Write-Up Advent of CTF 2020 Challenge 5
Overview
The NOVI University Of Applied Sciences is offering an Advent CTF challenge for December 2020.
The CTF is created by our community member of the Hackdewereld.nl and Chief Lecturer for Cyber Security at the NOVI University, Arjen Wiersma. If you want to participate in these CTF challenges, you can create an account on the website https://www.adventofctf.com
.
Challenge 5
- Description: Again a login form stands in your way. What powerful ‘hacker’ tool will help you proceed?
- 500 points
Let’s start with the fifth challenge! After entering the CTF URL, I got redirected to a login page. At the bottom of the login form, there is the message visible: A classic, with a twist.
When I come across a login form, I try a basic SQL Injection, by first placing a single quote (‘) in the login form. Then, I try to use this SQL Injection:
username: ' OR '1'='1';
password: ' OR '1'='1';
There is a MySQL error visible. This login form is vulnerable for SQL Injection.
Most websites have a connection to a MySQL database at the back-end. This MySQL stores information that can be requested by the website at the front-end to show the information to the requester. The usernames and passwords are also stored in this database. If the programmer did not securely build the code on the website, an attacker can manipulate the MySQL query from the website to the MySQL database, it allows an attacker to view data that they are not normally able to retrieve.
A basic query, for a login form, can be as follows:
1
SELECT * FROM users where username='admin' and password='mypassword'
As I already said, this login form is vulnerable for SQL Injection. The data I put in the form, evaluates to the SQL query:
1
SELECT * FROM users where username='admin' AND TRUE
It takes the row where the username is admin
and says that the password is always TRUE. But, I receive an SQL error, so I have to find an another way to login to this server.
Solution
I tried some SQL injections but received SQL errors. After trying further, the solution is to comment out the SQL query, before it evaluates the password. So, I filled in the username admin' --
Space after the comment is intended, read here the explanation on the knowledgebase of MariaDB: https://mariadb.com/kb/en/comment-syntax/. It doesn’t matter which password you will use, because that part will be handled as a comment.
With this payload, the actual query will be:
1
SELECT * FROM users where username='admin'-- and password='mypassword'
After hitting the ‘Submit’ button, I’m logged in and can retrieve the flag: NOVI{th3_classics_with_a_7wis7}
.
Thanks for reading!