webhacking.kr - 0ldzombie challenge writeup 7

Aug 8, 2015 • webchallenges, 0ldzombie

So here we are, at level 7. One defect with this challenge site is that since this is not in the increasing order of difficulty, we cannot say that challenges will get more difficult as we crack more since that is how usual challenge sites works!

Note: I am putting up the write up so that if you are not able to complete the challenges after trying for awhile, you can refer to the solution to see how I did it. Please don’t look into the solution before you try out the challenges by yourself.

Challenge 7

Now let us look into challenge 7. In the source file, you can immediately understand that the challenge is to inject SQL !

<?
$answer = "????";

$go=$_GET[val];

if(!$go) { echo("<meta http-equiv=refresh content=0;url=index.php?val=1>"); }

$ck=$go;

$ck=str_replace("*","",$ck);
$ck=str_replace("/","",$ck);

echo("<html><head><title>admin page</title></head><body bgcolor='black'><font size=2 color=gray><b><h3>Admin page</h3></b><p>");

if(eregi("--|2|50|\+|substring|from|infor|mation|lv|%20|=|!|<>|sysM|and|or|table|column",$ck)) exit("Access Denied!");

if(eregi(' ',$ck)) { echo('cannot use space'); exit(); }

$rand=rand(1,5);

if($rand==1)
{
$result=@mysql_query("select lv from lv1 where lv=($go)") or die("nice try!");
}

if($rand==2)
{
$result=@mysql_query("select lv from lv1 where lv=(($go))") or die("nice try!");
}

if($rand==3)
{
$result=@mysql_query("select lv from lv1 where lv=((($go)))") or die("nice try!");
}

if($rand==4)
{
$result=@mysql_query("select lv from lv1 where lv=(((($go))))") or die("nice try!");
}

if($rand==5)
{
$result=@mysql_query("select lv from lv1 where lv=((((($go)))))") or die("nice try!");
}

$data=mysql_fetch_array($result);
if(!$data[0]) { echo("query error"); exit(); }
if($data[0]!=1 && $data[0]!=2) { exit(); }

if($data[0]==1)
{
echo("<input type=button style=border:0;bgcolor='gray' value='auth' onclick=
alert('Access_Denied!')><p>");
echo("<!-- admin mode : val=2 -->");
}

if($data[0]==2)
{
echo("<input type=button style=border:0;bgcolor='gray' value='auth' onclick=
alert('Congratulation')><p>");
@solve();
}

?>

You can see clearly see that some common keywords from SQL are filtered and if we use the same, we get the message Access Denied. But to my surprise the most used keywords in SQL, ie, select and union where not filtered. Also from the source code, we can successfully login as admin only if we get the value 2. So we simply have to select the value 2. But the main problem here was that spaces are filtered. Without spaces, its difficult to craft a correct query. So I just looked into some filter evading techniques and I came to know that un-printable characters will be taken as spaces in MYSQL.

So where ever I need space, I used %0a and this leads to a successful bypass. The payload looks like this:

http://webhacking.kr/challenge/web/web-07/index.php?val=13)%0Aunion%0aselect%0a(5-3

You might have to refresh the injection several times since this payload will work only if the rand value selected is 1. If you are lucky enough, you will get it at the first shot ;). Hope this helps !

Anirudh Anand

Head of Product Security & DevSecOps at @CRED_club | Application Security ♥ | CTF lover - @teambi0s | Security Trainer - @7asecurity | certs - eWDP, OSCP, OSWE