{"id":394,"date":"2013-04-28T11:37:46","date_gmt":"2013-04-28T18:37:46","guid":{"rendered":"http:\/\/seanmurphree.com\/blog\/?p=394"},"modified":"2013-04-28T11:37:46","modified_gmt":"2013-04-28T18:37:46","slug":"damo-web-security-challenge-iii","status":"publish","type":"post","link":"https:\/\/seanmurphree.com\/blog\/?p=394","title":{"rendered":"Damo Web Security Challenge III"},"content":{"rendered":"<p>In today&#8217;s post, we&#8217;re going to be looking at the 3rd Web Security Challenge by Damo. \u00a0This page can be found <a href=\"http:\/\/damo.clanteam.com\/sch3\">here<\/a>. \u00a0So head on over to the page, and let&#8217;s get started.<\/p>\n<p>Once there, we can get an idea of what this website does. \u00a0It has a front page, a members list, a members-only page, a hall of fame, and login and register pages. \u00a0We can register and make an account, and if we do, we get a message saying we can post a name to the hall of fame if we&#8217;re an admin. \u00a0Thus, one way to post to the HOF is by getting access to an admin account. \u00a0If we look at the members list, we can see 5 accounts belonging to various admins (with names such as Stallone, Li, etc). \u00a0We can also note this is a PHP site, and assume there is a DB holding all the information. \u00a0Thus, let&#8217;s try SQL injection.<\/p>\n<p>Trying injection on the login page doesn&#8217;t provide much feedback. \u00a0However, if we go to the member list page and click on one of the members, we&#8217;re taken to a page that lists their info (<a href=\"http:\/\/damo.clanteam.com\/sch3\/member-info.php?id=1\">http:\/\/damo.clanteam.com\/sch3\/member-info.php?id=1<\/a>). \u00a0From here, if we try to inject a single quote into the id param, we get an SQL error and notice we can inject SQL. 
\u00a0A hint is also displayed on the page showing a union with 5 fields, one of which is sqlite_version(), thus we can assume the DB is SQLite.<\/p>\n<p>So, let&#8217;s try adding a union onto the query, but one that pulls from the sqlite_master table so that we can start getting table names and reading through the DB. \u00a0If we hit the URL\u00a0<a href=\"http:\/\/damo.clanteam.com\/sch3\/member-info.php?id=9'%20UNION%20ALL%20SELECT%201,2,3,sql,name%20FROM%20sqlite_master%20WHERE%20type='table'--%20--'\">http:\/\/damo.clanteam.com\/sch3\/member-info.php?id=9&#8217;%20UNION%20ALL%20SELECT%201,2,3,sql,name%20FROM%20sqlite_master%20WHERE%20type=&#8217;table&#8217;&#8211;%20&#8211;&#8216;<\/a>\u00a0we see there is a hall_of_fame table. \u00a0Trying to insert into the table directly doesn&#8217;t work (went there, tried that), so let&#8217;s try to find other tables by adding an ORDER BY clause to the query and ordering by name. \u00a0Doing so returns info on the accounts table, mainly the SQL used to create it:\u00a0CREATE TABLE [accounts] ( [id] INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, [username] TEXT NOT NULL, [password] TEXT NOT NULL )<\/p>\n<p>Now that we know the accounts table holds usernames and passwords, we can pick one of the admins from it and get their username and password! 
\u00a0<a href=\"http:\/\/damo.clanteam.com\/sch3\/member-info.php?id=9'%20UNION%20ALL%20SELECT%20username,password,1,2,1%20FROM%20accounts;--%20--'\">http:\/\/damo.clanteam.com\/sch3\/member-info.php?id=9&#8217;%20UNION%20ALL%20SELECT%20username,password,1,2,1%20FROM%20accounts;&#8211;%20&#8211;&#8216;<\/a>\u00a0gets us:<\/p>\n<p>First Name: stallone<br \/>\nLast Name: PASSWORD_HASH<\/p>\n<p>Now we can take the password hash, throw it in a file and run it through John the Ripper, and in less than a second we are presented with the password for the stallone account. \u00a0Now we can simply log in with the username and password and add our name to the hall of fame!<\/p>\n<p>So What?<\/p>\n<p>SQL Injection is bad, mmmkay. \u00a0Use parameterized queries, or whatever the language you&#8217;re using calls them. \u00a0Don&#8217;t build an SQL query by concatenating user input directly into the query string.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In today&#8217;s post, we&#8217;re going to be looking at the 3rd Web Security Challenge by Damo. \u00a0This page can be found here. \u00a0So head on over to the page, and let&#8217;s get started. 
Once there, we can get an idea &hellip; <a href=\"https:\/\/seanmurphree.com\/blog\/?p=394\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/394"}],"collection":[{"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=394"}],"version-history":[{"count":2,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/394\/revisions"}],"predecessor-version":[{"id":396,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/394\/revisions\/396"}],"wp:attachment":[{"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=394"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=394"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=394"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}