#DECRYPTION SQLI DUMPER REGISTRATION#

Eista Hax uses a digital tool to manage all his students. He is very happy with the system, but it does have one drawback: it does not support multiple users. Eista Hax has employees who need access as well. To solve this he writes a super modern, highly encrypted web application to share the password with authorized users.

This so-called super modern web application (spoiler alert: don't laugh, it's written in Perl) allows students to either register or login. Registration can be accomplished simply by submitting a valid public PGP key.

#DECRYPTION SQLI DUMPER PASSWORD#

Once the upload is completed, the website renders a message encrypted with the provided key. By decrypting the text it is now possible to recover the random password associated with the email address specified in the public key.

As an example, we create a PGP keypair for the user ID and list its packets:

```
$ gpg --list-packets marco.pub
:signature packet: algo 17, keyid 4F016C493CD7F95F
        subpkt 16 len 8 (issuer key ID 4F016C493CD7F95F)
```

The message printed by the website, after decryption, is the following: Hello here is your password: rZuwrXMhelUFe7kPIRgkVSM6arveii.

If we try to submit that email / password combination, the website kindly refuses to proceed by printing "Wrong login data or deactivated account. Your account has to be activated by an admin." As this sentence suggests, it is not possible to authenticate to the system using these credentials.

Since there are no activated accounts, our aim is to access the website source code to look for other vulnerabilities which may lead to file inclusion or remote command execution.

Exploitation - Step 1: SQLi

After some attempts, we noticed that the email field of the public PGP key can be exploited to cause a SQL injection in the application backend. Indeed, we were able to dump the sources by providing the following payload as email address within the uploaded key:

```
$ gpg --list-packets marco_dump.pub | grep 'user ID'
```

Some statements and brackets were repeated to bypass a simple SQL injection filter.

#DECRYPTION SQLI DUMPER FULL#

The source code location has been recovered by dumping the lighttp webserver configuration file found in /etc/lighttp/nf. The full source code of the application is depicted below:

```perl
#!/usr/bin/perl
use Crypt::Eksblowfish::Bcrypt qw(bcrypt_hash);
my $cfg = Config::IniFiles->new(-file => "./private/config.ini");
my $dbh = DBI->connect('DBI:mysql:database=ctf', 'ctf', $cfg->val('Database', 'Password'));
if ( $#data6 prepare("SELECT * FROM accounts WHERE user_id = '" .
return "Could not execute database query.";
my $sth_insert = $dbh->prepare("INSERT INTO accounts (path, user_id, pass, activated) VALUES (?, ?, ?, false)");
$sth_insert->execute($path, $user_id, get_hash($password));
Your account has to be activated by an admin.'
```

while (my $ref = $sth_select->fetchrow_hashref()) ) is used nowhere in the code...

It should be clear that if we were able to print arbitrary contents from the filesystem we could just dump the ./private/config.ini configuration file (which is not readable via the SQLi due to missing permissions) and obtain the flag.

But hey, Perl is such a messy language :) Thanks to a brilliant talk given by Netanel Rubin at the 31st Chaos Communication Congress, we managed to discover some tricks needed to include arbitrary files and solve the challenge.

If we provide to the application multiple GET parameters with the same name, instead of saving only the first value as found in the HTTP request, Perl makes a list out of them. For instance, if we request ?error=a&error=b&error=c, by printing $cgi->param('error') we obtain the list ('a', 'b', 'c').

Believe it or not, but given this program: use Data::Dumper = ( 'a', 'b', 'c' )

The actual output is the following:

```
$ perl omg.
Select * from users where username='admin' and password='admin123'
```

Thank you Perl!

Select * from users where username='admin'--' and password='xxx'

If the attacker knows the username of the application administrator is admin, he can log in as admin without supplying any password.
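The list-context behaviour of $cgi->param described above, as an added example that is not code from the writeup or from the challenge: it assumes the CGI module is installed and uses a constructed request, showing the hazard of a hash built from param() beside two defensive forms (scalar context, and rejecting repeated parameters).

```perl
#!/usr/bin/perl
# Added example, not code from the writeup or the challenge: how CGI.pm's
# param() behaves in list context and how a defender avoids the hazard.
# Assumes the CGI module is installed (it left the Perl core in 5.22).
use strict;
use warnings;
use CGI;
use Data::Dumper;
$Data::Dumper::Sortkeys = 1;

# Constructed request: the "user" parameter is sent twice.
my $cgi = CGI->new('user=alice&user=bob&pass=s3cret');

# List context: param() returns every value sent under that name.
my @all_users = $cgi->param('user');
print Dumper(\@all_users);

# Hazard: param() inside a hash constructor is in list context, so the
# second "user" value is spliced into the key/value sequence and every
# following pair shifts by one position. CGI.pm 4.08 and later warn on
# this call unless $CGI::LIST_CONTEXT_WARN is turned off, so keep it on.
my %form_unsafe = (
    user => $cgi->param('user'),
    pass => $cgi->param('pass'),
);
print Dumper(\%form_unsafe);

# Fix 1: force scalar context, which keeps only the first value ...
my %form_safe = (
    user => scalar $cgi->param('user'),
    pass => scalar $cgi->param('pass'),
);
print Dumper(\%form_safe);

# ... and ask for a list only where one is really meant.
my @explicit_list = $cgi->multi_param('user');

# Fix 2: refuse requests that repeat a parameter the application expects
# exactly once, so parameter pollution is rejected and can be logged.
sub single_valued {
    my ($q, @names) = @_;
    for my $name (@names) {
        my @values = $q->multi_param($name);
        return 0 if @values != 1;
    }
    return 1;
}
print single_valued($cgi, 'user', 'pass') ? "ok\n" : "rejected: repeated parameter\n";
```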