In this challenge, we need to recover the key from the website of DONGPO-SA Capital. This website in running on Windows with Apache, PHP and MySQL.
This website is actually full of sql injections in the various parameters.
For example:
http://114.201.226.217:5454/board/delete.html?mode=form&delete_uno=[sqli here]
We first tried to exploit this and managed to dump all the databases on the server. But the key wasn’t there.
[*] board
[*] information_schema
[*] mysql
[*] phpmyadmin
DATABASE management system users:
[*] 'board' @ 'localhost'
[*] 'phpmyadmin' @ 'localhost'
[*] 'root' @ 'localhost'
DATABASE management system users password hashes:
[*] board : *4A7A3755AA518CFB9E2480F77AEF9D1D6EE15857
[*] phpmyadmin : *3C281371A5A96ACC8FE7177B7C269CC7C9C9C816
[*] root : *3C281371A5A96ACC8FE7177B7C269CC7C9C9C816
+------------+
| board |
+------------+
| board_free |
+------------+
+------------------------------+
| board_free |
+---------------+--------------+
| COLUMN | TYPE |
+---------------+--------------+
| client_ip | VARCHAR(20) |
| content | text |
| email | VARCHAR(50) |
| gno | INT(10) |
| hit | INT(5) |
| homepage | VARCHAR(50) |
| html_tag | INT(5) |
| name | VARCHAR(20) |
| passwd | VARCHAR(255) |
| register_date | INT(10) |
| reply_depth | VARCHAR(255) |
| subject | VARCHAR(60) |
| uno | INT(10) |
+---------------+--------------+
We then tried to peruse the disk content using the FILE privilege of the user. We downloaded all the relevant files of the challenge but the source code didn’t show any vulnerability that would allow us to inject PHP.
We tried to upload some PHP shell using the sql injection but we couldn’t find a writable directory that would be in the DocumentRoot and writable by the MySQL process.
Finally, we noticed that one of the form was using the fckeditor 2.6.6 and that the PHP upload connectors was enabled.
Using the sql injection file read, we dumped the fckeditor config and found the following relevant part:
$Config['UserFilesPath'] = '..\\..\\..\\..\\..\\userfiles\' ;
$Config['ConfigAllowedTypes'] = array('File', 'Image', 'Flash', 'Media') ;
$Config['AllowedExtensions']['File'] = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi'
, 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ;
$Config['DeniedExtensions']['File'] = array() ;
$Config['FileTypesPath']['File'] = $Config['UserFilesPath'] . 'file/' ;
$Config['FileTypesAbsolutePath']['File']= ($Config['UserFilesAbsolutePath'] == '') ? '' : $Config['UserFilesAbsolutePath'].'file/' ;
$Config['QuickUploadPath']['File'] = $Config['UserFilesPath'] ;
$Config['QuickUploadAbsolutePath']['File']= $Config['UserFilesAbsolutePath'] ;
$Config['AllowedExtensions']['Image'] = array('bmp','gif','jpeg','jpg','png') ;
$Config['DeniedExtensions']['Image'] = array() ;
$Config['FileTypesPath']['Image'] = $Config['UserFilesPath'] . 'image/' ;
$Config['FileTypesAbsolutePath']['Image']= ($Config['UserFilesAbsolutePath'] == '') ? '' : $Config['UserFilesAbsolutePath'].'image/' ;
$Config['QuickUploadPath']['Image'] = $Config['UserFilesPath'] ;
$Config['QuickUploadAbsolutePath']['Image']= $Config['UserFilesAbsolutePath'] ;
$Config['AllowedExtensions']['Flash'] = array('swf','flv') ;
$Config['DeniedExtensions']['Flash'] = array() ;
$Config['FileTypesPath']['Flash'] = $Config['UserFilesPath'] . 'flash/' ;
$Config['FileTypesAbsolutePath']['Flash']= ($Config['UserFilesAbsolutePath'] == '') ? '' : $Config['UserFilesAbsolutePath'].'flash/' ;
$Config['QuickUploadPath']['Flash'] = $Config['UserFilesPath'] ;
$Config['QuickUploadAbsolutePath']['Flash']= $Config['UserFilesAbsolutePath'] ;
$Config['AllowedExtensions']['Media'] = array('aiff', 'asf', 'avi', 'bmp', 'fla', 'flv', 'gif', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'png', 'qt', 'ram', 'rm', 'rmi', 'rmvb', 'swf', 'tif', 'tiff', 'wav', 'wma', 'wmv') ;
$Config['DeniedExtensions']['Media'] = array() ;
$Config['FileTypesPath']['Media'] = $Config['UserFilesPath'] . 'media/' ;
$Config['FileTypesAbsolutePath']['Media']= ($Config['UserFilesAbsolutePath'] == '') ? '' : $Config['UserFilesAbsolutePath'].'media/' ;
$Config['QuickUploadPath']['Media'] = $Config['UserFilesPath'] ;
$Config['QuickUploadAbsolutePath']['Media']= $Config['UserFilesAbsolutePath'] ;
Conveniently the fckeditor test file were still there: http://114.201.226.217:5454/board/fckeditor/editor/filemanager/connectors/test.html
We played with it but, because of the whitelist in the config file, we couldn’t upload php or html files except into a special category named “Invalid type (for testing)”
This was strange because this category wasn’t in the fckeditor config file.
Then it occured to me that if we were able to list the folders and files in this category using the fckeditor test uploader, it means the file were still uploaded somewhere. But where?
Still using the sql injection, we downloaded the fckeditor source code for the connectors and noticed a vulnerability has been introducted:
{</code>
global $Config ;
// Get the resource type directory.
//$sResourceTypePath = GetResourceTypeDirectory( $resourceType, $sCommand ) ;
//SendError( 1,$resourceType ) ;
$sResourceTypePath = $Config['UserFilesPath'].$resourceType.$folderPath;
// Ensure that the directory exists.
$sErrorMsg = CreateServerFolder( $sResourceTypePath ) ;
if ( $sErrorMsg != '' )
SendError( 1, "Error creating folder "{$sResourceTypePath}" ({$sErrorMsg})" ) ;
// Return the resource type directory combined with the required path.
return CombinePaths( $sResourceTypePath , $folderPath ) ;
}
Notice how $sResourceTypePath is now not checked anymore against the config file. So the “Invalid category” files will be located in “..\\..\\..\\..\\..\\userfiles\\” relative to the connector + “Invalid”
We uploaded a C99 shell to the invalid folder and used it to find the key file located in the htdocs folder:
key is : webvuln3r4bility