DOJO CHALLENGE #6 Winners!

2020-12-22

The 6th DOJO CHALLENGE was about finding a valid SQL injection that bypasses an input filter forbidding the use of common SQL comments.

WINNERS!

We are glad to announce the #6 DOJO Challenge winners list.

5 FIRST SOLVES (in order)

rekter0
dtql
marcosen
Robin
KerwiXx

5 BEST WRITE-UP REPORTS

smidthjohn886
holme
NERVEUX
KerwiXx
dtql


Subscribe to our Twitter or LinkedIn feeds to be notified of the upcoming challenges.

Read on to find the best write-up as well as the challenge author's recommendations.

The challenge

You had two input fields you could inject into, but you could not use any comments to escape the query. Also, your inputs were stored in a separate table from the one the displayed output is fetched from.

We asked you to produce a qualified write-up report explaining the logic allowing such exploitation. This write-up serves two purposes:

  • Ensure no copy-paste would occur.
  • Determine the contestant's ability to properly describe a vulnerability and its vectors in a professionally written report. This capacity gives us invaluable hints about your own unique talent as a bug hunter.

BEST WRITE-UP REPORT

smidthjohn886's report was particularly efficient at detailing the exploitation logic, so we decided to reproduce it here.
We only publish the best report, but we received an outstanding variety of payloads, each with its own genius and encoding tricks.
They were great fun to read.
Thank you!

smidthjohn886's Write-Up

Description

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.
Source: OWASP

Exploitation

Problem description

We have some SQL code that is taking user inputs. These inputs are not properly escaped. Indeed, the character "'" is not escaped, which enables an attacker to break the SQL code.
Usually, an attacker uses multiple statements or comments to easily customize the query without worrying about the application too much. But here some characters generally used for this purpose are blacklisted, like /* -- ; #

Step by step solution

The challenge is to extract the admin password from the database. One solution would be to use a Union Select query. This query will query the users database (known from previous challenges) and extract the password. Code similar to this would do it:

 Select password from users Where username='admin'

But here, our code is inserted into two statements. The "Insert" statement needs a result with two columns and the "Select" statement needs only one column. Yes, we have spotted the major difficulty of this challenge.
The question is, how to inject a Union Select that could return one column in one case and two in the other case from the same source code?
There is no easy answer (at least that I know).

Then by analysing the code, we can see that we have two inputs. Moreover, they are used in a different order...
By playing a little with these inputs, we can get an interesting result. Some text could be interpreted as a string in one statement and as SQL in the other statement... Great, we are close to a solution!

Then we need to be able to generate a valid SQL query. We need to customize it a little to get a working SQL query.
We have 3 requirements:

  • do not break sql syntax :)
  • Insert statement should have two columns
  • do not modify too much the last statement, but we want to test that we can execute SQL in it

Tricks:

  • In order to concat injected string, we can use "||".
  • We will also use the function char() to test that we can properly execute SQL.

Here is a valid syntax example:

Now, we can customize the request with a Union Select request:

Tricks:

  • use the SQL operator IN to finish the request with '); properly
  • to avoid restriction from this operator add a 1=1 Or condition

Then remember the initial goal of the challenge: extract the admin password. The request needs some tuning:


Tricks:

  • If you try to do a username='admin', it will break the Insert statement. It is better to avoid '. We can generate the admin string by concatenating char(xx)

Final payload:

$name=','||'') Union Select password From users Where username=char(97)||char(100)||char(109)||char(105)||char(110) or username In( ''||'
$val=||'

PoC

payload:

$name=','||'') Union Select password From users Where username=char(97)||char(100)||char(109)||char(105)||char(110) or username In( ''||'
$val=||'

-------------- END OF smidthjohn886 REPORT ------------------

BitK's Editor note

BitK

BitK is the Technical Ambassador at Yes We Hack. He also created the DOJO and this challenge.

For this challenge we received a lot of different payloads. Here are two other solutions that use a function call to get around the lack of comments. These are unintended solutions, +1 for the imagination.

KerwiXx:


$name=',') UNION SELECT COALESCE((SELECT password FROM users),'
$val='

Nerveux:


$name=',') UNION select trim((SELECT password from users),'
$val='
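
Added example, not part of the original post or the challenge's source: a Python/sqlite3 sketch showing that the comment blacklist accepts the payloads quoted above, and that binding the two inputs as parameters leaves them as inert data. The `logs` and `motd` tables, the two statement templates and the stored secret are assumptions constructed to match the write-up's description (two inputs, used in a different order by an Insert and a Select).

```python
import sqlite3

BLACKLIST = ("/*", "--", ";", "#")  # tokens the write-up lists as filtered

# (name, val) pairs quoted on this page; nothing new is introduced here.
PAYLOADS = {
    "smidthjohn886": ("','||'') Union Select password From users Where username="
                      "char(97)||char(100)||char(109)||char(105)||char(110)"
                      " or username In( ''||'", "||'"),
    "KerwiXx": ("',') UNION SELECT COALESCE((SELECT password FROM users),'", "'"),
}

def passes_filter(*inputs):
    """True when no blacklisted token occurs in any input."""
    return not any(tok in s for s in inputs for tok in BLACKLIST)

def make_db():
    """Constructed schema: only `users` is named on the page, the rest is assumed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(username TEXT, password TEXT);
        CREATE TABLE logs(name TEXT, val TEXT);
        CREATE TABLE motd(name TEXT, msg TEXT);
        INSERT INTO users VALUES('admin', 'CONSTRUCTED-SECRET');
        INSERT INTO motd VALUES('guest', 'hello');
    """)
    return db

def concatenated(db, name, val):
    """Vulnerable form: inputs spliced into both statements, in opposite order."""
    db.execute("INSERT INTO logs VALUES('%s','%s')" % (name, val))
    sql = "SELECT msg FROM motd WHERE name IN ('%s','%s')" % (val, name)
    return [row[0] for row in db.execute(sql)]

def bound(db, name, val):
    """Hardened form: same statements, values passed as bound parameters."""
    db.execute("INSERT INTO logs VALUES(?, ?)", (name, val))
    sql = "SELECT msg FROM motd WHERE name IN (?, ?)"
    return [row[0] for row in db.execute(sql, (val, name))]

if __name__ == "__main__":
    for who, (name, val) in PAYLOADS.items():
        print(who, passes_filter(name, val),
              concatenated(make_db(), name, val), bound(make_db(), name, val))
```

With bound parameters the quote characters never reach the SQL parser, so the fix does not depend on enumerating dangerous tokens.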

