Hack This Site: Realistic Mission 2
May 22, 2014
Freedom of Speech
This mission links to an American Nazi party website hell-bent on making itself look as ignorant as possible. I first mouse over everything that might be a link. Hack This Site actually thought it was a good idea to link to a real American national-socialist website. Thanks a lot. Anyway, you can either highlight the entire page, like I did, or view the source, which reveals the admin's login page, update.php. Also, always remember to read what you can on their websites; they often give clues about what you need to do...
Here is the page update.php. Check the source and see where and how the data is passed. It posts the data to update2.php, which then checks whether the username and password match a row in the database. An SSI vulnerability will not exist here, because SSI only works if the server renders the submitted text (or image) that it processes; XSS works the same way.
The user Destroyfascism is asking us to obtain admin access. When we check back at the main page, we see that a post organizing a racist meet-up was made by WhiteKing. It seems he has authority and probably admin access.
An example of a SQL vulnerability is when the website compares submitted values against a database to log a user in. This is exactly what is happening on this website. Also, the submit button says "query", which is often a sign of SQL.
Another way to tell if you have a possible SQL vulnerability is to put your known username into the field and then just put a single quote (') into the password field. If it gives you back an error, chances are it can be injected with your own SQL.
Let's type his username into the username field on his update.php page. Now, there is a classic security exercise and commonly used method of putting an operator through a form field that gets processed by the server. The form sends a query when you hit submit, and it passes it like:
SELECT * FROM users WHERE username='$_GET[username]' AND password='$_GET[password]'
This query checks to make sure the corresponding values are both matching (AND operator).
We have a correct username, so that part of the query is satisfied, but when we get to the password part of the query we have nothing. However, there is a way to make that irrelevant: we can add the OR operator. With the OR operator we can use an expression like 'a'='a or '1'='1 to make the query say:
SELECT * FROM users WHERE username='$_GET[username]' AND password='' OR '1'='1'
What this does is continue the query instead of actually ending it at the password check: the leading quote closes the empty password string, and "OR '1'='1" is appended. Since 1 always equals 1, the condition is always true and you will always get in. MAKE SURE you don't put a single quote after the ='1, because the server's own closing quote already follows your input; an extra one prematurely ends the query and gives you an error.
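To show why the comparison above is exploitable and what the fix looks like, here is an added example (not code from the mission or from this post) that runs the same WHERE-clause pattern against a constructed in-memory SQLite table. The user name, password and table are made up for the example; the query shape is the one quoted above. It contrasts a string-built query with a parameterised one, and also reproduces the single-quote probe and the trailing-quote mistake described in the text.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the mission's database.
    The credentials below are invented for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'example-password')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string interpolation, mirroring the
    SELECT ... WHERE username='$_GET[username]' AND password='$_GET[password]'
    pattern shown in the walkthrough. Quotes in the input become SQL syntax."""
    sql = (f"SELECT * FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterised form: the driver passes the input as data, so a quote or
    an OR in the password can never change the statement's structure."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def probe_raises_error(conn, username, password):
    """The single-quote probe from the text: a database syntax error is the
    signal that input reaches the query text unescaped."""
    try:
        login_vulnerable(conn, username, password)
        return False
    except sqlite3.OperationalError:
        return True


def run_demo():
    """Runs each case and returns the outcomes so they can be checked."""
    conn = make_db()
    payload = "' OR '1'='1"            # the expression discussed in the text
    return {
        "vuln_correct": login_vulnerable(conn, "admin", "example-password"),
        "vuln_injected": login_vulnerable(conn, "admin", payload),
        "safe_correct": login_safe(conn, "admin", "example-password"),
        "safe_injected": login_safe(conn, "admin", payload),
        # A lone quote leaves the string literal unterminated: syntax error.
        "probe_error": probe_raises_error(conn, "admin", "'"),
        # The trailing-quote mistake the text warns about also errors out.
        "trailing_quote_error": probe_raises_error(conn, "admin", payload + "'"),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The interesting line is `safe_injected`: with placeholders the same input is simply compared as a password string and the login fails, which is the mitigation for the class of bug this mission demonstrates. The `probe_error` case is the detection signal from the walkthrough; in production, the defender-side equivalent is to log and alert on database syntax errors generated by user input rather than echo them back.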
Anyway, once you hit submit you're done!