Micro CMS v2
Let's turn up the heat.
You will need a few tools on this one; easiest if you are lazy like I am and don't want to re-invent the wheel.
Tools I played around with at first: you will need to get the database information, and to do that you need data, and a lot of it.... this is 2020, not 1999, so I don't need to set up squid or a proxy server to LOG everything I send in and out.... no way... I am running Slackware on a VM because I am streaming this live on twitch.tv. So what distro do people use these days, and that I talk shit about? Kali Linux. I talk shit about it because of how easy it makes it for kids to get a hold of and do stuff without learning why, but like all Linux distros, you can get the source and compile it.
The first tool I started with is mitmproxy, because they say this is a hard tool to use. But I beg to differ: this tool was 10x easier than setting up a squid proxy server and sifting through logs, and you can inject without modding the proxy server. But this is console based; I can sit for days sifting through features as I am loving it.
I moved to Burp Suite because it's the same damn tool just with more stuff, but it's all GUI based and.... icky Java! ewww.... Anyways, I pick up on software super easy, especially if it is GUI based; I am a hands-on person. I do the same thing, inject, and we can also decode/encode and use other features and such... The only thing I really hate about this software is that it isn't fully open source software and they charge money for other features that are useless, well, at least for me; I guess if you're some kid who got their degree in cyber security you might need it for corporation standards. Pretty much everything you can do in the Free version of Burp you can also do in mitmproxy with mods.
SQLMap, now this console tool is fun to play with: it can dump tables, IDs, and the content displayed inside, including decoding the basic encryption for the password field, but it is all just an automation of many different SQL injection flaws out there.
Back to this CMS system: it's a different setup but still same same.
- Flag 1 – We have a login for editing or creating a new page, so this CMS's security has stepped up a bit. Ok, let's see if this is as easy as it has been; let's use admin/admin as the user/pass, or root/root, all showing unknown user. I accidentally hit ' and hit enter when guessing common user and password combos, but I got an error with this...
if cur.execute('SELECT password FROM admins WHERE username=\'%s\'' % request.form['username'].replace('%', '%%')) == 0:
File "/usr/local/lib/python2.7/site-packages/MySQLdb/cursors.py", line 255, in execute
self.errorhandler(self, exc, value)
File "/usr/local/lib/python2.7/site-packages/MySQLdb/connections.py", line 50, in defaulterrorhandler
raise errorvalue
ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 1")
Now there is something: they do use MySQL... mm, and I broke it on accident with '
I have been working in SCCM a lot for the past few years, so knowing SQL commands is something. So, let's create a command, because this error tells me that I can execute a SQL command.
Username: ' UNION SELECT '111' AS password#
Password: 111
and I am in! Now click on the new link "private page"; that page turns into your first flag.
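The traceback above shows why a single quote breaks the login: the username is pasted straight into the SQL text. As an added example, not code from this write-up or from the CTF application, here is that query shape built by string formatting beside the parameterized form. It runs offline against an in-memory SQLite table with constructed data; the table and column names are taken from the traceback, the admin row is made up. SQLite uses ? as the placeholder where MySQLdb uses %s with a tuple as the second argument to execute(); the effect is the same, the value never becomes part of the statement.

```python
"""Added example: string-formatted query (the CMS shape) vs. a
parameterized query, demonstrated on an in-memory SQLite database."""
import sqlite3


def make_db():
    # Constructed sample data: one admin row with a made-up password.
    # 'admins', 'username' and 'password' mirror the names in the traceback.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('editor', 'not-a-real-secret')")
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    # Same construction as the CMS, reduced to its shape: the username is
    # interpolated into the SQL text, so a quote in the input becomes
    # part of the statement instead of part of the value.
    sql = "SELECT password FROM admins WHERE username='%s'" % username
    return conn.execute(sql).fetchone()


def lookup_safe(conn, username):
    # Parameterized: the driver passes the value separately from the SQL,
    # so quotes, UNION and comment characters are only bytes of a string.
    sql = "SELECT password FROM admins WHERE username=?"
    return conn.execute(sql, (username,)).fetchone()


def demo():
    conn = make_db()
    results = {}
    # A lone quote: the unsafe version raises a syntax error, the SQLite
    # counterpart of the MariaDB 1064 the write-up hit by accident.
    try:
        lookup_unsafe(conn, "'")
        results["unsafe_quote"] = "no error"
    except sqlite3.OperationalError:
        results["unsafe_quote"] = "syntax error"
    # The same quote through the parameterized query: no user, no error.
    results["safe_quote"] = lookup_safe(conn, "'")
    # The write-up's UNION payload through the parameterized query: it is
    # compared literally against the username column and matches nothing.
    results["safe_union"] = lookup_safe(conn, "' UNION SELECT '111' AS password#")
    # A real username still works.
    results["safe_valid"] = lookup_safe(conn, "editor")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The parameterized lookup is the whole fix for this flag's bug; a framework ORM does the same thing under the hood, and the MariaDB error message itself (a 1064 leaking into the HTTP response) is a second, smaller problem worth turning off in production.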
- Flag 2 – Now let's use a tool, mitmproxy or Burp, whatever you want to see.
I started to stream this in the past week, where I played with both and got this flag. What I was doing was seeing if I could intercept the forms and change the response; I ended up editing a page and letting both mitmproxy and Burp log the request, then resubmitting the request, turning a GET command into a POST, and from there I got the second flag. This one was to show or demonstrate that interception with a MITM attack could do some stuff.
- Flag 3 – This one got me a bit, as I started to review both mitmproxy and Burp Suite to see what I could find, if I could find something.
The hint I reviewed was "Credentials are secret, flags are secret. Coincidence?"
So, I dug more and more into the requests back and forth, modifying both in and out of the requests, but only ended up with flag 2... including different ways to inject '1=1#, so at this point I needed a username and password. I loaded up SQLMap and let it dump the tables with the rows, and I ended up dumping the whole set of usernames and passwords, and I used one of them, which got me flag number 3.