This was a pretty fun little exercise. It really got me thinking about where my skill set is these days. It is one thing to know that SQL Injection exists, and another to be really good at crafting queries to use it to your advantage. Here are the steps to follow to solve this one.
1) Recon
In the recon phase, you must do the basic things. Take a look at the source. Click around on the links and see where this takes you. In real life you would spider, but for this you will have to just see what you can see. What you will notice is that there are two "input points". The first is a small form asking for you to enter your email. The second is the link to the products pages. If you notice you have a products.php?category=1. As you know, any input can be fuzzed.
2) Discovery
In this phase, we start trying to play around to see what we can see. The first step is to work at the email form. There are many places this email could be being stored. Most commonly, however, it is stored into a sql database. A quick sql injection attempt here will yield some interesting results. The developers of the site have not bothered to mask their error messages (quite common in real life) and you get that the name of the email table is email. Clearly the sql injection attempt is being blocked. There is no way to do blind sql injection at this point since we don't have a way to view the information. (Yes you could try pinging and stuff, but this is just a test).
The next step is to see if the other inputs on the page have any problems. A quick sql injection attack via firebug yields that there is no sql protection on link to the product pages.
products.php?category=1 or 1=1
Produces a page with all products on it. Further more, if you put in a sql statement that generates an error, you get a nice little blank page.
3) Exploitation
Now that we know the basics of what we can do, it is time to exploit it. Sql has a command that is called Union All. Basically, this command allows you to combine the results from two select statements. The key is that the column numbers have to match. By looking at the product page, you can try and guess how many columns are being returned in the original query. There seems to be a link to an image, a description, and a price. There is probably also an id of some kind. That makes 4.
Since description is the field that seems to print out a string, we will use it for our query.
products.php?category=1 UNION ALL SELECT null, *, null, null FROM email;
The only reason why this works is because * means everything, and email probably only has 1 column. At least that is my understanding of the above sql query.
Running that produces a list of all the email addresses currently in the system. To finish off the challenge, use the HTS Message Center to send the list to SaveTheWhales.
Enjoy.
This comment has been removed by a blog administrator.
ReplyDelete