SqliLab CTF, Wrap Up!


As you will have noticed from the noise on Twitter and other channels, the second public CTF was a major success: over 3000 registrations, ~7K unique IPs, 7 GB of logs (in 3 days) and heaps of fun. As with anything, we had some unwanted visitors, who tried to take the CTF down with a DNS amplification DDoS attack. The site's performance was affected, but the CTF stayed up and we provided some extra time to make up for the downtime.

So, just to wrap up: the CTF had 2 objectives, and those who obtained both flags ended up on the leaderboard. We will wait for the winners to publish their individual write-ups. In the meantime, here is a sneak peek into the code and the vulnerabilities.

Both flags were based on existing challenges in our SQLi Lab. SQLi Lab is an awesome place to learn and master SQL injection: 4 databases, 27 challenges, 90 objectives and heaps of fun!

Okay, with the marketing done, let's dive into the CTF. The 2 vulnerabilities on which the CTF was based were:

1. Column Truncation
2. Double decode SQL Injection

The 2nd flag was particularly tricky to get and most people had difficulty getting it.


Here is some code from the application:

// Deliberately vulnerable CTF code: both values are escaped first...
$comments = mysql_real_escape_string($_POST['message']);
$url      = mysql_real_escape_string($_SERVER['HTTP_REFERER']);
// ...but the Referer value is urldecode()d only after escaping, so an
// encoded quote passes the escaping untouched and becomes a real quote here.
$query = "Insert into temp values('".$comments."','".urldecode($url)."')";

The trick here is to identify the following:

1. The attack surface is not just the HTTP parameters but other headers too (e.g. Referer).
2. The application performs a urldecode() on the header value after validation.

Thus, %27 (') gets escaped by mysql_real_escape_string(), whereas %2527 doesn't get escaped and urldecode() converts it to %27, which triggers the vulnerability. It is actually common for applications to URL-decode data coming from fields such as Referer. Both vulnerabilities have affected popular applications such as WordPress, and we have found them in custom applications during our pentests.

We didn't want people to run benchmark() and sleep() against the database, so we decided to blacklist them:

// Keyword blacklist, checked against the decoded Referer value
$patterns = array('sleep', 'benchmark');
$patterns_flattened = implode('|', $patterns);   // "sleep|benchmark"
if (preg_match('/'.$patterns_flattened.'/i', urldecode($url)))
{
    echo 'Attack detected';
    die;
}

This made identifying the vulnerability a bit more difficult. But the fact that you could see which functions were blacklisted gave participants a clue that this header could potentially be vulnerable. Further, the application gives feedback depending on whether the SQL query returned an error or not:

// Distinguishable success/error messages: an oracle for the attacker
$result = mysqli_query($dbConnection, $query);
if ($result) {
    echo "Thanks!, we will be in touch...";
}
else
{
    echo "Error Occured :(";
}
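The following is an added example (not the CTF's own code) that models the two points above in one place: the escape-then-decode ordering that lets an encoded quote through, and the blacklist plus distinguishable error message that act as an oracle. It assumes a first URL decode happens at the web layer before the escaping step (modelled with urllib's unquote, matching the post's description that %27 arrives as a quote), re-implements mysql_real_escape_string()'s character escaping in Python, and uses an in-memory sqlite3 table named temp in place of MySQL. The hardened handler decodes exactly once, binds values as parameters, keeps the keyword match as a log signal only, and returns the same text to the client whether or not anything was flagged.

```python
import re
import sqlite3
from urllib.parse import unquote

# Python re-implementation of the characters mysql_real_escape_string()
# escapes (assumption for this demo: no charset handling).
_ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
            "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}


def mysql_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescaped_quote_count(sql: str) -> int:
    """Count single quotes not preceded by a backslash. Two string literals
    contribute exactly four; any more means a literal was broken out of."""
    return len(re.findall(r"(?<!\\)'", sql))


def vulnerable_query(message: str, referer_header: str) -> str:
    """Same ordering as the CTF snippet: decode once at the web layer
    (assumed), escape, then urldecode again after validation."""
    url = unquote(referer_header)        # first decode, before validation
    comments = mysql_escape(message)
    url = mysql_escape(url)              # the 'validation' step
    return ("Insert into temp values('" + comments + "','"
            + unquote(url) + "')")       # second decode, after validation


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE temp(message TEXT, url TEXT)")
    return conn


BLACKLIST = re.compile("|".join(["sleep", "benchmark"]), re.IGNORECASE)
UNIFORM_RESPONSE = "Thanks!, we will be in touch..."


def hardened_handler(conn: sqlite3.Connection, message: str,
                     referer_header: str) -> tuple:
    """Return (text shown to the client, internal log line).

    Decoding happens exactly once; the values are bound as parameters so
    quoting is the driver's job; the keyword list only adds a log flag;
    and the client always sees the same text, so the response is no
    longer an oracle for SQL errors."""
    url = unquote(referer_header)
    flags = []
    if unquote(url) != url:              # a second decode would change it
        flags.append("double-encoded referer")
    if BLACKLIST.search(url):
        flags.append("blacklisted keyword in referer")
    try:
        conn.execute("INSERT INTO temp VALUES(?, ?)", (message, url))
        conn.commit()
        stored = True
    except sqlite3.Error as exc:         # detail goes to the log, not the client
        flags.append("db error: %s" % exc)
        stored = False
    log_line = "stored=%s flags=%s" % (stored, flags)
    return UNIFORM_RESPONSE, log_line


def stored_urls(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT url FROM temp")]


if __name__ == "__main__":
    # Constructed sample headers, as a browser would send them.
    single = "http://example.test/?q=%27"
    double = "http://example.test/?q=%2527"
    print(vulnerable_query("hi", single), unescaped_quote_count(vulnerable_query("hi", single)))
    print(vulnerable_query("hi", double), unescaped_quote_count(vulnerable_query("hi", double)))
    db = make_db()
    print(hardened_handler(db, "hi", double))
    print(stored_urls(db))
```

Running the block shows the single-encoded quote arriving in the statement as \' (four unescaped quotes, a well-formed statement) while the double-encoded one arrives as a bare ' (five, a broken literal); the hardened handler stores the once-decoded string "%27" as data, and its log line, not its response, carries the flag.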

We will leave the CTF link live for another few days for people to have a go at it. We are not accepting any submissions now. Thanks all for playing!

Finally, if you are interested in the topic of Injection Flaws, you can register for our class at Black Hat Las Vegas 2014.

A full write-up on the CTF can be found here.