Write-up – Secuinside 2012 – yhsj
I just wanted to make a quick post about how I managed to break into the yhsj challenge we got at Secuinside CTF 2012 (which I did with Big-Daddy), since I saw quite complicated solutions on several sites (example: http://tasteless.se/2012/06/secuinside-2012-prequals-ctf-web-writeup-beast-yhsj; by the way, I suggest you take a look at their other solutions, some are quite interesting 😉).
Here’s the source part I’ll talk about:
```php
// 1. Existence check on the RAW, untrimmed id (also interpolated unescaped into the query)
$ck=@mysql_fetch_array(mysql_query("select id from talk where id='$_POST[jid]'"));
if($ck[0]) exit("<meta http-equiv=refresh content=0;url=index.php>");
// 2. Password is stored as md5("zombie_" . password)
$_POST[jpw]=md5("zombie_$_POST[jpw]");
// 3. The id is only canonicalised AFTER the check: trim() strips " \t\n\r\0\x0B"
$_POST[jid]=trim($_POST[jid]);
// 4. The trimmed id is what actually gets inserted
@mysql_query("insert into talk values('$_POST[jid]','$_POST[jpw]','$_SERVER[REMOTE_ADDR]')");
echo("<script>alert('Done!');</script>");
```
If you look closely, the script first checks whether your user already exists in the db and, if not, inserts it. The trick I used is that the script calls trim() after that check, just before the insert. PHP's trim() strips leading and trailing whitespace (space, tab, newline, carriage return, NUL and vertical tab), but MySQL's comparison in the first query still treats a leading tab as part of the id, so "\tadmin" and "admin" are different strings to the db. All I had to do was register a user:
%09admin : anypassword (%09 is a URL-encoded tab character)
That's it: it bypasses the first check (%09admin doesn't exist), PHP strips the tab so the id becomes admin, and that is the value the insert stores, giving me an admin row with a password I know. Problem solved in five minutes flat 🙂
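To make the ordering bug concrete, here is an added example (not code from the challenge or from the original post) that ports the registration flow to Python over an in-memory SQLite table shaped like `talk`. It keeps the challenge's check-then-trim-then-insert order and the `md5("zombie_" . pw)` scheme, but uses parameterised queries, so only the trim bug remains. The seeded admin password, the `login()` check and the absence of a unique key on `id` are assumptions; the hardened `register_fixed()` shows the fix of canonicalising before the check.

```python
import hashlib
import sqlite3

# The six characters PHP's trim() strips when called with no second argument.
PHP_TRIM_CHARS = " \t\n\r\0\x0b"


def php_trim(s: str) -> str:
    """Port of PHP's default trim(): strip only what PHP strips (not e.g. NBSP)."""
    return s.strip(PHP_TRIM_CHARS)


def hash_pw(pw: str) -> str:
    """Same scheme as the challenge source: md5("zombie_" . $_POST[jpw])."""
    return hashlib.md5(("zombie_" + pw).encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Fresh in-memory table shaped like `talk`, pre-seeded with the real admin.

    Assumptions: no UNIQUE constraint on id, and a constructed admin password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE talk (id TEXT, pw TEXT, ip TEXT)")
    conn.execute("INSERT INTO talk VALUES (?, ?, ?)",
                 ("admin", hash_pw("real-admin-pass"), "10.0.0.1"))
    conn.commit()
    return conn


def register_vulnerable(conn: sqlite3.Connection, jid: str, jpw: str, ip: str) -> bool:
    """Same order of operations as the challenge: check the raw id, then trim, then insert.

    A leading tab makes the SELECT miss the existing admin row (byte-exact comparison),
    and trim() then turns the id back into plain 'admin' before it is stored."""
    if conn.execute("SELECT id FROM talk WHERE id = ?", (jid,)).fetchone():
        return False  # "already exists": the challenge redirects to index.php here
    jid = php_trim(jid)  # canonicalisation happens AFTER the check
    conn.execute("INSERT INTO talk VALUES (?, ?, ?)", (jid, hash_pw(jpw), ip))
    conn.commit()
    return True


def register_fixed(conn: sqlite3.Connection, jid: str, jpw: str, ip: str) -> bool:
    """Hardened version: canonicalise first, then check exactly the value that will be stored."""
    jid = php_trim(jid)
    if conn.execute("SELECT id FROM talk WHERE id = ?", (jid,)).fetchone():
        return False
    conn.execute("INSERT INTO talk VALUES (?, ?, ?)", (jid, hash_pw(jpw), ip))
    conn.commit()
    return True


def login(conn: sqlite3.Connection, jid: str, jpw: str) -> bool:
    """Assumed login check (the page does not show it): any row with matching id and hash."""
    row = conn.execute("SELECT id FROM talk WHERE id = ? AND pw = ?",
                       (jid, hash_pw(jpw))).fetchone()
    return row is not None


def rows_for(conn: sqlite3.Connection, jid: str) -> int:
    """Number of rows stored under a given (exact) id."""
    return conn.execute("SELECT COUNT(*) FROM talk WHERE id = ?", (jid,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(register_vulnerable(db, "admin", "x", "1.2.3.4"))    # refused: admin exists
    print(register_vulnerable(db, "\tadmin", "x", "1.2.3.4"))  # accepted: "\tadmin" is unknown
    print(rows_for(db, "admin"), login(db, "admin", "x"))      # two admin rows, attacker can log in
    db2 = make_db()
    print(register_fixed(db2, "\tadmin", "x", "1.2.3.4"))      # refused: trimmed before the check
```

Two things worth checking in your own code after reading this: the existence check and the insert must operate on the same canonicalised value (trim first, or better, reject ids that change under trim), and a UNIQUE key on `id` would have made the second insert fail outright. The original also interpolates `$_POST` straight into the SQL strings; the example uses placeholders so that injection, which the write-up does not need, is not what the demo relies on.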
I thought I had a smart solution, but you really pwned this one ^^
June 11, 2012 at 12:33 pm
W0W… you so crazy … T_T it’s very simple
June 11, 2012 at 2:45 pm
Impressive ❤
June 12, 2012 at 4:03 am