http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden#tab=Challenges
The target is http://66.249.7.26. (OWASP should do better next time; at least grab a domain name to look more professional.)
Step 1: Visit http://66.249.7.26 and the site looks like:

A look at the source code reveals these messages within an HTML comment:
Step 2: My first thought was that the bell image might hide something. Several tests showed that this assumption was not true. Then I thought about finding more pages. Wikto did not find anything interesting. DirBuster found some standard documentation pages.
Step 3: Back to the hidden comment. "Dont forget to leave milk and cookies for santa and his helpers." Cookies! Yes, cookies. I should try cookies. Using Burp, I added a test cookie x=y to the request. The response did have something new:
Now it is a game of cookies. Burp's Repeater is perfect for this.
Cookie: santa=y generates something new:
Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /var/www/xmas/frontend/index.php on line 95
However, "helpers" and "hishelpers" did not have any luck. Maybe I should use his reindeer's names: Dasher, Dancer, Prancer, Vixen, Comet, Cupid, Donner, Blitzen, Rudolf. None seems to work.
Step 4: So far we have found one cookie: santa. If we set santa=1, the error message is gone and we get something new:
YToxOntzOjIwOiJCRU5DSE1BUksoMTEsTUQ1KDEpKSI7czoxOiIwIjt9
santa=123 returns:
YToxOntzOjIyOiJCRU5DSE1BUksoMTEyMyxNRDUoMSkpIjtzOjE6IjAiO30=
They look like base64 encoding. Yes, the decoded messages are:
a:1:{s:20:"BENCHMARK(11,MD5(1))";s:1:"0";}
a:1:{s:22:"BENCHMARK(1123,MD5(1))";s:1:"0";}
From the error message in step 3, we already knew that the server is running MySQL and PHP.
According to http://dev.mysql.com/doc/refman/5.0/en/information-functions.html#function_benchmark, BENCHMARK executes the expression the specified number of times. For example, BENCHMARK(11,MD5(1)) means that the server will run MD5(1) 11 times. Since our input seems to be used in a SQL statement, let's try some SQL injections:
santa=123' generates the old error message
santa=234,SHA(1))# does not generate any error message and we get
YToxOntzOjIyOiJCRU5DSE1BUksoMTIzNCxTSEEoMSkpIjtzOjE6IjAiO30=
and it decodes to a:1:{s:22:"BENCHMARK(1234,SHA(1))";s:1:"0";}
Wow, it seems very likely that we can conduct SQL injection against the application. That's all for today.
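The decoding step above, as an added example that is not part of the original write-up: a small Python parser for the base64-wrapped PHP serialize() output the server returns, run over the three response bodies quoted above (copied here as constructed test inputs). The array key is the column name that mysql_fetch_assoc() produced, which is why it shows the exact expression the server evaluated.

```python
import base64
import re

# Constructed copies of the three response bodies quoted in the write-up,
# keyed by the santa cookie value that produced each one.
RESPONSES = {
    "1": "YToxOntzOjIwOiJCRU5DSE1BUksoMTEsTUQ1KDEpKSI7czoxOiIwIjt9",
    "123": "YToxOntzOjIyOiJCRU5DSE1BUksoMTEyMyxNRDUoMSkpIjtzOjE6IjAiO30=",
    "234,SHA(1))#": "YToxOntzOjIyOiJCRU5DSE1BUksoMTIzNCxTSEEoMSkpIjtzOjE6IjAiO30=",
}


def parse_php_serialized(data: bytes, pos: int = 0):
    """Parse one PHP serialize() value starting at pos; return (value, new_pos).

    Handles s: (string), i: (integer) and a: (array), which is all this
    response format uses. The s: length is in bytes and is checked against
    the payload so a truncated or tampered body is rejected, not misread.
    """
    tag = data[pos:pos + 1]
    if tag == b"s":
        m = re.match(rb's:(\d+):"', data[pos:])
        if not m:
            raise ValueError(f"malformed string header at {pos}")
        n, start = int(m.group(1)), pos + m.end()
        if data[start + n:start + n + 2] != b'";':
            raise ValueError("string length field does not match payload")
        return data[start:start + n].decode(), start + n + 2
    if tag == b"i":
        m = re.match(rb"i:(-?\d+);", data[pos:])
        return int(m.group(1)), pos + m.end()
    if tag == b"a":
        m = re.match(rb"a:(\d+):\{", data[pos:])
        pos += m.end()
        result = {}
        for _ in range(int(m.group(1))):
            key, pos = parse_php_serialized(data, pos)
            value, pos = parse_php_serialized(data, pos)
            result[key] = value
        if data[pos:pos + 1] != b"}":
            raise ValueError("unterminated array")
        return result, pos + 1
    raise ValueError(f"unsupported type tag {tag!r} at {pos}")


def decode_response(b64: str) -> dict:
    """Base64-decode a response body and parse the serialized result row."""
    row, _ = parse_php_serialized(base64.b64decode(b64))
    return row


def evaluated_expression(b64: str) -> str:
    """Return the row's column name, i.e. the SQL expression the server ran."""
    return next(iter(decode_response(b64)))
```

Comparing `evaluated_expression()` across the three cookies shows the value being spliced directly after the literal `1` in `BENCHMARK(1...,MD5(1))`, and the `#` variant dropping the trailing `,MD5(1))`, which is the evidence the write-up relies on.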