March 14, 2019
Hi, I’m Minty Candycane.
Can you help me? I’m in a bit of a fix.
I need to make a nametag for an employee, but I can’t remember his first name.
Maybe you can figure it out using this Cranberry Pi terminal?
The Santa’s Castle Onboarding System? I think it’s written in PowerShell, if I’m not mistaken.
PowerShell itself can be tricky when handling user input. Special characters such as & and ; can be used to inject commands.
I think that system is one of Alabaster’s creations, He’s a little ... obsessed with SQLite database storage.
I don’t know much about SQLite, just the .dump command.
PowerShell Command Injection > PowerShell Call/& Operator
SQLite3 .dump’ing > SQLite3 Data Dump
https://www.digitalocean.com/community/questions/how-do-i-dump-an-sqlite-database
1- First let’s shape our command that we need to dump the database:sqlite3 dbname.db .dump
2- We need to know our database name so Let’s try the options :
Option 1 > doesn’t show any data or error
Option 2 > test a random url here > kringlecon.com
Our database name : onboard.db
3- Adding the call operator &
to command to allows us to execute our command , the &
call operator will force PowerShell to treat the string as a command to be executed, Also at the end we will add ; to separating commands with Semicolons : & sqlite3 onboard.db .dump;
You can find more about separating Commands with Semicolons here : https://docstore.mik.ua/orelly/unix3/upt/ch28_16.htm
4- Let’s try injection with our command in option 2:
Great ! successful Command Injection.
5- Select output from terminal and copy to notepad or you can use Online SQLite viewer like https://sqliteonline.com/
6- Search for the employee with last name Chan, we will find one employee as following:INSERT INTO “onboard” VALUES(84,’Scott’,’Chan’,’48 Colorado Way’,NULL,’LosAngeles’,’90067’,’4017533509’,’[email protected]’);
7- Enter the first name Scott into runtoanswer
same as we did our command injection : & runtoanswer
Thank you so much for your help! I’ve gotten Mr. Chan his name tag. I’d love to repay the favor.
Have you ever visited a website and seen a listing of files - like you’re browsing a directory? Sometimes this is enabled on web servers.
This is generally unwanted behavior. You can find sleighloads of examples by searching the web for index.of.
On a website, it’s sometimes as simple as removing characters from the end of a URL.
What a silly misconfiguration for leaking information!
Finding Browsable Directories
On a website, finding browsable directories is sometimes as simple as removing characters from the end of a URL.
Website Directory Browsing
https://portswigger.net/kb/issues/00600100_directory-listing