HTS.org R4 challenge

Preface

I stated my reasoning behind this article series in the first article which can be found here.
To avoid redundancy please check out the preface over there and let’s get right into action!

note: If I write non sense in this and the next following articles please correct me for the sake of me and others not getting confused and mixed up with things :slight_smile: .

Author Assigned Level: Wannabe

Community Assigned Level:

  • Newbie
  • Wannabe
  • Hacker
  • Wizard
  • Guru

0 voters

Required Skills

Since we’re starting at the beginning not much knowledge is required at the moment.

  • basic HTML
  • SQL

Disclaimer

These write ups are only my 2 cents on the challenges. So don’t take them too seriously. :wink:


HTS.org realistic challenges

Realistic challenge 4

Message:

Message: Hello, I was referred to you by a friend who says you know how to hack into computers and web sites - well I was wondering if you could help me out here. There’s this local store who is killing hundreds of animals a day exclusively for the purpose of selling jackets and purses etc out of their skin! I have been to their website and they have an email list for their customers. I was wondering if you could somehow hack in and send me every email address on that list? I want to send them a message letting them know of the murder they are wearing. Just reply to this message with a list of the email addresses. Please? Their website is here. Thanks so much!!

What can we extract from the message?

  • There’s some kind of email list
  • We shall retrieve all emails registered on that list

The site:

The main page doesn’t reveal much. Just two sub sites where you can browser their catalogue and the possibility to add yourself to the email list.

The source

Once again we have a “one liner” when it comes to the html code. But here we can see 3 different .php scripts working on this site.

....
<a href="products.php?category=1">Fur Coats!</a>
....
<a href="products.php?category=2">Alligator Accessories!</a>
....
<font face="verdana" size=2>Join our mailing list to receive updates!<br /><form action="addemail.php" method="post"><input type="text" name="email" value="[email protected]"><Br><input type="submit" value="add to list"></form></font></center>

The ‘hack’

So let’s think about this some more. We have an email list of potential customers.
We have a catalogue like shop which displays the article, a description and a price.
It’s unlikely that this text is hardcoded somewhere.
It’s more likely that these catalogue entries represent a single line from a database.
It just makes it more convenient.
So let’s try a little more XSS with some SQL injection.

So we have this URL:

 .../products.php?category=1

Let’s change it to

.../products.php?category=1 and 1=1

This statement is still TRUE and if the site is vulnerable to SQL injection it should display still the same results.
And yes this works!

So what could we try next to see if there’s really a database behind all of this?
How about ‘order by’ a specific column ;)?
Let’s try ordering it by column 2

As you can easily see the catalogue changed.
This method works!
We can try ordering by different columns now until we reach a point where we get a bad return.
Then we definitely know how many columns are involved in this database!

So ordering by 5 won’t work and returns a blank page.
Now we know that the database has 4 columns!

Whats next?

Did you already forget our initial goal?
No? Good!
Let’s try to find some emails!
So first things first.
Let’s try to select all results from the database with UNION ALL SELECT 1,2,3,4
Why UNION ALL?
Because just UNION would remove duplicates.
Since we are searching for all entries no matter the article in the catalogue we want to display all entries.
So here is our new URL:

.../products.php?category=-1 union all select 1,2,3,4

The numbers we inserted in the URL will get displayed on the page as one can see below:

We want to switch out the numbers for real values now, so we have to find the corresponding identifiers!
But first things first. Why is there just one result displayed?
We need to specify or more find out from which SQL table we want to UNION ALL SELECT these values.
Since we want to find emails we could try FROM email.

Ah a lucky guess! We were correct with that assumption, that there exist a SQL table ‘email’.
So now we want to switch out the numerical values for the correct values.
So what are we interested in?
Emails of course! So let’s try this!
Numbers 2 and 3 are currently displayed so let’s switch one of those numbers from the URL to ‘email’

There we go. Now we just need to extract all those emails and send them to the person from our message above!

Conclusions

This time we had a little more in depth SQL tutorial on how to test for SQL injection and what you can try to do to find some values you want to extract from the webpage

The next article of the series can be found here once it’s up!!

Stay tuned :wink:

3 Likes

You don’t even have to guess that the table is ‘email’, just put a invalid email in the submit form and it says:
Error inserting into table “email”! Email not valid! Please contact an administrator of Fischer’s
:slight_smile:

2 Likes

Oh good catch :smile: . I missed that one!

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.