
hamayanhamayan's blog

Apache Log [DarkCTF]

Apache Log
scyb3rz0n3
Our servers were compromised!! Can you figure out which technique they used by looking at Apache access logs. flag format: DarkCTF{}

We are given Apache logs.

I go through them and carefully strip out the entries that are obviously not needed.

192.168.32.1 - - [29/Sep/2015:03:29:07 -0400] "GET /thisisnotflag HTTP/1.1" 404 504 "-" 

🤣

::1 - - [29/Sep/2015:03:29:22 -0400] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.2.22 (Debian) (internal dummy connection)"

What is this?

192.168.32.1 - - [29/Sep/2015:03:30:56 -0400] "GET /?id=1%27%20or%20flag=flag HTTP/1.1" 200 484 "-" 

This one is doing SQL injection.

192.168.32.1 - - [29/Sep/2015:03:35:39 -0400] "GET /fdsfdsa HTTP/1.1" 404 501 "-" 

Hm?

192.168.32.1 - - [29/Sep/2015:03:37:34 -0400] "GET /mutillidae/index.php?page=user-info.php&username=%27+union+all+select+1%2CString.fromCharCode%28102%2C+108%2C+97%2C+103%2C+32%2C+105%2C+115%2C+32%2C+83%2C+81%2C+76%2C+95%2C+73%2C+110%2C+106%2C+101%2C+99%2C+116%2C+105%2C+111%2C+110%29%2C3+--%2B&password=&user-info-php-submit-button=View+Account+Details HTTP/1.1" 200 9582 "http://192.168.32.134/mutillidae/index.php?page=user-info.php&username=something&password=&user-info-php-submit-button=View+Account+Details" 0.2454.101 Safari/537.36"

Very suspicious 👀
Running it through CyberChef gives String.fromCharCode(102, 108, 97, 103, 32, 105, 115, 32, 83, 81, 76, 95, 73, 110, 106, 101, 99, 116, 105, 111, 110).
Running that through CyberChef again gives flag is SQL_Injection

192.168.32.1 - - [29/Sep/2015:03:38:46 -0400] "GET /mutillidae/index.php?csrf-token=&username=CHAR%28121%2C+111%2C+117%2C+32%2C+97%2C+114%2C+101%2C+32%2C+111%2C+110%2C+32%2C+116%2C+104%2C+101%2C+32%2C+114%2C+105%2C+103%2C+104%2C+116%2C+32%2C+116%2C+114%2C+97%2C+99%2C+107%29&password=&confirm_password=&my_signature=&register-php-submit-button=Create+Account HTTP/1.1" 200 8015 "http://192.168.32.134/mutillidae/index.php?page=register.php" 

This one also has something in it.
Decoding it the same way as above gives you are on the right track

192.168.32.1 - - [29/Sep/2015:03:39:46 -0400] "GET /mutillidae/index.php?page=client-side-control-challenge.php HTTP/1.1" 200 9197 "http://192.168.32.134/mutillidae/index.php?page=user-info.php&username=%27+union+all+select+1%2CString.fromCharCode%28102%2C%2B108%2C%2B97%2C%2B103%2C%2B32%2C%2B105%2C%2B115%2C%2B32%2C%2B68%2C%2B97%2C%2B114%2C%2B107%2C%2B67%2C%2B84%2C%2B70%2C%2B123%2C%2B53%2C%2B113%2C%2B108%2C%2B95%2C%2B49%2C%2B110%2C%2B106%2C%2B51%2C%2B99%2C%2B116%2C%2B49%2C%2B48%2C%2B110%2C%2B125%29%2C3+--%2B&password=&user-info-php-submit-button=View+Account+Details" 

Decoding this one as well...
flag is DarkCTF{5ql_1nj3ct10n}
This is it!

192.168.32.1 - - [29/Sep/2015:03:40:53 -0400] "GET /dvwa/login.php?username=did+you+get+the+flag%21&password=&Login=Login HTTP/1.1" 200 986 "http://192.168.32.134/dvwa/login.php" 

Yes
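
The two CyberChef steps used above (URL-decode, then convert the char codes) can be scripted to sweep a whole access log, including the Referer field, which is where the final flag was hidden. This is an added example, not part of the original writeup; the sample log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# The two encoders seen in the log: JavaScript String.fromCharCode(...) and
# SQL CHAR(...), each wrapping a comma-separated list of decimal char codes.
CHARCODE_RE = re.compile(r"(?:String\.fromCharCode|\bCHAR)\(([\d,\s+]+)\)", re.I)
# Quoted fields of a combined-format line: request line, Referer, User-Agent.
QUOTED_RE = re.compile(r'"([^"]*)"')

# Constructed sample lines (documentation addresses, made-up payload text).
SAMPLE_LOG = [
    '192.0.2.1 - - [01/Jan/2020:00:00:01 +0000] "GET /missing HTTP/1.1" 404 501 "-" "-"',
    '192.0.2.1 - - [01/Jan/2020:00:00:02 +0000] "GET /index.php?username='
    'CHAR%28104%2C+105%29 HTTP/1.1" 200 8015 "-" "-"',
    '192.0.2.1 - - [01/Jan/2020:00:00:03 +0000] "GET /index.php?page=home HTTP/1.1" '
    '200 9197 "http://192.0.2.10/index.php?username='
    'String.fromCharCode%28108%2C%2B111%2C%2B103%29" "-"',
]

def decode_charcodes(field):
    """Return every char-code payload hidden in one URL-encoded log field."""
    # %28 -> "(", %2C -> ",", "+" -> space, %2B -> literal "+"
    text = unquote_plus(field)
    found = []
    for match in CHARCODE_RE.finditer(text):
        codes = [int(n) for n in re.findall(r"\d+", match.group(1))]
        if all(c < 0x110000 for c in codes):  # skip values chr() cannot map
            found.append("".join(map(chr, codes)))
    return found

def scan_log(lines):
    """Yield (line_number, decoded_text) for each payload in any quoted field."""
    for number, line in enumerate(lines, start=1):
        for field in QUOTED_RE.findall(line):
            for decoded in decode_charcodes(field):
                yield number, decoded

if __name__ == "__main__":
    for number, decoded in scan_log(SAMPLE_LOG):
        print(f"line {number}: {decoded}")
```

Scanning every quoted field matters here: a filter that only looks at the request path would have skipped the entry whose payload sits in the Referer.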