old-51 -- SQLi (Binary MD5)

URL: https://webhacking.kr/challenge/bonus-13/ (source: https://webhacking.kr/challenge/bonus-13/?view_source=1)

(screenshot: old-51.png)
```php
<?php
include "../../config.php";
if ($_GET["view_source"]) {
    view_source();
}
...
<?php if ($_POST["id"] && $_POST["pw"]) {
    $db = dbconnect();
    $input_id = addslashes($_POST["id"]);
    $input_pw = md5($_POST["pw"], true);
    $result = mysqli_fetch_array(
        mysqli_query(
            $db,
            "select id from chall51 where id='{$input_id}' and pw='{$input_pw}'"
        )
    );
    if ($result["id"]) {
        solve(51);
    }
    if (!$result["id"]) {
        echo "<center><font color=green><h1>Wrong</h1></font></center>";
    }
} ?>
...
```

The authentication code looks fine, with one weakness: md5($_POST["pw"], true).

If we look at the PHP manual for the md5 function, we see that the second argument enables binary mode: md5 returns the raw 16-byte digest instead of the 32-character hex string.

(screenshot: old-51-1.png)

As you can see, the raw binary digest can contain any byte value, and one of those bytes may be a single quote.

SQL injection with raw MD5 hashes (Leet More CTF 2010 injection 300)

The author of the post successfully managed to get in with this method 👀

(screenshot: old-51-2.png)

The password is not passed through addslashes, so if the raw digest contains the bytes '=' the condition becomes pw='FALSE_VALUE'='FALSE_VALUE', which MySQL evaluates as true: (pw='FALSE_VALUE') is 0, and comparing 0 with a non-numeric string casts the string to 0, so 0=0 holds and we should be able to get in.

Using admin:1839431 we are able to log in as admin (or any user).
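To make the weakness concrete, here is an added Python example (not the challenge's PHP, nor the writeup author's code) that assembles the query the same way chall51 does and checks whether a raw digest can break out of the quoted pw literal, against the hex form PHP returns when md5() is called without the second argument; the table and column names come from the challenge source.

```python
import hashlib
import re

# Added example in Python (not the challenge's PHP and not the author's code).
# It mirrors how chall51 assembles its query and checks whether the raw digest
# can break out of the quoted pw literal, versus the hex form PHP returns
# when md5() is called without the second argument.


def raw_digest(pw: str) -> bytes:
    """Equivalent of PHP md5($pw, true): the raw 16-byte digest."""
    return hashlib.md5(pw.encode()).digest()


def hex_digest(pw: str) -> str:
    """Equivalent of PHP md5($pw): 32 characters drawn only from [0-9a-f]."""
    return hashlib.md5(pw.encode()).hexdigest()


def vulnerable_query(user: str, pw: str) -> bytes:
    """Assemble the statement the way the challenge does, as bytes, since PHP
    strings are byte strings and the raw digest is spliced in unescaped."""
    return (b"select id from chall51 where id='" + user.encode()
            + b"' and pw='" + raw_digest(pw) + b"'")


# Bytes that end or escape a single-quoted MySQL string literal.
SQL_LITERAL_BREAKERS = (b"'", b"\\", b"\x00")


def raw_digest_breaks_literal(pw: str) -> bool:
    """True if the raw digest would alter the SQL syntax around pw='...'."""
    raw = raw_digest(pw)
    return any(b in raw for b in SQL_LITERAL_BREAKERS)


def hex_digest_is_inert(pw: str) -> bool:
    """The hex form cannot contain a quote, backslash or NUL, so it cannot
    change the query structure even when interpolated (a prepared statement
    with a bound parameter is still the right fix)."""
    return re.fullmatch(r"[0-9a-f]{32}", hex_digest(pw)) is not None


def breaking_rate(limit: int) -> float:
    """Fraction of the passwords '0'..'limit-1' whose raw digest breaks the
    literal; each of the 16 bytes is one of the 3 breaker bytes with
    probability 3/256, so roughly 17% of inputs do."""
    hits = sum(raw_digest_breaks_literal(str(i)) for i in range(limit))
    return hits / limit
```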


Idk why, but I also decided to generate an ASCII one too.
