I found myself writing up a test for a Security Auditor at the company where I work, and while doing this I found a CTF challenge that I still cannot solve.

I figured it would be good to ask you guys to see what you think.

The link is https://2013.picoctf.com/problems/php3/

The description of the test says to pay attention to how the md5 function is used, especially the last parameter set to true.

The snippet reads:

$pass = md5($_POST[pass], True);   // raw 16-byte digest: each byte can take any value, including quote characters
$query = @mysql_fetch_array(mysql_query("select user from php3 where (user='$user') and (pw='$pass')"));   // $user and $pass are spliced into the SQL text unescaped

And the md5() with true at the end means md5 will return the raw representation rather than the string representation:

If the optional raw_output is set to TRUE, then the md5 digest is instead returned in raw binary format with a length of 16.

Taking this into consideration, do you have any idea what the procedure to pass this test is?

I guess it has something to do with the way MySQL will compare a string with a binary representation, i.e. something similar to "Why md5('240610708') is equal to md5('QNKCDZO')?" and related to the float comparison described in http://dev.mysql.com/doc/refman/5.7/en/type-conversion.html

mysql> SELECT '18015376320243458' = 18015376320243458;
-> 1
mysql> SELECT '18015376320243459' = 18015376320243459;
-> 0

Can you help me understand this challenge?

Nico Andrade
  • don't use `mysql_` functions, they are deprecated – Blueblazer172 Nov 09 '16 at 16:41
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! ***SQL Injection!*** *It's not just for breakfast any more!* – Jay Blanchard Nov 09 '16 at 16:42
  • ***You shouldn't use [SHA1 password hashes](https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1)*** or ***[MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Nov 09 '16 at 16:42

2 Answers

It's a simple SQL injection. Try this as the username:

admin') #

# will ignore the rest of the query (it turns it into a comment)

Nima Ghotbi
  • Thanks for the prompt reply! I saw that, but disregarded it because the challenge description said "watch at the md5 2nd parameter and how it's used", so I focused on that, assuming the actual challenge was not the injection with # (which was pretty obvious). I guess I should have mentioned that in my question. Anyways, thanks! – Nico Andrade Nov 09 '16 at 17:00
  • I don't get it... what's the funny part? – Nima Ghotbi Nov 09 '16 at 17:00

mysql> SELECT user from php3 where (user='admin') and (pw=0e55555555555555);

will return the desired data.

Stephen Rauch
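Both answers exploit the same root cause in the challenge snippet: user-controlled values (the username, and the raw md5 bytes, which can take any byte value including the quote character) are spliced directly into the SQL text, and the password comparison is left to MySQL, whose string-to-number coercion makes `pw = 0e55555555555555` match any non-numeric string. The following is an added example, not code from the picoCTF challenge or from either answer, showing the same login written so that neither the `admin') #` username nor the numeric-coercion comparison can succeed. The table name `users`, the column names, the PDO DSN and the credentials are assumptions.

```php
<?php
// Added example: hardened version of the challenge's login check.
// Table/column names, DSN and credentials are assumed, not from the challenge.
declare(strict_types=1);

// Registration: store a salted, slow hash instead of md5(). password_hash()
// returns a printable ASCII string, so raw binary never reaches the query.
function register(PDO $db, string $user, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (user, pw) VALUES (:user, :pw)');
    $stmt->execute([':user' => $user, ':pw' => $hash]);
}

// Login: the username travels as a bound parameter and is never part of the
// SQL text, so a quote, `#` or `--` inside it is plain data and cannot close
// the string literal or comment out the rest of the statement.
function login(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT pw FROM users WHERE user = :user');
    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // The hash comparison happens in PHP with a constant-time check, not in
    // SQL, so MySQL's string-to-number coercion never takes part in it.
    return password_verify($password, $row['pw']);
}

$db = new PDO('mysql:host=localhost;dbname=php3_fixed', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // keep prepares server-side
]);

register($db, 'admin', 'correct horse battery staple');

foreach ([['admin', 'correct horse battery staple'], ["admin') #", 'anything']] as [$u, $p]) {
    echo $u, ': ', login($db, $u, $p) ? "login ok\n" : "login denied\n";
}
```

With emulated prepares switched off, the SQL text and the parameter values are sent to the server separately, so there is no escaping step to get wrong. Keeping the password comparison in `password_verify()` rather than in the `WHERE` clause also removes the type-coercion path the second answer relies on: the database only ever compares the username, as a string, against a string column.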