In today’s post, we’re going to be looking at the 3rd Web Security Challenge by Damo. The page can be found here, so head on over to it and let’s get started.
Once there, we can get an idea of what this website does. It has a front page, a members list, a members-only page, a hall of fame, and login and register pages. We can register an account, and if we do, we get a message saying we can post a name to the hall of fame if we’re an admin. Thus, one way to post to the HOF is to get access to an admin account. If we look at the members list, we can see 5 accounts belonging to various admins (with names such as Stallone, Li, etc.). We can also note this is a PHP site, and assume there is a database behind it holding all the information. Thus, let’s try SQL injection.
Trying injection on the login page doesn’t provide much feedback. However, if we go to the members list page and click on one of the members, we’re taken to a page that lists their info (http://damo.clanteam.com/sch3/member-info.php?id=1). From here, if we inject a single quote into the id parameter, we get an SQL error, which tells us the parameter is dropped into a query unescaped and that we can inject SQL. A hint is also displayed on the page showing a UNION with 5 fields, one of which is sqlite_version(), so we can assume the DB is SQLite.
So, let’s add a UNION onto the query that pulls from the sqlite_master table, so that we can start getting table names and reading through the DB. If we hit http://damo.clanteam.com/sch3/member-info.php?id=9'%20UNION%20ALL%20SELECT%201,2,3,sql,name%20FROM%20sqlite_master%20WHERE%20type='table'--%20--' we see there is a hall_of_fame table. Trying to insert into the table directly doesn’t work (went there, tried that), so let’s look for other tables. The page only renders one row, so we add an ORDER BY name to the injected SELECT to bring a different table to the top. Doing so returns info on the accounts table, namely the SQL used to create it:
CREATE TABLE [accounts] ( [id] INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, [username] TEXT NOT NULL, [password] TEXT NOT NULL )
Now that we know the accounts table holds usernames and passwords, we can pull one of the admins’ credentials straight out of it. http://damo.clanteam.com/sch3/member-info.php?id=9'%20UNION%20ALL%20SELECT%20username,password,1,2,1%20FROM%20accounts;--%20--' gets us:
First Name: stallone
Last Name: PASSWORD_HASH
Now we can take the password hash, throw it in a file and run it through John the Ripper, and in less than a second we’re presented with the password for the stallone account. Now we can simply log in with that username and password and add our name to the hall of fame!
SQL injection is bad, mmmkay. Use parameterized queries, or whatever the language you’re using calls them (prepared statements, bound parameters). Never build an SQL query by concatenating user input into the query string. And don’t echo raw database errors back to the user: the error on a stray single quote is what gave this injection point away.