Thu, Jan 07, 21
Welcome back to my walkthrough of hackthissite.org’s CTF missions. I will be going through my thought process of how I solved these missions, and therefore also giving away the solutions. If you came across this to give you hints, watch out for spoilers! Good luck, have fun.
Our next realistic mission is to retrieve a mailing list that is held on their servers. Sounds simple enough.
Going on their website, it has a very simple landing page with two redirects to product pages and a form to enter their mailing list. The products pages have nothing of importance except possibly their URL. The URL contains a query to a category, with coats being 1 and accessories being 2. Both pages also have 3 distinct fields for each product: an image, a description, and a price.
For now I will go back to the form, it makes a post request to addemail.php with the entered email. I will add a random email and record the request to see what happens. A post request was made with the entered email in a form data format. It then returned a webpage informing me that the email was successfully added.
Directly accessing addemail.php returns a webpage stating it had an issue inserting into table “email”, that the email is not valid and to contact an administrator of Fisher’s. This gives me a great deal of information. This tells me that they save their emails onto a database within a table marked “email”.
Going back to the coat product page, why dont I try and play around with the URL as it has that interesting category parameter. Just to check whether the product.php script directly takes the query paramter and inserts it into an SQL statement I will try to add ORDER BY 1, followed by ORDER BY 2 to see whether there is any difference. What this is doing is changing the ordering of coats relative to a certain column. A difference there most certainly was. This tells me that the URL itself is susceptible to SQL injection.
Now that we know that we can access the database directly through the URL we can try to create a payload that would join the emails table to display on this products page. It is important to note that there are 3 definitive columns that are returned by this query: image url, description, cost; and most likely in that same column order as when ordering by 3, it returns the products in order of cost - whether ascending or descending. Although, typically, each entry would have an id and we can assume that it is indeed included in the return of the SQL query since we can still order by 4, but ordering by 5 has some unexepected behaviour. One thing to note is that these IDs are never displayed on the page served to the client.
So, in order to add the emails to the page we should add the following to the products page: UNION ALL SELECT null, *, null, null FROM email. This will union the products of category x (1 for me since I used the coats page) which has 4 columns with y (total size of emails in email table) rows of null, [email], null, null. Hit send and voila! We have the email list! There should be 9 emails in the list. Now all we need to do is send it to our client.