Wednesday, March 31, 2010

Codegate 2010 challenge 9

In this challenge we see a web application form with three fields: no, id and pw, with default values (1, guest and guest respectively). Our goal is to log in as the administrator.


After some basic tests, we suspect that the no field (which is supposed to be numeric) is vulnerable to SQL injection, but with an added difficulty: the input is filtered. The application returns “Access denied” if the injection contains keywords such as and, or, into, from, the / character, spaces, quotes and so on.


To bypass the filter, we can replace the following:
• A space with a tab character (URL-encoded as %09)
• The or operator with ||
• The and operator with & (URL-encoded as %26)
• String literals with hex notation (e.g. 'abc' = 0x616263)


Then we can build an automated blind SQL injection like this:

index.php?id=guest&pw=guest&no=1||1%09group%09by%09id%09having%09pw>0x61…


We get the password of the first form: rEAD:/TMP/ADMIN_PASSWORD


Unfortunately, this was not the final password but only a hint: we have to read that file. Because the database was MySQL, we did so with the load_file() built-in function (remember that the file name must be hex-encoded, since quotes are filtered), injecting as follows:


…&no=1%26(load_file(0x2f746d702f61646d696e5f70617373776f7264)>0x00…)


We get the final key: 0da65a3fde3f2b928ff15b629bcdeebf
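The filter bypass and the hex-encoded load_file() trick above both illustrate why a keyword blocklist on a numeric parameter is not a fix. The following is an added example, not the challenge's source or the author's script: it models the blocklist as the write-up describes it, shows that the write-up's (URL-decoded) payloads slip through it while a strict allow-list rejects them, gives the parameterized query a patched index.php should issue (the users table name is an assumption), and decodes MySQL 0x... literals so a reviewer can read such payloads in access logs.

```python
import re

# Model of the challenge filter as described in the write-up (rejects the
# words and/or/into/from, plus "/", spaces and quotes). Constructed for
# illustration; the real filter's source is not on the page.
BLOCKED_WORDS = ("and", "or", "into", "from")
BLOCKED_CHARS = set("/ '\"")

def blocklist_allows(value: str) -> bool:
    """True if the naive blocklist would let `value` reach the query."""
    lowered = value.lower()
    if any(re.search(rf"\b{w}\b", lowered) for w in BLOCKED_WORDS):
        return False
    return not (BLOCKED_CHARS & set(value))

def strict_allows(value: str) -> bool:
    """Allow-list check: `no` must be a plain decimal integer."""
    return re.fullmatch(r"[0-9]{1,10}", value) is not None

def lookup_query(no: str) -> tuple[str, tuple]:
    """Validated, parameterized lookup; the driver binds the value, so no
    SQL is ever built from user text. Table name `users` is assumed."""
    if not strict_allows(no):
        raise ValueError("no must be a decimal integer")
    return ("SELECT id, pw FROM users WHERE no = %s", (int(no),))

def decode_hex_literals(sql_fragment: str) -> str:
    """Rewrite MySQL 0x.. literals as quoted ASCII for log review."""
    def repl(m: re.Match) -> str:
        text = bytes.fromhex(m.group(1)).decode("ascii", "replace")
        return "'" + text + "'"
    return re.sub(r"0x((?:[0-9a-fA-F]{2})+)", repl, sql_fragment)

# Constructed samples: the write-up's `no` values after URL decoding
# (%09 -> tab, %26 -> "&").
SAMPLE_BLIND = "1||1\tgroup\tby\tid\thaving\tpw>0x61"
SAMPLE_LOADFILE = "1&(load_file(0x2f746d702f61646d696e5f70617373776f7264)>0x00)"

if __name__ == "__main__":
    for sample in (SAMPLE_BLIND, SAMPLE_LOADFILE):
        print("blocklist:", blocklist_allows(sample),
              "strict:", strict_allows(sample))
        print("decoded:", decode_hex_literals(sample))
    print(lookup_query("1"))
```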
