Skip to main content

Easy Web Application Security Machine: CSharp VulnJSON ಠ_ಠ (day 101)

Hi everyone! Welcome back to another vulnhub machine walkthrough. In this post, we will try to solve the the Csharp VulnJSON machine, this particular machine are focus on introducing some key concept of known web application attacks.

We will go through each of the vulnerability and we will see how we can elevate this into a working exploit.

You Complete Me meme

Background:

Setting up this machine is easy, the author provide us with .ova file and all we have to do is just import the file then we good to go.
 

 

Information Gathering:

first, we need to find out what is the machine ip address, to do this I used nmap to do ping sweep on my local network.


from the result above we can see that the target machine is with 192.168.1.7. Now that we have our target IP address, let's proceed with scanning the open port on the machine.


cool! so the machine only open port 80 and this will make it much more simple. If we go to the web server, we are welcomed with two forms: first is used for create a user and the other one is for searching user.


Sensitive Data Exposure:

Okay, before we start fuzzing the form to find any indication of vulnerability, let's try to mapping the web application.



Using dirsearch for the tools to mapping the website and finding hidden directory, we found one which is "/bin/". We can achieved the same result using wfuzz like the below figure.


By going to the "/bin/" folder we found several interesting file that worth to download and look.


It looks like the .dll file is a .net assembly, we can analyze the .dll using monodis(https://www.mono-project.com/docs/tools+libraries/tools/monodis/)

you can use monodis the following way:

~# monodis <.dll file>

the Newtonsoft.Json.dll is the external library there is nothing interesting inside it, you can just proceed to ch2_vulnerable_json_endpoint.dll file

1. the web app use npgsql  which is a .Net framework used to communicate with a database.



2. we got the columns of the table used for creating user.
 

3. we got the the credential of the database(postgresql). But please be aware that the database can only be accessed from localhost.


Union SQL injection:

we start by inserting some random data to create user form.

 
 
I create several of them and input string into the list users form to check if its successfully submitted to db. Looks like it done and we can see the search is not omitting a strict keyword.
 
 
 
Lets try to intercept the List user query first using burp suite and send it to the repeater, so we can edit and send it multiple times.

 
 
 
 
Notice in the figure above our input is send with JSON format, furthermore, I put a single quote after the "aa" string this to test if there is an error that we could trigger to DB and from the result we got what we are looking for. This indicate that "username" section is vulnerable to sql injection.

Let's try to determine how many columns that we can insert in our union sql injection using "order by" command.


 
after a couple of times try to adjust the number, it seems that we can only fit one column into the union, let's try this assumption by inserting union statement.

 
it looks like we are right track, the union statement work and able to show the combine string that we append. Looking back to information that we got from .dll file regarding columns and table, we don't need to query information_schema table.

we know that there are columns: username and password inside the users table so we only need to combile simple select statement along with union and the name of column and table in our payload, like the figure below.


Sweet! we just get the content of the users database and able to retrieve the username and password.

Undeleted Username:

We can create undeleted account in the database by just simply append double quote at the beginning of the name, for example:

 
 
when we try to change the method into delete, the server return success however it does not delete the account. This is due to the double quote of inside the name that messed up the DELETE statement in sql query. 

 
 
 

INSERT SQL injection:

just like the list user form the create user form susceptible with sql injection but unlike the union sql injection that we have conducted earlier, INSERT sql injection is easier. If the application is vulnerable, an attacker can inject arbitrary values in to the database using crafted input, like this:
 
 
 
 
Next, we need to locate where the injected data is reflected back by the application.  The first payload will return database that used, while the second will return the postgres version. We can get the result by submitting empty search to the list user, like below figure.
 
The last two result, show the current database that used now and the version of postgresql. 
 

Leveraging sqlmap to retrieve DB and shell from database:

Lastly, we can use sqlmap to get the same result like the previous union and insert sql injection.

to do this via sqlmap, the least painful way is to saved the http post transaction from burp suite to a file.
 
 
Then passed to the sqlmap, like below figure:
 
 
 
 
Walaaa! we got the same result. To get the interactive shell to the postgresql, all you need to do is just append "--os-shell"
 

 
 
That's all folks, I hope you enjoy this post and see you in the next post of vulnhub.

Comments

Post a Comment

Popular posts from this blog

Having fun analyzing nginx log to find malicious attacker in the net (ง'̀-'́)ง (day 37)

  What makes you sleepless at night? is it because of a ghost or scary stories? is it because you have an important meeting tomorrow? or is it because you have an exam? For me, what keeps me up all night is that I keep thinking about what happens to a website that I just created, is it safe from an attacker (certainly not) or did I missing some security adjustments that lead to vulnerability? well I'm not the best secure programmer in the world, I'm still learning and there is a big possibility that I can make a mistake but for me, a mistake can be a valuable investment to myself or yourself to be better so from this idea, I want to know more about what attackers casually do when attacking a website. Here in this post, I'm going to show you how I analyzed attack to the website that I have permission to design and also some interesting findings that I could get from the analysis Background: All of this analysis comes from the traffic that is targeted to th
Post a Comment
Read More »

Utilize Pwntools for crafting ROP chain :') (day 69)

who doesn't like pwntools? it is a very versatile tool and can be customized according to our need using the python script but did you need to know that pwntools itself can help us to automatically craft a rop chain for us? so in this post, I will show you how to make rop chain less painful and make pwntools do all the heavy lifting. To demonstrate this I will use the binary challenge callme 64 bit from ropemporium link: https://ropemporium.com/challenge/callme.html Crashing the app: Like any other exploitation process, we need to crash the program by generating a long string pattern to determine the offset. based on the information from the above figure we can see that we required to provide 40 bytes of offset Fun stuff: now this where the fun stuff began write the following python script: as in the guideline of the challenged said we need to chain the function call by first to call the callme_one function, callme_two function and then callme_three funct
Post a Comment
Read More »

WriteUp PWN tarzan ROP UNICTF ಠ_ಠ (day 61)

So in this post, I'm going to talk about how to solve the Tarzan pwn challenge from UNICTF 2019. Back in the day when the competition is still going I couldn't finish it and don't have any clue to solve this but this time I was able to finish it :) Also in this post, we will be going to be heavily focused on how to utilize pwntools to construct a ROP chain. If you kinda confused about my explanation in this post you can refer to this following youtube video, link: https://www.youtube.com/watch?v=gWU2yOu0COk I build the python script based on this video Ok, let's get started! In this challenge, you will get two binary first go with tarzan and libc-2.29.so by providing .so file it tell us what version library that the target machine is using this could help us to do ROP chain. first, we run the Tarzan binary to get the basic idea of the program work and as you can see it just show you some text, newline and when you try to input something it doesn't gi
Post a Comment
Read More »