MiniCTF Security Challenge 3

August 12, 2014

MiniCTF Security Challenge 3: SQL Injection

Sadly, I haven't had much time to post due to family issues. Things have changed, and now I am back. Let's get started.

Going to the third security challenge brings us a fake security company's webpage. You can read about how 1337 they are because they can change desktop backgrounds. Let's investigate further to see if we can find any way to send the server our own commands. The login page has a form, but it is protected from injection. Check by entering a single quote (').

The members-only page is blocked, obviously, with no visible input. Let's check the members' directory listing. It's always a good place to look--for recon--but in this case it gives us a way to put in our own data. Please note that all the users are admins as well. Check the URL when you click one of the members' names.



Here the URL carries a value taken from a table (the member's id), which member-info.php processes and uses to look up and display that member's record. Let's see if we get an error when we put in a single quote like so:

http://damo.clanteam.com/sch3/member-info.php?id=%27
Note: Normally to get this information out (it's really not useful in this example, anyway) is:


Looks perfect for injection. The page takes in the id number (stallone's) and displays all the relevant information according to his ID. Let's use our own SQL query to get back the data we want--the usernames and passwords.




This is a short Excel table I created to help understand what the query is doing. It shows a table similar to a SQL database table. The first table is the original, which contains the information about the member. The second query is what we're entering. Instead of the query finding all of the relevant information within the original table, we're pointing it to the accounts table, and it reads the username and password columns and places them in the First and Last Name fields. The UNION operator is necessary because the original query, run when you click the link, selects five columns, so the query we append has to return five values as well. We fill the remaining three with zeroes so we don't get any funky error.
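To make the mechanics concrete, here is an added example (my own code, not anything from the post or the challenge site): the defect behind this page, a handler that splices the id into the SQL text, next to the same handler with a bound parameter, plus a check over access-log lines that flags the non-numeric id values this kind of probing leaves behind. The table and column names, the stored hash and the log lines are all constructed stand-ins, and the in-memory SQLite database replaces whatever the real site used.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed stand-ins for the challenge's two tables (names, columns and the
# hash value are assumptions); only the five-column SELECT shape matters.
SCHEMA = """
CREATE TABLE members (id INTEGER, first TEXT, last TEXT, role TEXT, email TEXT);
CREATE TABLE accounts (username TEXT, password TEXT);
INSERT INTO members VALUES (1, 'Sylvester', 'Stallone', 'admin', 'stallone@example.test');
INSERT INTO accounts VALUES ('stallone', 'HASH_PLACEHOLDER');
"""
# The five-column UNION the post describes: two real columns, three padded with 0.
UNION_PROBE = "' UNION SELECT username, password, 0, 0, 0 FROM accounts -- "
SAMPLE_LOG = [  # constructed access-log lines, Apache combined style
    '10.0.0.5 - - [12/Aug/2014:10:00:01 +0000] "GET /sch3/member-info.php?id=1 HTTP/1.1" 200 812',
    '10.0.0.5 - - [12/Aug/2014:10:00:09 +0000] "GET /sch3/member-info.php?id=%27 HTTP/1.1" 200 310',
    '10.0.0.5 - - [12/Aug/2014:10:00:20 +0000] "GET /sch3/member-info.php?id=%27+UNION+SELECT+1,2,3,4,5-- HTTP/1.1" 200 650',
]

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def member_info_vulnerable(conn, member_id):
    # The id is spliced into the SQL text, the defect the challenge has: a quote
    # in the input ends the string literal and the rest is parsed as SQL.
    sql = f"SELECT id, first, last, role, email FROM members WHERE id = '{member_id}'"
    return conn.execute(sql).fetchall()

def member_info_safe(conn, member_id):
    # Bound parameter: the value travels separately from the statement, so a
    # quote or UNION inside it is only ever compared against the id column.
    sql = "SELECT id, first, last, role, email FROM members WHERE id = ?"
    return conn.execute(sql, (member_id,)).fetchall()

def run_both(conn, member_id):
    # Same input through both handlers; the vulnerable one's SQL error (the tell
    # the post looks for with a bare quote) is reported as a string.
    try:
        vuln = member_info_vulnerable(conn, member_id)
    except sqlite3.Error as exc:
        vuln = f"error: {exc}"
    return {"vulnerable": vuln, "safe": member_info_safe(conn, member_id)}

def suspicious_id_requests(log_lines):
    # Detection: id is meant to be an integer, so a member-info.php request whose
    # id is not all digits (the %27 probe, a UNION, ...) is flagged with its client IP.
    flagged = []
    for line in log_lines:
        url = urlsplit(line.split('"')[1].split()[1])  # path from "GET /path HTTP/1.1"
        if url.path.endswith("/member-info.php"):
            for value in parse_qs(url.query, keep_blank_values=True).get("id", []):
                if not value.isdigit():
                    flagged.append((line.split()[0], value))
    return flagged
```

Running the bare quote and the UNION through both handlers shows the whole post in miniature: the spliced version errors on the quote and hands back the accounts row on the UNION, while the bound version returns nothing for either because the input never becomes SQL.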





Here we get out the username, the hashed password, and the three 0s we also asked for. You can crack the hash at any basic hash cracking website. I just did a quick Google search and found hashkiller:



And there you go, the password for stallone is fire!
