Wednesday, December 31, 2014

31c3ctf - Web - 5chan

"Hint: 5CHAN? never heard of this image board, but they have exactly what we need, the picture we're looking for is not for public, so can you get it?"


http://188.40.18.89/





Registration was disabled.




I checked to see if the images were directly linked. If so, then we could potentially browse to the image by guessing the filename. By right-clicking on the image and selecting inspect image (using Chrome), we find that they're using a data URI to pass the image in base64-encoded form. It's likely then that the images are stored in a database.




Going back to the hint, I hypothesize that the image could be elsewhere on this site, but not directly accessible from the home page. The simplest method for finding "private" files is examining robots.txt, and it's here we get our first clue.




At http://188.40.18.89/.OurBackupz/ we find backup-data-23.12.2014.tar.bz2 and db.sql.



I check db.sql first because passwords.



Hashes were stripped, but we have several clues in this file. First, the table structure for the pictures is as follows:

id int(5), title varchar(255), name varchar(255), desc text, level int(5)

desc is short for description, but level is the odd field here. Looking at the values, we see level is 1, except for flag.txt which is 2. Obviously this is an important piece.

Looking over the users table, this too has a level field, but all the users are set to 0. No obvious super-user account, but note that there are no users with IDs less than 3. Possibly an indication that the admin accounts have been stripped as well.

Downloading the backup tar file and decompressing it, we find several PHP files; the most interesting one for our purposes is __pages/__pic.php. I notice two things in this file. First is the location of the images:

echo '<img src="data:image/png;base64,'.base64_encode(file_get_contents("../imgs/".$data['name'])).'" />';

Second is the SQL query for selecting which image to display:

$request="SELECT * FROM pictures WHERE level<=$access AND id=".mysqli_real_escape_string($con,@$_GET['id']." LIMIT 0,1");

If this doesn't make any sense, or if SQL isn't your thing in general, I really enjoyed learning SQL from SQLzoo.

This will be our final clue. Even more of a red flag is the "string" escape of a numeric value: you can string-escape a numeric value all day long, but because the id goes into the query as a bare number rather than inside quotes, we don't need single-tick escapes at all.

http://188.40.18.89/?page=pic&id=9%20or%20id=9

and...



The LIMIT 0,1 might throw people off, but basically we need to ensure the first part of our SQL statement returns nothing, otherwise only the first image would be returned. For example, if we did a slightly different SQL injection http://188.40.18.89/?page=pic&id=1%20or%20id=9
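To see why the string escape does nothing in a numeric context, and how LIMIT 0,1 decides which row comes back, here is an added example (not code from the challenge or the original post) that rebuilds the query shape from __pic.php in Python with an in-memory SQLite database standing in for MySQL, next to a hardened version. The sample rows, the guest access value of 1, and the function names are assumptions made for illustration.

```python
import re
import sqlite3

# Simplified stand-in for PHP's mysqli_real_escape_string(): it only
# backslash-escapes characters that matter inside a quoted string literal.
_SPECIAL = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
            "'": "\\'", '"': '\\"', "\x1a": "\\Z"}


def escape_string(value):
    return "".join(_SPECIAL.get(ch, ch) for ch in value)


def make_db():
    # Constructed sample rows; columns follow db.sql with desc left out.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pictures (id INTEGER PRIMARY KEY, "
                "title TEXT, name TEXT, level INTEGER)")
    con.executemany("INSERT INTO pictures VALUES (?, ?, ?, ?)",
                    [(1, "cat", "cat.png", 1), (2, "dog", "dog.png", 1),
                     (9, "flag", "flag.txt", 2)])
    return con


def fetch_vulnerable(con, access, raw_id):
    # Same shape as __pic.php: the value is escaped but never quoted or
    # cast, so it is parsed as SQL syntax rather than as one number.
    sql = ("SELECT * FROM pictures WHERE level<=%d AND id=" % access
           + escape_string(raw_id + " LIMIT 0,1"))
    return con.execute(sql).fetchone()


def fetch_hardened(con, access, raw_id):
    # Accept only plain decimal digits, then bind both values as parameters.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return None
    return con.execute(
        "SELECT * FROM pictures WHERE level<=? AND id=? LIMIT 0,1",
        (access, int(raw_id))).fetchone()


if __name__ == "__main__":
    db = make_db()
    for value in ("9", "9 or id=9", "1 or id=9"):
        print(repr(value), fetch_vulnerable(db, 1, value),
              fetch_hardened(db, 1, value))
```

In PHP the equivalent fix is an (int) cast on the id or a mysqli prepared statement with bound integer parameters.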

