Damo Web Security Challenge VI

Published 2013-04-28 at https://seanmurphree.com/blog/?p=397

In today's post, we're going to be looking at the Damo Security Challenges, specifically Challenge VI. The page can be found at http://damo.clanteam.com/sch6/. Let's head over to the page and get started.

Once at the page, we can see the familiar layout of a Member's List, Member's Only page, Hall of Fame, Login and Register. If we register and log in, we are again presented with a message saying we can add a user to the Hall of Fame if we are an admin. Another thing to note: on the login page there is a "remember me" option.

If we have remember me turned on, we can look at the cookies that are saved on our side. There are two cookie values saved, one for the username and one for the password. We can also see that the values of these cookies end in %3D, which is a URL-encoded equals sign. This gives us reason to believe it is padding from base64 encoding. Thus, we can use a small PHP snippet to verify. Running <?php $str='VALUE_OF_USERNAME_FROM_COOKIE'; echo base64_decode($str); ?> returns our username. Doing the same with the password cookie returns our password. Thus, we can assume these values are used on the server.

The first attack is to try replacing our username cookie with the value which would be expected if we were logged in as admin, so use a PHP snippet to get 'admin' base64-encoded, <?php $str='admin'; echo base64_encode($str); ?>, put that into the username cookie and try to submit our name to the Hall of Fame. This doesn't work, and we're told we have to be admin.

The next attack is a little trickier and involves SQL injection. First, let's think about what happens when a name is submitted to the Hall of Fame. Since a username and password are supplied as well, we can assume the PHP script checks whether there is at least one user matching the username and password, and whether that username is admin. If so, the submitted name is added to the Hall of Fame. So, if we can do SQL injection and return at least one match, we should get added to the Hall of Fame. Let's think about the SQLi we want. The injection can go in the password and make the condition true, so the basic SQLi works: ourpassword' or '1'='1. However, to get this into the query we have to base64-encode it and submit it as the cookie value for the password. So again, PHP: <?php $str = 'something\' or \'1\'=\'1'; echo base64_encode($str); ?>. Now we submit the previously calculated value for 'admin' as our username and this SQLi value as our password via cookies when we try to add a name to the Hall of Fame. If done correctly, our name gets added. 🙂 YAY!

So What?

SQL injection: it's not just for query strings. Injection vulnerabilities come from any place where users can provide input. Whether it arrives in a query string, a POST body, a cookie value or an AJAX request, if it comes from the user's computer it can result in injection. Also, base64 isn't encryption, it's encoding, so anyone can do it and it therefore provides no safety in this context. If you want to put a cookie on a user's computer, encrypt it with a secret key held only by the server, such that the user cannot create a correctly encrypted string. Even then, the query itself should be built with parameterized statements, so that a cookie value is never interpreted as SQL.