Webhacking and Security

Write-up – Secuinside 2012 – yhsj

Image

I just wanted to make a quick post about how I managed to break into the yhsj challenge we got at Secuinside CTF 2012 (that I’ve done with Big-Daddy) as I saw on multiple site quite complicated solutions… (example : http://tasteless.se/2012/06/secuinside-2012-prequals-ctf-web-writeup-beast-yhsj, btw I suggest you to take a look at their other solutions, some are quite interesting😉 )

Here’s the source part I’ll talk about:

$ck=@mysql_fetch_array(mysql_query(“select id from talk where id=’$_POST[jid]'”));

if($ck[0]) exit(“<meta http-equiv=refresh content=0;url=index.php>”);

$_POST[jpw]=md5(“zombie_$_POST[jpw]”);

$_POST[jid]=trim($_POST[jid]);

@mysql_query(“insert into talk values(‘$_POST[jid]’,’$_POST[jpw]’,’$_SERVER[REMOTE_ADDR]’)”);
echo(“<script>alert(‘Done!’);</script>”);

 If you look closely, the script is checking first if your user exist in the db, if not it insert it… What I used for my trick is that the script is doing trim(); after the check, just before the insert. Actually php’s trim() remove some character that are still detected by mysql, all I got to do is register an user:

%09admin : anypassword (%09 is a tabulation)

That’s it, it bypass the first check (%09admin don’t exist), php removes it, so it becomes admin, then includes it, problem solved in 5mn top chrono🙂

3 responses

  1. I thought I had smart solution, but you really pwned this one ^^

    June 11, 2012 at 12:33 pm

  2. W0W… you so crazy … T_T it’s very simple

    June 11, 2012 at 2:45 pm

  3. Balance

    Impressive❤

    June 12, 2012 at 4:03 am

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s