Gmocanu/session 04 task #73

Open: wants to merge 5 commits into base: main
1 change: 1 addition & 0 deletions sql-injection/activities/blacklist/.gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
public/
36 changes: 36 additions & 0 deletions sql-injection/activities/blacklist/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
# Name: Blacklist

## Description

You're a big boy now, you need to find the way without the quotes from philosophy.

Try this one http://141.85.224.118:13000/.

Score: 150

## Vulnerability

SQL Injection - The server does not escape characters before querying the database.
The server filter single quotation marks and double quotation marks.

## Exploit

We can use a payload like this: `and 0 union select 1,username,password from users #\` and the query will be:

```
select * from search_engine where title like 'and 0 union select 1, username,password from users #\' or description like 'and 0 union select 1, username,password from users #\' or link like 'and 0 union select 1,username,password from users #\';
```

Due to the fact that some `'` will be escaped because of `\` the query will be different.

## Environment

Web server with PHP and MYSQL support (deployable as a Docker container using files in `deploy/` folder)

## Deploy

Copy `deploy/` folder and run `make run`.

If you need to update the image and container, remove the old container with `make clean` and update the image (and container) using `make`.

It is not possible to update the container without updating the image first.
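Review bot: the Exploit section never explains why the trailing backslash works; "the query will be different" leaves the reader to work out the one thing this task is meant to teach. Spell it out: the payload contains no quote characters, so it passes the `'`/`"` checks in `src/index.php`; the `\` at its end escapes the closing `'` that the server appends, so the first string literal swallows `' or description like ` and only ends at the opening quote of the second LIKE. From there the second copy of the payload is parsed as SQL (`and 0 union select 1,username,password from users`) and `#` comments out the remainder of the line. It is also worth stating why the union has three columns: `search_engine` has `title`, `description`, `link`, and the password ends up in the `link` column that the page prints. Separately, the Deploy section says to copy `deploy/` and run `make run`, but `docker-compose.yml` mounts `../public/mysql/init-db.sql`, which exists only after `make generate` has been run in `src/` (that target is what writes the flag into the SQL); document that prerequisite. Minor: "The server filter single quotation marks" should read "filters".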
1 change: 1 addition & 0 deletions sql-injection/activities/blacklist/deploy/.gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
public/
3 changes: 3 additions & 0 deletions sql-injection/activities/blacklist/deploy/Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
FROM php:7.0-apache

RUN docker-php-ext-install mysqli
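Review bot: `php:7.0-apache` is an end-of-life release (PHP 7.0 stopped receiving security fixes in December 2018). The lab is meant to be vulnerable in exactly one controlled way, the injection, and the README points at a host on a public IP, so an unpatched PHP and Apache add attack surface that has nothing to do with the exercise. The app only needs `mysqli`, so pinning a supported `php:<version>-apache` tag should require no code changes. The identical Dockerfile appears under `demo-sql-injection/deploy/`; one shared base would keep the two from drifting.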
13 changes: 13 additions & 0 deletions sql-injection/activities/blacklist/deploy/Makefile
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
build:
docker-compose build

run: build
docker-compose up -d

stop:
docker-compose stop

clean: stop
docker-compose down

.PHONY: build run stop clean
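Review bot: the README claims the image and container can be updated "using `make`", but the default target here is `build`, which only runs `docker-compose build`; the running container is not recreated until `make run` (`docker-compose up -d`) is invoked. Either make `run` the default or fix the README wording. Also note that the recipes call the standalone `docker-compose` v1 binary; machines that only have the compose plugin need `docker compose`. The rendered diff cannot show whether the recipe lines are tab-indented, which make requires.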
24 changes: 24 additions & 0 deletions sql-injection/activities/blacklist/deploy/docker-compose.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
version: "3.3"

services:
database:
image: mysql:5.7
container_name: blacklist_mysql
environment:
MYSQL_DATABASE: "blacklist"
MYSQL_USER: "sss"
MYSQL_PASSWORD: "sss"
MYSQL_ROOT_PASSWORD: "root"
volumes:
- "../public/mysql/init-db.sql:/docker-entrypoint-initdb.d/init-db.sql"

web:
build: .
image: sss-web-sql-injection_blacklist_mysql
container_name: sss-web-sql-injection_blacklist_mysql
ports:
- "13000:80"
volumes:
- "../public:/var/www/html"
links:
- database
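Review bot: the `database` service bind-mounts `../public/mysql/init-db.sql`, a file that is not in the repository (`public/` is gitignored) and is only produced by `make generate` in `src/`. If `make run` is executed first, Docker creates an empty directory at the host path and the MySQL entrypoint cannot load the schema, so the web app ends up querying a database with no `users` table. Add that prerequisite to the `run` target or to the README. Two smaller points: the file provisions a scoped `sss` user (`MYSQL_USER`/`MYSQL_PASSWORD`) that `src/conf/conf.php` never uses because it connects as `root`; and the web service's `image` and `container_name` are both `sss-web-sql-injection_blacklist_mysql`, which reads as if it were the database container. `links` is a legacy option; the service name `database` already resolves on the default network, and `depends_on` expresses the ordering.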
1 change: 1 addition & 0 deletions sql-injection/activities/blacklist/flag
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
SSS{draco_dormiens_nunquam_titillandus}
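Review bot: the flag is committed in clear text, and because `src/Makefile` reads this file at generate time the same string is what lands in `users.password`. Anyone with read access to the repository, including its history after a later change, can submit the flag without touching the challenge. If students can see the repository, inject the flag at deploy time and keep this file out of version control. The same applies to `demo-sql-injection/flag`.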
13 changes: 13 additions & 0 deletions sql-injection/activities/blacklist/src/Makefile
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
FILE :=../flag
FLAG :=$(shell cat $(FILE))

generate:
rm -rf ../public
mkdir -p ../public/
cp -r conf ../public/
cp -r mysql ../public/
cp index.php ../public/index.php
sed 's/__TEMPLATE__/$(FLAG)/g' ./mysql/init-db.template.sql > ../public/mysql/init-db.sql
rm ../public/mysql/init-db.template.sql

.PHONY: generate
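Review bot: `sed 's/__TEMPLATE__/$(FLAG)/g'` splices the flag unquoted into a sed expression, so a flag containing `/`, `&` or `\` would silently corrupt the generated `init-db.sql`. The current flag is safe, but use a different delimiter (`s#...#...#`) or escape the value if flags are ever rotated. The recipe also depends on being run from `src/` (`../flag`, `../public` are relative), and the README's Deploy section never mentions this target even though `deploy/docker-compose.yml` needs its output; say so.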
14 changes: 14 additions & 0 deletions sql-injection/activities/blacklist/src/conf/conf.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
<?php
$servername = 'database';
$username = 'root';
$password = 'root';
$database = 'blacklist';

// Create connection
$conn = new mysqli($servername, $username, $password, $database);

// Check connection
if ($conn->connect_error) {
die("Unable to connect to MYSQL server");
}
?>
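Review bot: the application connects as MySQL `root` (password `root`, set in `docker-compose.yml`), so any injection that gets past the filter runs with full server privileges: every other database on the instance, `mysql.user`, and `LOAD_FILE()` / `INTO OUTFILE` where `secure_file_priv` permits. The compose file already creates the `sss` user, which the official MySQL image grants rights on the `blacklist` database only; connecting as `sss` teaches the injection without handing out a DBA session. Also, `src/Makefile` copies `conf/` into `public/`, which is the served document root (`../public:/var/www/html`), so this file is requestable as `/conf/conf.php`; it prints nothing today, but credentials belong outside the web root so a PHP handler misconfiguration cannot leak them.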
74 changes: 74 additions & 0 deletions sql-injection/activities/blacklist/src/index.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
<?php

CI annotation (GitHub Actions / Checkpatch, line 1): ERROR:TRAILING_WHITESPACE: trailing whitespace
if (isset($_GET['source'])) {
die(highlight_file(__FILE__));
}

require("conf/conf.php");

CI annotation (GitHub Actions / Checkpatch, line 6): ERROR:TRAILING_WHITESPACE: trailing whitespace
error_reporting(0);


if (isset($_GET['q'])) {
// Ban space character
if (strpos($_GET['q'], "'") !== false) die("Hacker detected");

CI annotation (GitHub Actions / Checkpatch, line 12): ERROR:TRAILING_WHITESPACE: trailing whitespace
if (strpos($_GET['q'], '"') !== false) die("Hacker detected");

CI annotation (GitHub Actions / Checkpatch, line 13): ERROR:TRAILING_WHITESPACE: trailing whitespace
}


?>
<!DOCTYPE html>
<html>
<head>
<title>Gogol Search</title>
<link rel="stylesheet" href="http://www.goglogo.com/include/goglogo.css" type="text/css" />
</head>

<body style="margin:0;padding:0;">
<div id="overlay_bg" style="display:none; background-color:#000000; position:fixed; z-index:1001"></div>
<br/><br/><br/><br/>
<div class="content-area">
<div class="logo">
<img src="https://imgs.xkcd.com/comics/goto.png">
</div>
<div class="searchBox">
<table cellspacing="0" cellpadding="0" border="0">
<tr>
<td>
<form name="frm" id="frm" method="GET">
<input type="text" name="q" size="40" value=""/>
<input type="submit"/>
<br /><br />
</form>
</td>
</tr>
</table>
<br/>
</div>

<?php
if (isset($_GET['q'])) {

CI annotation (GitHub Actions / Checkpatch, line 49): ERROR:TRAILING_WHITESPACE: trailing whitespace
$query = "SELECT * FROM search_engine WHERE title LIKE '" . $_GET['q']. "' OR description LIKE '" . $_GET['q'] . "' OR link LIKE '" . $_GET['q'] . "';";
$result = $conn->query($query);

CI annotation (GitHub Actions / Super Linter, line 51): Variable $conn might not be defined.

echo "<h2>Number of results for '". htmlspecialchars($_GET['q']) . "' : " . $result->num_rows . "</h2>";
?>
<?php
if (isset($result) && $result->num_rows > 0) {
echo "<hr/>";
echo "<br/>";

// output data of each row
while($row = $result->fetch_assoc()) {
echo "<div>";
echo "<a href='" . $row['link'] . "'><h2>" . htmlspecialchars($row['title']) . "</h2></a>";
echo "<h3>" . htmlspecialchars($row['link']) . "</h3>";
echo "<p>" . htmlspecialchars($row['description']) . "</p>";
}
}
?>

</div>
</div>
</body>
</html>
<?php } ?>
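Review bot: the final `<?php } ?>` closes the `if (isset($_GET['q']))` that opens just above the `$query` line, so `</div></div></body></html>` are only emitted when a search was submitted; on the first page load the document is left unclosed. Move the `}` to just after the results loop, before the `</div>` that follows the second `?>`. Three more points in this file: the comment `// Ban space character` sits above a check that bans single quotes, not spaces; `$row['link']` is interpolated into `href='...'` unescaped while `title`, `link` and `description` go through `htmlspecialchars()` elsewhere, and since the union injection lets the solver choose what ends up in that column (a `javascript:` URL needs no quote characters at all), this is a reflected XSS carried in the `q` parameter on top of the SQLi; use `htmlspecialchars($row['link'], ENT_QUOTES)` there too. The stylesheet is also fetched from `http://www.goglogo.com` over plain HTTP. Finally, Checkpatch fails the PR on trailing whitespace at several lines, and Super Linter's `$conn` warning is only because the variable is created in the `require`d `conf/conf.php`; strip the whitespace so CI goes green.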
19 changes: 19 additions & 0 deletions sql-injection/activities/blacklist/src/mysql/init-db.template.sql
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
CREATE DATABASE IF NOT EXISTS `blacklist`;
USE `blacklist`;

DROP TABLE IF EXISTS `search_engine`;
CREATE TABLE `search_engine` (
`title` varchar(50) DEFAULT NULL,
`description` varchar(70) DEFAULT NULL,
`link` varchar(70) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

DROP TABLE IF EXISTS `users`;
CREATE TABLE `users` (
`username` varchar(50) DEFAULT NULL,
`password` varchar(50) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

LOCK TABLES `users` WRITE;
INSERT INTO `users` VALUES ('Administrator','__TEMPLATE__');
UNLOCK TABLES;
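Review bot: `search_engine` is created but never populated, so every legitimate search returns 0 results and the solver has no baseline to confirm the `LIKE` query works at all; a few seed rows (something `%` matches) would make the normal behaviour observable before the injection. The administrator's password in `users.password` is the flag in clear text; that is the challenge design, but a one-line comment saying so will stop a later contributor from "fixing" it with a hash and breaking the task. The table has no primary key, which is harmless here but worth a note if it is ever extended.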
1 change: 1 addition & 0 deletions sql-injection/activities/demo-sql-injection/.gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
public/
28 changes: 28 additions & 0 deletions sql-injection/activities/demo-sql-injection/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
# Name: Demo

## Description

This is a simple demo that will be used as an example in the session.

Similar, but not the same. Can you find the name of the bastard?
Check this out: http://ctf-18.security.cs.pub.ro:8083/

Score: 25

## Vulnerability

SQL injection vulnerability.

## Exploit

Search in the `flags` table for the flag.

## Environment

Web server with PHP and MYSQL support. (deployable as a Docker container using files in `deploy/` folder)

## Deploy

Copy `deploy/` folder and run `make run`.
If you need to update the image and container, remove the old container with `make clean` and update the image (and container) using `make`.
It is not possible to update the container without updating the image first.
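Review bot: the Exploit section ("Search in the `flags` table for the flag") gives neither a payload nor the reasoning, and nothing in this README even says that a `flags` table exists. From the code in this PR, `src/index.php` builds `SELECT * FROM users WHERE name = '<surname>'` and prints `$row['name']`, and `init-db.template.sql` defines `users` with three columns and `flags(k, v)`, so the intended payload is a three-column union in the `surname` field, e.g. `' UNION SELECT v, k, k FROM flags #`; write that down together with why the column count must match. The Description also mixes demo wording ("This is a simple demo") with challenge wording ("name of the bastard"); a demo should state what it demonstrates. Same deploy gap as the blacklist task: `../public/mysql/init-db.sql` is only produced by `make generate` in `src/`, which the Deploy section does not mention.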
3 changes: 3 additions & 0 deletions sql-injection/activities/demo-sql-injection/deploy/Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
FROM php:7.0-apache

RUN docker-php-ext-install mysqli
13 changes: 13 additions & 0 deletions sql-injection/activities/demo-sql-injection/deploy/Makefile
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
build:
docker-compose build

run: build
docker-compose up -d

stop:
docker-compose stop

clean: stop
docker-compose down

.PHONY: build run stop clean
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
version: "3.3"

services:
database:
image: mysql:5.7
environment:
MYSQL_DATABASE: "demo"
MYSQL_USER: "sss"
MYSQL_PASSWORD: "sss"
MYSQL_ROOT_PASSWORD: "root"

volumes:
- "../public/mysql/init-db.sql:/docker-entrypoint-initdb.d/init-db.sql"

web:
build: .
ports:
- "8083:80"
volumes:
- ../public:/var/www/html
links:
- database
1 change: 1 addition & 0 deletions sql-injection/activities/demo-sql-injection/flag
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
SSS{mAsTeR_oF_sQlI}
12 changes: 12 additions & 0 deletions sql-injection/activities/demo-sql-injection/src/Makefile
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
FILE :=../flag
FLAG :=$(shell cat $(FILE))

generate:
rm -rf ../public
mkdir -p ../public/
cp -r mysql ../public/
cp *.php ../public/
sed 's/__TEMPLATE__/$(FLAG)/g' ./mysql/init-db.template.sql > ../public/mysql/init-db.sql
rm ../public/mysql/init-db.template.sql

.PHONY: generate
64 changes: 64 additions & 0 deletions sql-injection/activities/demo-sql-injection/src/index.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
<?php
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

if (isset($_GET['source'])) {
die(highlight_file(__FILE__));
}

require("login.php");
error_reporting(0);

session_start();

if (isset($_POST['surname'])) {
$query = "SELECT * FROM users WHERE name = '" . $_POST['surname'] . "'";
$result = $conn->query($query);

CI annotation (GitHub Actions / Super Linter, line 17): Variable $conn might not be defined.
}
?>

<!doctype html>
<html lang="en" style="height: 100%;">
<script src="http://code.jquery.com/jquery-1.11.0.min.js"></script>

<head>
<!-- Required meta tags -->
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">

<!-- Bootstrap CSS -->
<link href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-EVSTQN3/azprG1Anm3QDgpJLIm9Nao0Yz1ztcQTwFspd3yD65VohhpuuCOmLASjC" crossorigin="anonymous">

<title>Demo SQL injection</title>
</head>

<body style="height: 100%;">
<div class="border d-flex align-items-center justify-content-center h-50">
<form method="POST" action="/index.php">
<div class="form-group">
<label for="searchSurname">Search user by surname</label>
<input name="surname" type="text" class="form-control" aria-describedby="surnameHelp" placeholder="Surname">
<small id="emailHelp" class="form-text text-muted">Funny, do you think you can find me?</small>
</div>

<button type="submit" class="btn btn-primary">Find if you can</button>
</form>

</div>
<div class="border d-flex align-items-center justify-content-center h-50">
<?php
if (isset($result) && $result->num_rows > 0) {
while($row = $result->fetch_assoc()) {
echo "<small id=\"emailHelp\" class=\"form-text text-muted\">" . htmlspecialchars($row['name']) . "</small>";
}
} else {
echo "<small id=\"emailHelp\" class=\"form-text text-muted\">". "Not that simple bro" . "</small>";
}
?>
</div>

</body>

</html>
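Review bot: the `ini_set('display_errors', 1)` / `error_reporting(E_ALL)` calls at the top are cancelled by `error_reporting(0)` right after the `require`, so they are dead configuration; if they were effective, MySQL errors would be echoed to the solver and the challenge would become error-based. Decide which behaviour is intended and delete the other. `session_start()` is called but no session data is used. The `<script src="http://code.jquery.com/jquery-1.11.0.min.js">` tag sits between `<html>` and `<head>`, loads jQuery over plain HTTP with no `integrity` attribute (the Bootstrap link right below has one), and nothing on the page uses jQuery; drop it. `id="emailHelp"` is repeated for every result row, and `<form action="/index.php">` hard-codes the site root. On the positive side, results go through `htmlspecialchars()` and `$conn->query()` executes a single statement, so stacked queries are not possible; the Super Linter `$conn` warning only reflects that the variable comes from `login.php`.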

14 changes: 14 additions & 0 deletions sql-injection/activities/demo-sql-injection/src/login.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
<?php

$servername = 'database';
$username = 'root';
$password = 'root';
$database = 'demo';

$conn = new mysqli($servername, $username, $password, $database);

if ($conn->connect_error) {
die("Unable to connect to MYSQL server");
}

?>
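Review bot: same issue as `blacklist/src/conf/conf.php`: the app connects as `root`/`root` although `docker-compose.yml` provisions the `sss` user scoped to the `demo` database. Use `sss` so an injected query cannot reach other databases or server-level functions. This file is also copied into the web root (`cp *.php ../public/` in `src/Makefile`), so `/login.php` is directly requestable; it emits nothing, but credentials are better kept outside `/var/www/html`.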
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
CREATE DATABASE IF NOT EXISTS demo;
USE demo;

CREATE TABLE IF NOT EXISTS users (name VARCHAR(20), password VARCHAR(32), descr VARCHAR(100));
INSERT INTO users VALUES ("admin", "admin", "admin");
INSERT INTO users VALUES ("ctf", "ctf", "ctf");


CREATE TABLE flags (k VARCHAR(100), v VARCHAR(100));
INSERT INTO flags VALUES ("1", "not_so_ez");
INSERT INTO flags VALUES ("2", "not_so_ez");
INSERT INTO flags VALUES ("3", "not_so_ez");
INSERT INTO flags VALUES ("4", "not_so_ez");
INSERT INTO flags VALUES ("5", "not_so_ez");
INSERT INTO flags VALUES ("6", "not_so_ez");
INSERT INTO flags VALUES ("7", "__TEMPLATE__");
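Review bot: `users` is created with `CREATE TABLE IF NOT EXISTS` but `flags` with a bare `CREATE TABLE`, so re-running the script against an existing data volume fails on the second statement; make them consistent (the blacklist task uses `DROP TABLE IF EXISTS` first). String literals are double-quoted, which only works while `sql_mode` does not include `ANSI_QUOTES`; single quotes are portable. Passwords in `users` are stored in clear text and equal the username, acceptable for a demo but worth a comment so nobody copies the pattern.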
1 change: 1 addition & 0 deletions sql-injection/activities/nightmare-store/.gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
public/