30 Sep 2012

CSAW 2012 – Web 200

A simple web-based challenge, where anyone can create their own account and log in. The goal is to log in as Administrator, but we don’t know the password 🙁

The source code for the login.php file is provided:

<?php
    $good = true;
    include('mysql.php');
    $key = 'key{...}';
    $auth = false;
    $admin = false;
    if ($_SERVER['REQUEST_METHOD'] == 'POST') {
        $mysql->real_query('SELECT * FROM `csaw`.`users` 
           WHERE `user` LIKE "' . 
          $mysql->real_escape_string($_POST['user']) . '";');
        if ($mysql->errno != 0) {
            echo('Error.');
        } else {
            $result = $mysql->store_result();
            while ($row = $result->fetch_assoc()) {
                if ( $_POST['pass'] == $row['pass'] ) {
                    $auth = true;
                }
                if ( $row['user'] == 'Administrator' ) {
                    $admin = true;
                }
            }
        }
        if ( $auth && $admin ) {
            echo( $key );
        }
    }
?>

The user parameter is escaped, so we can’t easily inject SQL code; however, the query uses LIKE, which treats % as a wildcard (real_escape_string does not touch % or _). If we supply the username a%, all records whose name begins with a are returned. Since Administrator begins with A (LIKE is case-insensitive under MySQL's default collation), the admin flag will be set. The two flags are set independently while looping over the result set, so they don't have to come from the same row: if we also know the password of any single user whose name starts with a, the auth flag will be set too and we’re in.

We solved it by registering an account called abc with password abc and logging in with username a% and password abc.

This yields the flag: key{6e6a5f85aa6880aa3d4bd1f0477b149d}
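To make the flag-mixing bug concrete, here is an added example (not part of the original writeup) that mirrors the login.php logic over an in-memory SQLite table with constructed rows, beside a fixed version that matches the username exactly with a bound parameter and evaluates both checks against the same row. SQLite's LIKE is case-insensitive for ASCII, like MySQL's default collation, so a% matches Administrator here too.

```python
import sqlite3
import hmac

# Constructed sample data: the attacker-registered "abc" account, the target
# account, and an unrelated user (passwords are plaintext only to mirror the page).
ROWS = [("Administrator", "s3cret-admin-pw"), ("abc", "abc"), ("bob", "hunter2")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT, pass TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return db


def vulnerable_login(db, user, password):
    """Mirrors login.php: LIKE keeps % and _ live, and the auth and admin flags
    may be set by two different rows of the same result set."""
    auth = admin = False
    # Quote escaping (what real_escape_string does) leaves LIKE wildcards intact.
    escaped = user.replace("'", "''")
    rows = db.execute(f"SELECT user, pass FROM users WHERE user LIKE '{escaped}'")
    for row_user, row_pass in rows:
        if password == row_pass:
            auth = True
        if row_user == "Administrator":
            admin = True
    return auth and admin


def fixed_login(db, user, password):
    """Bound parameter with an exact match, so % and _ are ordinary characters,
    and the password and identity checks are tied to the single row returned."""
    row = db.execute("SELECT user, pass FROM users WHERE user = ?", (user,)).fetchone()
    if row is None:
        return False
    row_user, row_pass = row
    # Constant-time comparison; a real system would compare password hashes.
    return hmac.compare_digest(password, row_pass) and row_user == "Administrator"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, a%/abc:", vulnerable_login(db, "a%", "abc"))   # True
    print("fixed, a%/abc:", fixed_login(db, "a%", "abc"))             # False
```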

5 Responses to “CSAW 2012 – Web 200”

  1. if your username is ‘abc’, shouldn’t this line fail?


    if ( $row['user'] == 'Administrator' ) {
        $admin = true;
    }

    an_animal
  3. ah right, it works, because there is a while there…….ok, thanks!

    an_animal
  5. Wait..
    SQLi isn't case-sensitive?

    a% works. Is it the same as A%?

    Nice post
    Thanks
    Yogeesh Seralathan