Sans Hack Challenge 2016 – the 7th audio

Right, so let’s continue last post and look at getting the final audio file.

Running nmap -sC gets me something very interesting, namely a .git directory, that’s accessible over http:

443/tcp open https
| http-git:
| Git repository found!

I can get its contents like this:
wget --no-check-certificate --mirror -I .git
At this point I only have the git history, but no files. No problem, I can get the files as follows:
git checkout -- . restores all files from git history

Looking through the source I find that the login cookie contains the username (encrypted), and that the encryption key is part of the source code. That means I can craft a valid cookie as user ‘administrator’. The following code accomplishes this:

$auth = encrypt(json_encode([
‘username’ => ‘administrator’,
‘date’ => date(DateTime::ISO8601),
echo bin2hex($auth);

The actual security issue here (besides the source code being publicly available) is that the encryption key for the session cookie is stored with the source code. That’s never a good idea, keys and passwords are part of the runtime configuration of the production system and must not be stored with the code itself.

I intercepted the HTTP response of the login request in OWASP ZAP and replaced the AUTH cookie with the generated value. I am now in as administrator!

That means I have access to the edit.php page becomes available, which allows updating a saved query. Using the HTML form only name and description can be updated, however the request handler code is generic enough that will update any column if the correct GET parameter is set

By adding the query parameter to the http request, this I can run any query on the database. That’s a very nice SQL injection vulnerability!

I used the following steps to extract the mp3:
– execute any query (i.e. usage), save query -> remember ID
– go to edit.php page, set name, description, intercept with OWASP ZAP and add query=select * from audio (urlencoded)
-> I now have the id / primary key of the 7th audio (3746d987-b8b1-11e6-89e1-42010af00008)

Unforunately I cannot download it directly, as the download script checks that the audio belongs to the logged in user, and that the logged in user is ‘guest’. So I can’t get it as administrator, but I can’t get it as ‘guest’ either, as the file belongs to the administrator user.
The solution to that is to dump the content of the mp3 as part of the query, over which I have control by using the edit.php page. One slight problem is that the mp3 is binary, so it won’t play very nice with being rendered into a HTML page. There’s a simple solution to that as well, dump the mp3 as Base64 encoded data!
– edit query again, set query=select to_base64(mp3) from audio where id='3746d987-b8b1-11e6-89e1-42010af00008' (urlencoded again)
– the view.php page will now contain the base64 encoded content of the 7th audio.

– then extract it from the page and convert it to an mp3 file with a small python script:

fh = open("discombobulatedaudio7.mp3", "wb")

Leave a Reply

Your email address will not be published. Required fields are marked *