Webhacking and Security

Write-up – Secuinside 2012 – yhsj


I just wanted to make a quick post about how I managed to break into the yhsj challenge we got at Secuinside CTF 2012 (which I did with Big-Daddy), as I saw quite complicated solutions on multiple sites… (example: http://tasteless.se/2012/06/secuinside-2012-prequals-ctf-web-writeup-beast-yhsj; by the way, I suggest you take a look at their other solutions, some are quite interesting 😉 )

Here’s the source part I’ll talk about:

// existence check runs on the raw, untrimmed id (and interpolates it straight into the query)
$ck=@mysql_fetch_array(mysql_query("select id from talk where id='$_POST[jid]'"));
if($ck[0]) exit("<meta http-equiv=refresh content=0;url=index.php>");

$_POST[jpw]=md5("zombie_$_POST[jpw]");

// trim() only happens here, after the check and just before the insert
$_POST[jid]=trim($_POST[jid]);

@mysql_query("insert into talk values('$_POST[jid]','$_POST[jpw]','$_SERVER[REMOTE_ADDR]')");
echo("<script>alert('Done!');</script>");

If you look closely, the script first checks whether your user exists in the db and, if not, inserts it… What I used for my trick is that the script calls trim() after the check, just before the insert. PHP's trim() removes some characters that MySQL still treats as part of the value, so all I had to do was register a user:

%09admin : anypassword (%09 is a tab character)

That's it: it bypasses the first check (%09admin doesn't exist), PHP removes the tab so the id becomes admin, and that is what gets inserted. Problem solved in 5 minutes flat 🙂
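Here is an added Python/sqlite3 re-creation of that check-then-trim-then-insert ordering next to a fixed version (my own example, not the challenge code; sqlite stands in for MySQL, and the table schema and the use of a unique key are assumptions):

```python
import hashlib
import sqlite3

# PHP's trim() default strip set: space, tab, newline, CR, NUL, vertical tab.
PHP_TRIM_CHARS = " \t\n\r\0\x0b"

def make_db(unique_id):
    """In-memory stand-in for the challenge's 'talk' table (constructed schema)."""
    db = sqlite3.connect(":memory:")
    constraint = "primary key" if unique_id else ""
    db.execute(f"create table talk (id text {constraint}, pw text, ip text)")
    return db

def hash_pw(jpw):
    # Same salt-and-md5 shape as the challenge; md5 is kept only to mirror it.
    return hashlib.md5(f"zombie_{jpw}".encode()).hexdigest()

def register_vulnerable(db, jid, jpw, ip):
    """Challenge ordering: check the raw id, trim it, then insert."""
    if db.execute("select id from talk where id = ?", (jid,)).fetchone():
        return False                      # id already taken
    jid = jid.strip(PHP_TRIM_CHARS)       # normalisation after the check: the bug
    db.execute("insert into talk values (?, ?, ?)", (jid, hash_pw(jpw), ip))
    return True

def register_fixed(db, jid, jpw, ip):
    """Normalise first and let a unique key decide, not a racy pre-check."""
    jid = jid.strip(PHP_TRIM_CHARS)
    try:
        db.execute("insert into talk values (?, ?, ?)", (jid, hash_pw(jpw), ip))
    except sqlite3.IntegrityError:
        return False                      # duplicate id rejected by the database
    return True

def count_ids(db, jid):
    return db.execute("select count(*) from talk where id = ?", (jid,)).fetchone()[0]

def demo():
    """Register 'admin', then a tab-prefixed 'admin', against both versions."""
    vuln = make_db(unique_id=False)
    register_vulnerable(vuln, "admin", "s3cret", "10.0.0.1")
    dup = register_vulnerable(vuln, "\tadmin", "anypassword", "10.0.0.2")
    fixed = make_db(unique_id=True)
    register_fixed(fixed, "admin", "s3cret", "10.0.0.1")
    blocked = register_fixed(fixed, "\tadmin", "anypassword", "10.0.0.2")
    return dup, count_ids(vuln, "admin"), blocked, count_ids(fixed, "admin")

if __name__ == "__main__":
    print(demo())  # (True, 2, False, 1)
```

Parameterised queries also close the injection in the original's string-built SQL, which is a separate bug from the trim ordering.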

3 responses

  1. I thought I had smart solution, but you really pwned this one ^^

    June 11, 2012 at 12:33 pm

  2. W0W… you so crazy … T_T it’s very simple

    June 11, 2012 at 2:45 pm

  3. Balance

    Impressive ❤

    June 12, 2012 at 4:03 am
