECCON 2016 – uncomfortable web (web300)


Description:
Attack to http://127.0.0.1:81/authed/ through the uploaded script at http://uncomfortableweb.pwn.seccon.jp/.
Get the flag in the database!

First, we know it allows us to upload and run a script written in Perl, Python or shell.
Of course, we need to attack http://127.0.0.1:81/authed/.
Let's try with curl and see what happens.
And we get a list of files and folders:
authed/
select.cgi
Also try something with select.cgi:
A GET form with the parameter name “txt” and some values, “a” and “b”.
Something happens; I guess it is a.txt, judging by the name sent in the request.
Try to read some important file like “.htaccess”:
We get something interesting:

AuthUserFile /var/www/html-inner/authed/.htpasswd
AuthGroupFile /dev/null
AuthName "SECCON 2016"
AuthType Basic
Require user keigo

So, let's try to get the credentials from .htpasswd:
keigo:LdnoMJCeVy.SE
Best of all, cracking the password hash gives us “test”.
Then access authed/:
Then it shows us a list of files and folders:

a.txt
b.txt
c.txt
sqlinj/

Yup, more and more files: [1-100].cgi.
Each file gives us a GET form with the parameter name “no” and the value “4822267938”.
Note: get the flag in the database!
We need to try injection against the whole list of files with the payload: curl -u keigo:test "localhost:81/authed/sqlinj/[1-100].cgi?no=4822267939-1"
OK, nothing found; “4822267938” may be a string rather than a number.
Try to inject it with a quote; the payload is: curl -u keigo:test "localhost:81/authed/sqlinj/[1-100].cgi?no=a'or'1'like'1'--"
And we find the injection in 72.cgi.
Yup, let's take the SQL injection quiz.
By the way, I think it blacklists (,) and space, so let's bypass that using the comment /**/.
It is then easy to find table_name:
So it's easy to find the flag:

flag: SECCON{I want to eventually make a CGC web edition… someday…}
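Seen from the defender's side, the whole chain above leaves two tell-tale request shapes in the web server log: a select.cgi `txt` value that is not one of the two options the form offers, and a `no` parameter to the sqlinj scripts that is not a plain number. The following Python script is an added example, not part of the original writeup; it runs over constructed Apache access-log lines (the paths and the allow-list of `a`/`b` are taken from the writeup, the log format and timestamps are assumed) and reports both patterns.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (not from the original page); the
# query strings mirror the requests made in the writeup.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Dec/2016:12:00:01 +0900] "GET /select.cgi?txt=a HTTP/1.1" 200 42
127.0.0.1 - - [10/Dec/2016:12:00:02 +0900] "GET /select.cgi?txt=.htaccess HTTP/1.1" 200 180
127.0.0.1 - - [10/Dec/2016:12:00:03 +0900] "GET /select.cgi?txt=authed/.htpasswd HTTP/1.1" 200 20
127.0.0.1 - keigo [10/Dec/2016:12:00:04 +0900] "GET /authed/sqlinj/72.cgi?no=4822267938 HTTP/1.1" 200 33
127.0.0.1 - keigo [10/Dec/2016:12:00:05 +0900] "GET /authed/sqlinj/72.cgi?no=a%27or%271%27like%271%27-- HTTP/1.1" 200 33
127.0.0.1 - keigo [10/Dec/2016:12:00:06 +0900] "GET /authed/sqlinj/72.cgi?no=1%27/**/union/**/select... HTTP/1.1" 200 33
"""

# Request line inside an Apache "common" log entry: "METHOD target HTTP/x.y"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
ALLOWED_TXT = {"a", "b"}            # the only values the select.cgi form offers
INJ_MARKERS = ("'", '"', "/**/", "--", "#", ";")   # quote and comment tokens

def classify(line):
    """Return a list of findings for one access-log line ([] if benign)."""
    m = REQ_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    params = dict(parse_qsl(parts.query, keep_blank_values=True))  # URL-decoded
    findings = []
    if parts.path.endswith("/select.cgi"):
        txt = params.get("txt", "")
        if txt not in ALLOWED_TXT:
            findings.append(f"select.cgi: txt={txt!r} outside allow-list (file read attempt)")
    if "/sqlinj/" in parts.path:
        no = params.get("no", "")
        if not no.isdigit():
            hit = [mk for mk in INJ_MARKERS if mk in no] or ["non-numeric"]
            findings.append(f"{parts.path}: no={no!r} looks like SQL injection ({', '.join(hit)})")
    return findings

def scan(log_text):
    """Run classify() over every line of a log and collect the findings."""
    return [f for line in log_text.splitlines() for f in classify(line)]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same check belongs in the CGI itself: select.cgi should reject any `txt` outside the allow-list and the sqlinj scripts should reject a non-numeric `no` before the value reaches the query.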
