EBCTF 2013 - Web200 Writeup
In this challenge we faced up a login form that we bypass in order to get the flag. It use a NoSQL database so no SQL injection this time. If we try to login we get always the same message that inform us the user doesn’t exists. But if we input a username with spaces in it an error is provided:
BSD licensed, advanced key-value store returned an error: -ERR wrong number of arguments for ‘get’ command
What this mean? Googling the error we discovered the query we submit is processed by Redis (http://redis.io/). With Redis for submit more than a query you havte to use the CRLF chars. W tryed this: http://22.214.171.124:5000/?action=login&username=asd%0d%0ainfo&password=asd
and a message popped out saying the SHA-1 of the database don’t match the SHA-1 of the password we supplied. So now we know that the script match the output of the query with our password hashed with SHA-1. Now a problem: how do we return a custom SHA-1 hash? The function SCRIPT LOAD help us. Infact the ECHO, PUBLISH, etc where denied so we cannot use them. As the documentation said SCRIPT LOAD return the SHA-1 of the code it loads, so just put a LUA code like this: ‘print (11)’ in username field with SCRIPT LOAD and in password field put the code so ‘print (11)’. Final query is:
http://126.96.36.199:5000/?action=login&username=j%0d%0a%0d%0a script load print(11)&password=print(11)
P.S: since the output didn’t showed up submitting a second query we must to submit a 3rd one.