Wednesday, March 31, 2010

Codegate 2010 challenge 19

We have to find a clue about a guy that probably committed suicide, and only a FAT image file (from his phone) is provided. This challenge is very easy if you are lucky to find the key, but it can take a lot of time if not, because we don’t know exactly what we are looking for.

I started opening the mail and web cache files, but there was a lot of garbage, so I decided to change the strategy, opening the entire volume directly in a hex editor and searching for terms like “suicide”. Then, I found some more garbage, but fortunately in the same fragment (very close to this word), I saw a Google search with an odd string (where can i buy potassium cyanide), and this was the key of the challenge.

Codegate 2010 challenge 9

In this challenge we see a web application form with three fields: no, id and pw, with default values (1, guest and guest respectively). Our goal is to login as the administrator.


After some basic tests, we suspect the field no (supposed to be numeric) is vulnerable to SQL injection, but with some added difficulties, because it is filtered. The application will return “Access denied” if the injection contains words like and, or, into, from, /, spaces, quotes and so on.


To bypass the filter, we can replace the following:
• A space with a tabulator (url-encoded as %09)
• The or operator with ||
• The and operator with & (url-encoded as %26)
• Strings literals with hex notation (ex: 'abc' = 0x616263)


Then, we can build and automate a blind SQL injection like this:

index.php?id=guest&pw=guest&no=1||1%09group%09by%09id%09having%09pw>0x61…


We get the password of the first form: rEAD:/TMP/ADMIN_PASSWORD


Unfortunately, it was not the final password, but only a hint (we have to read this file). Because the database was MySQL, we achieved this goal using the load_file() built-in function (remember: we must hex-encode the target file name), injecting as follows:


…&no=1%26(load_file(0x2f746d702f61646d696e5f70617373776f7264)>0x00…)


We get the final key: 0da65a3fde3f2b928ff15b629bcdeebf