From Hack Evergreen Wiki
Jump to: navigation, search

NotSoSecure was a 'micro' ctf offered by SQLiLabs. It featured two challenges involving a single SQL injection vulnerability. GNU-E-Ducks were one of the few teams to complete both challenges.

Writeups in progess.

Part 1

Initially we are tasked with entering a website under the Admin user and are only presented with a login page. From here we make our first attempt with the classic string "' OR 1=1 #" in the username field and garbage in the password field. We are immediately greeted with an error message telling us that no such user exists. Another clue is echoed through the page, but it is not immediately obviously when viewed in a browser. Invoking curl on the error page will display the hexadecimal 73656365745F72 6567697374652E68746D6C which repesents the ascii "secret_register.html". Now when visiting this page we can see that we can register an account with the fields username email, password, and password confirmation. We register a dummy account with basic attributes and notice that when we log in with this account that the new cookie is set. This cookie goes by the title 'session_id' and has a value of the base64'd email address we entered. We also notice another strange phenomenon. We are able to register usernames which contain SQL metacharacters like the single-quote. This could mean one of two things, the metacharacters are being stripped out when they enter the database or they are being escaped. We realize if they are being escaped we may have a second-order SQL injection on our hands. We enter a single quote and notice that the session_id disappears, we imagine this is because the email session_id is taken from a SQL query itself, and this is where the second-order SQL injection exists. We can now start formulating an attack string for this hypothesis.

We build

"2pac' UNION SELECT password, user FROM users WHERE user = 'admin'; -- "

Imagine the PHP code that might perform this query.


$user = "select user from users where username = '" . mysql_real_escape_string($_POST['username']) . "' and password = '" . mysql_real_escape_string($_POST['password']) . "'";

// the '.' operator is string concatenation in PHP

$session_id = "select email from emails where username = '" . $user . "'";


and register a user with that username. We now login and base64 decode the session_id cookie we were given and it contains the admin's password! Now that we've logged in with the admin's credentials we are given a new challenge. "Level 2's flag is contained in secret.txt..."