The story begins with an error message that inspired me to do some hacking (SQL injection, RCE, exposed source code, privilege escalation).
The title of this article was inspired by the writeup From wedding to Hacking. I had just taken the certification exam **********, and until the moment I pressed the “End Exam” button it kept resetting my login session; then somehow, when I reloaded the browser, it showed the error message “You have an error in your SQL syntax;” together with a “Please login again” alert.
I had never thought about looking for bugs there before, but that error message woke me up to look for more, because my own data is in that system and I would hope the CBT system I use is secure in terms of CIA (Confidentiality, Integrity, Availability).
Why does the error appear?
Given the above conditions, of course I immediately opened Burp Suite. After capturing the request to the endpoint, it turned out there was a POST parameter whose value was empty.
I tried manual SQLi with ORDER BY, UNION SELECT and so on, but my injected queries produced no results beyond finding the last ORDER BY number that still worked. So I used sqlmap with the basic command below:
python sqlmap.py -r ../cbt --dbs --tamper=between --random-agent --batch -p exam_group
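The error page above is the classic symptom of request data being spliced straight into a query string. The following is an added example, not code from the CBT application, showing the vulnerable pattern next to the parameterized fix with SQLite as a stand-in; the table and column names are assumptions, and only the parameter name exam_group comes from the writeup.

```python
import sqlite3

# Constructed in-memory stand-in for the CBT database. The table and column
# names are assumptions for this example; only the POST parameter name
# exam_group comes from the writeup.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE exams (id INTEGER PRIMARY KEY, exam_group TEXT, title TEXT)"
    )
    conn.executemany(
        "INSERT INTO exams (exam_group, title) VALUES (?, ?)",
        [("A", "Network Security"), ("B", "Web Security"), ("A", "Cryptography")],
    )
    conn.commit()
    return conn


def find_exams_unsafe(conn, exam_group):
    # Vulnerable pattern: the request value is spliced into the SQL text, so a
    # quote in the input changes the statement instead of staying data.
    sql = (
        "SELECT title FROM exams WHERE exam_group = '" + exam_group + "' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def find_exams_safe(conn, exam_group):
    # Hardened pattern: a bound parameter is always treated as a value.
    sql = "SELECT title FROM exams WHERE exam_group = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (exam_group,))]


def demo():
    conn = make_db()
    results = {}
    results["safe_normal"] = find_exams_safe(conn, "A")
    # A stray single quote: the concatenated statement is malformed and the
    # driver raises, which is what an "error in your SQL syntax" page leaks.
    try:
        find_exams_unsafe(conn, "A'")
        results["unsafe_quote"] = "no error"
    except sqlite3.OperationalError:
        results["unsafe_quote"] = "syntax error"
    # The bound version just looks for a group literally named A' and finds none.
    results["safe_quote"] = find_exams_safe(conn, "A'")
    # An empty value, like the one captured in Burp, matches nothing either.
    results["safe_empty"] = find_exams_safe(conn, "")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point for defenders is twofold: bind every request value as a parameter, and never return the driver's error text to the browser, because that text is what tells a tester the input reached the query.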
Source Code Exposed
Not only SQLi: my browser extension (DotGit) showed that the CBT exposed a .git folder, which made me analyze more deeply.
Prepare your tools. I used the git-dumper package to fetch and extract the .git folder.
I waited for it to finish and ran the git checkout command. That brings up the folder structure of the project, but of course the sensitive files listed in .gitignore cannot be recovered this way.
Time to Privilege Escalation
Before reading the code further, from running the git checkout command above I found a .sql file in the public directory, redacted.com/idk.sql. I could see the database structure, and this is where the initial idea of privilege escalation came from, because the usernames and passwords were not encrypted. I could log in, but it looked like I could not get in as the dummy user or as the user with the highest access rights.
This is a snippet of the SQL from the user table. There are various roles, and I could log in as every role except Administrator; maybe the account with the Administrator role no longer exists, I thought.
I logged in with the PIC role; there were only a few menus: Exam, Student, User, etc. Strange! Menus such as the dummy accounts had no data in their tables, and only the User menu displayed a list of users with the roles above. As a PIC you can add users, but you are limited to 3 roles.
I added a user normally, choosing the Proctor role; with Burp Suite I intercepted the Add User request and changed the role to Administrator to see what would happen. It brought up a “successfully added” alert.
After that, I successfully logged in and got full access.
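The Add User flow accepted whatever role the request body carried, so the three-role limit existed only in the UI. Below is an added example (not the application's code) of the same handler written two ways: trusting the client's role field, and checking the requested role against an allowlist keyed on the acting session's role, with a log line for every denial. The role names other than Administrator, PIC and Proctor, and the exact assignment matrix, are assumptions modelled on the writeup.

```python
# Assumed assignment rules modelled on the writeup: a PIC may create users in
# three roles, and only an Administrator may create another Administrator.
# "Participant" is a constructed role name for this example.
ASSIGNABLE_BY = {
    "Administrator": {"Administrator", "PIC", "Proctor", "Participant"},
    "PIC": {"PIC", "Proctor", "Participant"},
}


class Forbidden(Exception):
    """Raised when the acting user may not grant the requested role."""


def add_user_unsafe(actor_role, form):
    # Vulnerable pattern: the stored role is whatever the client sent. The UI
    # offers three options, but an intercepted request can carry any value.
    return {"username": form["username"], "role": form["role"]}


def add_user_safe(actor_role, form, audit):
    # Hardened pattern: the set of grantable roles is derived from the
    # session's role on the server, never from the request body.
    allowed = ASSIGNABLE_BY.get(actor_role, set())
    requested = form.get("role", "")
    if requested not in allowed:
        # A PIC session asking for Administrator is exactly the event a
        # defender wants in the audit log and alerting on.
        audit.append(
            f"DENY actor_role={actor_role} requested_role={requested!r} "
            f"username={form.get('username')!r}"
        )
        raise Forbidden(f"{actor_role} may not assign role {requested!r}")
    audit.append(
        f"ALLOW actor_role={actor_role} requested_role={requested} "
        f"username={form['username']!r}"
    )
    return {"username": form["username"], "role": requested}


def attempt(actor_role, form, audit):
    # Small wrapper so callers get an outcome tuple instead of an exception.
    try:
        user = add_user_safe(actor_role, form, audit)
        return ("allowed", user["role"])
    except Forbidden as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    log = []
    tampered = {"username": "eve", "role": "Administrator"}
    print("unsafe:", add_user_unsafe("PIC", tampered))
    print("safe:  ", attempt("PIC", tampered, log))
    print("\n".join(log))
```

Note that the check keys on the role stored in the server-side session, so changing the role field in the request only changes which line lands in the audit log.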
Lastly, time to RCE?
It didn’t take much time to understand the code; all I did was focus on the file upload. I found various functions and conditions, such as a function that only allows xls, pdf, etc., until I found one that allows all extensions.
As you can see in the image below, the left is the safe function and the right is the one prone to unrestricted file upload: I could upload dangerous files easily without rejection.
cat etc/password and boom!
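The difference between the two upload functions in the screenshot is whether the server decides what it will store. As an added example (not the application's code), here is an allowlist-based validator for the xls/pdf case the writeup mentions: it normalizes the extension, checks the declared content type, verifies the file's leading bytes against the format, and stores the file under a server-generated name so the client's filename never reaches disk. The xlsx entry and the exact set of allowed types are assumptions.

```python
import os
import secrets

# Allowlist of (expected Content-Type, acceptable leading bytes) per extension.
# pdf and xls come from the writeup; xlsx is an assumed addition.
ALLOWED = {
    ".pdf": ("application/pdf", (b"%PDF-",)),
    ".xls": ("application/vnd.ms-excel",
             (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",)),  # OLE2 compound file
    ".xlsx": ("application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
              (b"PK\x03\x04",)),  # OOXML is a zip container
}


def accept_all_unsafe(filename, content, declared_type=None):
    # Vulnerable pattern: anything goes, stored under the client's filename.
    return (True, filename)


def validate_upload(filename, content, declared_type=None):
    """Return (True, stored_name) or (False, reason)."""
    # Strip any directory components, whatever separator the client used.
    base = os.path.basename(filename.replace("\\", "/"))
    _, ext = os.path.splitext(base)
    ext = ext.lower()  # report.PDF and report.pdf are the same case
    if ext not in ALLOWED:
        return (False, "extension not allowed")
    expected_type, magics = ALLOWED[ext]
    if declared_type is not None and declared_type != expected_type:
        return (False, "content-type mismatch")
    # Check the bytes, not the name: shell.php.pdf still has to look like a PDF.
    if not any(content.startswith(magic) for magic in magics):
        return (False, "content does not match extension")
    # Server-generated name: the client's filename never reaches the filesystem.
    stored = secrets.token_hex(16) + ext
    return (True, stored)


if __name__ == "__main__":
    # Constructed sample uploads for the demo.
    samples = [
        ("report.PDF", b"%PDF-1.4 constructed sample", "application/pdf"),
        ("shell.php", b"<?php echo 1; ?>", None),
        ("shell.php.pdf", b"<?php echo 1; ?>", "application/pdf"),
        ("../../grades.xls", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1 rest", None),
    ]
    for name, data, ctype in samples:
        print(name, "->", validate_upload(name, data, ctype))
```

Even with this check, the upload directory should sit outside the web root or be served with script execution disabled, so that a file which slips past validation is still only ever returned as data.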
Learning from this, as a developer you should make a program that is safe inside and out. What does that mean? Outside means the features that require no auth; inside means the authenticated features. And as a bug hunter, keep digging to get maximum severity.
Thank you, see you in the next story.