| 1 | +# RuCTF Finals 2023 | SCP |
| 2 | + |
| 3 | +## Description |
| 4 | + |
| 5 | +[SCP Foundation](https://ru.wikipedia.org/wiki/SCP_Foundation) |
| 6 | + |
| 7 | +SCP - service that works with scp documents and provides query language to manipulate documents. This language can create, aggregate documents and hide some information in documents. |
| 8 | + |
| 9 | +## Vulnerability |
| 10 | + |
| 11 | +### First way |
| 12 | + |
| 13 | +1. Let's start analyze from frontend. We can see that frontend sends some queries `@doc <- {(${offset}, ${limit}) -> list};{(@doc) -> result};`. Server returns response that contains some id and owner. |
| 14 | +But frontend makes other query `@docId <- ${id};@doc <- {(@docId) -> get};{(@doc) -> result}`, This query returns some text with `ДАННЫЕ УДАЛЕНЫ` and we can realize that here is something hidden. |
| 15 | +1. So we have some query language that makes some queries and hide some fields. Let's try to analyze binary file. |
| 16 | + |
| 17 | +### First way |
| 18 | +1. By searching `token` in binary we can find SQL queries and recognize that user identify by token |
| 19 | +2. Let's try to find variables linked with user by pattern `@user`. We can find `@userspace` |
| 20 | +3. Now we can try to put `@userspace = "{some_username}"` and get document with `{user_name}` owner. Magic! it returns hidden fields. |
| 21 | + |
| 22 | +### Second way |
| 23 | +1. By searching .java in binary we can find all Java classes. In a few minutes or hours we can find `Specials.java` and one line below `USER_SPACE({*})`. |
| 24 | +We know that string with prefix `@` is a variable, and we have `Specials.java` with `USER_SPACE`. Let's suppose that `USER_SPACE` is special variable and try to find `@user` and we get `@userspace`. |
| 25 | +1. Now we can try to put `@userspace = "{some_username}"` and get document with `{user_name}` owner. Magic! it returns hidden fields. |
| 26 | + |
| 27 | +## Sploit |
| 28 | + |
| 29 | +1. First of all we need to get documents with owner. It possible to do with query |
| 30 | +``` |
| 31 | + @docs <- {(0, 50) -> list}; |
| 32 | + {(@docs) -> result}; |
| 33 | +``` |
| 34 | +2. We have users with their documents. Now we need rewrite `@userspace` and get every document |
| 35 | +``` |
| 36 | + for doc, user in doc_with_user: |
| 37 | + userspace = f'@userspace <- "{u}";' |
| 38 | + doc = '@doc <- {(' + d + ') -> get};' |
| 39 | + res = '{(@doc) -> result};' |
| 40 | + query = userspace + doc + res |
| 41 | +``` |
| 42 | +3. Make request with rewritten `@userspace`. Congrats! |
| 43 | + |
| 44 | + |
| 45 | +## Defense |
| 46 | + |
| 47 | +1. We need to forbid change `@userspace` from request. We know that `@userspace` determine by token |
| 48 | +2. By searching `TOKEN` we can find enum that contains `SCPQL` and `TOKEN` |
| 49 | +3. By searching `scpql` we can find `server.pragmaAuth=scpql`. Little thinking and we recognize that it is auth property |
| 50 | +4. We can replace `server.pragmaAuth=scpql` with `server.pragmaAuth=token` and forbid redefinition of `@userspace` |
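Review bot: the sploit loop in lines 36-40 will not run as written: it unpacks `for doc, user in doc_with_user:` but then interpolates `u` and `d`, which are never bound, and on the next line it reassigns `doc` to the query fragment, shadowing the loop variable. Change the loop header to `for d, u in doc_with_user:` (or use `doc`/`user` consistently in the f-strings) and give the query fragment a different name, e.g. `get = '@doc <- {(' + d + ') -> get};'`. Separately, lines 11 and 17 both carry the heading `### First way`; the first block is the shared frontend analysis that both ways build on, so retitling it (e.g. `### Analysis`) would stop the two headings from colliding in the rendered table of contents. In the Defense section it would also help readers to state explicitly that after switching `server.pragmaAuth` to `token` the service must reject a request whose query still contains `@userspace <- ...` rather than silently ignore it, since the writeup's only evidence of the fix is the property name.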