Security Challenge VI

h57xiucj2z946q · 21-10-2011 11:46pm #1

Did this one up quickly based on a previous one (not as difficult though!). Some may recognize it. Hope there are no bugs :P

http://damo.clanteam.com/sch6/

Usual rules:
- Find weaknesses and flaws in the website design.
- Find a way to enter your name on the hall of fame based on these weaknesses and flaws.

- Do NOT hammer the web-server, there is no need to run port/vulnerability scanners or web brute forcers against the server. It's not needed and won't help for this challenge.
- Any abusing the challenge will result in it been took offline.

dlofnep · 22-10-2011 1:05am

Thanks Damo, giving it a look now

endz · 22-10-2011 10:27am

Thanks, will have a look later.

dlofnep · 23-10-2011 12:55am

That was pretty tough. Thanks!

Sigtran · 23-10-2011 11:03am

Thanks Damo

will have a look next week, if its still up -))

h57xiucj2z946q · 23-10-2011 2:37pm

Anyone need hints?

pacquiao · 23-10-2011 7:08pm

Going to give it a bash now

pacquiao · 23-10-2011 8:31pm

Is this an

sql injection type challenge?

h57xiucj2z946q · 23-10-2011 8:45pm

pacquiao wrote: »

Is this an
sql injection type challenge?

yes

pacquiao · 23-10-2011 9:32pm

I'm not making any progress. I'll will try it again tomorrow

dlofnep · 23-10-2011 9:41pm

To be fair - you probably won't make anymore progress without more hints.

It doesn't involve SQLi in it's traditional sense through normal attack vectors.

There's a few things to figure out. The challenge is quite difficult. Don't be afraid to ask for hints or tips - I needed a few myself to get past it.

h57xiucj2z946q · 24-10-2011 10:43am

Remember me!

dlofnep · 24-10-2011 3:57pm

I think they'll probably have figured that much out already

h57xiucj2z946q · 24-10-2011 4:23pm

+SQLi me!.. cookie style

dlofnep · 25-10-2011 2:53pm

Damo, perhaps if you removed that last 5% of the challenge - it might give people a better chance at getting it. I think it might be throwing alot of people off otherwise. I know it did for me.

h57xiucj2z946q · 25-10-2011 4:01pm

Strong hint:

http://www.yaboukir.com/cookie-based-sql-injection/

Redshift · 25-10-2011 6:56pm

I Have few mins to look at this tonight

Am I right in thinking another value also has to be recalculated to achieve this?

h57xiucj2z946q · 25-10-2011 10:08pm

kinda, should be straight forward when you spot what it is.

Redshift wrote: »

I Have few mins to look at this tonight
Am I right in thinking another value also has to be recalculated to achieve this?

Redshift · 26-10-2011 12:19am

Thanks Damo, I didn't really get to look at it tonight

The joys on being on call :rolleyes:

h57xiucj2z946q · 26-10-2011 10:36am

Redshift wrote: »

Thanks Damo, I didn't really get to look at it tonight
The joys on being on call :rolleyes:

http://en.wikipedia.org/wiki/Category:Checksum_algorithms

pacquiao · 26-10-2011 1:34pm

I'll give it another shot tonight.

h57xiucj2z946q · 26-10-2011 4:12pm

People having trouble with commenting out, use: "-- ". (without the double quotes, note the space) Note: something is bound to trim() that whitespace, even your base64 encoder might!, therefore to be honest, its probably just easier to use something like "-- --" or "-- blah" instead for commenting out, then you don't need to worry about whitespaces.

Also base64 encoders, make sure you decode your encode to check it stays the same, seen some encoders on some websites escape certain chars e.g. ' goes to \'.

h57xiucj2z946q · 27-10-2011 10:32am

Are these hints helping anyone?

dlofnep · 28-10-2011 2:46pm

They helped me just fine

h57xiucj2z946q · 30-10-2011 3:28pm

I dropped more hints onto: http://http://damo.clanteam.com/sch6/ you see them after you log in (tick remember me), look at page source.

Also:

"-- --" or "-- x"

Razzuh · 31-10-2011 6:57pm

harhar! I finally got it. I'd never have got there without all the hints though! Those last two really helped in particular. Thanks for the challenge Damo, twas my first, a good learning experience.

h57xiucj2z946q · 31-10-2011 7:05pm

Razzuh wrote: »

harhar! I finally got it. I'd never have got there without all the hints though! Those last two really helped in particular. Thanks for the challenge Damo, twas my first, a good learning experience.

Nice one, glad you enjoyed it.

Razzen · 02-11-2011 1:23pm

finally! I was so close from day one, just stupid errors in my injection. Thanks for great challenge!

h57xiucj2z946q · 03-11-2011 12:43pm

https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/?src=search
http://crc32-checksum.waraxe.us/
http://base64-encoder-online.waraxe.us/

h57xiucj2z946q · 20-12-2011 1:08pm

Solution for http://damo.clanteam.com/sch6

- Create a user account
- Log in, tick remember me (this creates a local cookie)
- You are now logged in as your newly created user.

A log in would be similar to php sending a query of to SQL server similar to:

SELECT id, username, role FROM users WHERE username = 'dabomb' AND password = '0c2bd965e578e65d69ffb24b4603aab7602ce9373313f3cff09cdec8e12f5b5ea847e4d575080032de3c063e44bb81e25e9f23942a46295a237496f9eebb4a98'

Use Cookie Manager+ for Firefox or something to mess with the cookie that has been saved after logging in.

You may have noticed by trial and error experimenting or just by looking at the cookie values that:
- username is base64 encoded.
- password is SHA5-12'ed then base64 encoded
- checksum is a CRC32 on the username.

- Lets login as 'admin' by performing SQL injection by tampering with the cookie.

Use the username: admin'-- -- The -- -- is a comment for mysql. This way you can ignore the rest of the query. The double -- -- avoids any space trimming mysql, php or any other layer may perform.

To login as admin, you must produce a valid cookie.

base64 encode: admin'-- --
YWRtaW4nLS0gLS0=

CRC32: admin'-- --
B7C85F67

Ignore the password as the query will never get that far due to your commenting out (-- --).

Query may look similar to:

SELECT id, username, role FROM users WHERE username = 'admin'-- --' AND password = '0c2bd965e578e65d69ffb24b4603aab7602ce9373313f3cff09cdec8e12f5b5ea847e4d575080032de3c063e44bb81e25e9f23942a46295a237496f9eebb4a98'

Which really is now:

SELECT id, username, role FROM users WHERE username = 'admin'

Change your cookie with Cookie Manager+ or similar:

Go back to http://damo.clanteam.com/sch6 in your browser. Hit refresh (F5) and woo you are Now Admin.

Click on Members Only area. Now you can submit a name to hall of fame.

See:

So that's really it. I don't really think there is enough interest or demand in here for further challenges, so thanks to all did all the previous ones.

dlofnep · 20-12-2011 3:30pm

I'm appreciative of all the challenges you have designed Damo.

Security Challenge VI

Comments