CrySyS Novice Group - Sorting Fruits writeup (1)
This task was given as homework in the CrySyS Novice Group. It was under the “Shop of Quality Lime (and other fruits)” group and was worth 50 points (first level).
Description: This is the first version of our website. We believe it is absolutely secure, but you can prove us wrong.
I was given an address (let’s say it was http://someaddress.com), and on that site there was a table like this:

| 4 | Potato | For french fries | 40 |
| 6 | Secrets | are in an other table | 100 |
In this table the items were ordered by their id; if I clicked on any other column header, the rows were reordered by that column instead. To tell the web server which ordering was chosen, a GET request was sent with an ‘order’ parameter; for example, if ‘id’ was chosen it looked like this:
So I quickly checked for the possibility of an SQL injection by adding an extra apostrophe at the end of the address like this:
This caused the following warning message:
Now I knew that SQL injection was likely possible, since the input is clearly not handled properly before it reaches the query. There is a hint on the site which says that “Secrets are in an other table”, so we need to find that table and then dump its data.
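The bug behind the warning is worth seeing in code. The following is an added illustration, not the challenge’s own source (which is not shown in the writeup): a sort handler that concatenates the ‘order’ parameter into an ORDER BY clause, next to a hardened version that maps the parameter onto an allow-list of column names (ORDER BY cannot take a bound parameter, so an allow-list is the standard fix). The table and its column names are constructed from the rows quoted above; SQLite stands in for the real database.

```python
import sqlite3

# Constructed sample data modelled on the two rows shown in the writeup.
SAMPLE_ROWS = [
    (4, "Potato", "For french fries", 40),
    (6, "Secrets", "are in an other table", 100),
]

# Only these values of the 'order' parameter may reach the query text.
ALLOWED_ORDER = {"id", "name", "description", "price"}


def make_db():
    """Builds an in-memory table shaped like the fruit listing (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE fruits (id INTEGER, name TEXT, description TEXT, price INTEGER)"
    )
    conn.executemany("INSERT INTO fruits VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def sort_fruits_vulnerable(conn, order):
    """The bug: the GET parameter is pasted straight into ORDER BY."""
    sql = f"SELECT id, name, description, price FROM fruits ORDER BY {order}"
    return conn.execute(sql).fetchall()


def sort_fruits_safe(conn, order):
    """The fix: reject anything that is not a known column name."""
    if order not in ALLOWED_ORDER:
        raise ValueError(f"unsupported order column: {order!r}")
    sql = f"SELECT id, name, description, price FROM fruits ORDER BY {order}"
    return conn.execute(sql).fetchall()


def probe(func, conn, order):
    """Runs a handler and reports what an outside observer would see:
    ('rows', ...) for a normal page, ('error', ...) for a database error
    leaking out (the writeup's apostrophe test), ('rejected', ...) for
    input stopped by the allow-list before any SQL is built."""
    try:
        return ("rows", func(conn, order))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    except ValueError as exc:
        return ("rejected", str(exc))
```

Appending a single apostrophe to the parameter makes the vulnerable handler surface a database syntax error, which is exactly the signal the writeup used; the allow-listed handler never lets that string near the parser.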
For this job I used sqlmap. To dump the names of the databases I typed in the following (the --threads argument is optional; it just makes the enumeration much faster):
This gave me the usual MySQL system databases plus an extra one called test.
Now I needed to find out the names of the tables in the test database.
I got this:
And finally I dumped the data of the secret table.
And here it is, we got our flag.
To read about the next level click here: Sorting Encrypted Fruits