
Blinded by the light (MySQL, Exploit)

Blinded by the light
Your mission is to extract an md5 password hash out of a database.
Your limit for this blind SQL injection is 128 queries.
Again you are given the source code of the vulnerable script, also as a highlighted version.
To restart the challenge, you are allowed to execute a reset.

4970342d42344c5657636c3d763f68637461772f6d6f632e65627574756f792e7777772f2f3a70747468
Good luck!
GeSHi'ed PHP code for vuln.php
<?php
########################
### Not vuln install ###
########################
 /**
 * Get the database object.
 * @return GDO_Database
 */
function blightDB(){
        static $db;
        if (!isset($db))
        {
                if (false === ($db = gdo_db_instance('localhost', BLIGHT_USER, BLIGHT_PASS, BLIGHT_DB)))                {
                        die('Cannot connect to db!');
                }
                $db->setVerbose(false);
                $db->setLogging(false);                $db->setDieOnError(false);
                $db->setEMailOnError(false);
        }
        return $db;
} 
/**
 * Create the challenge table if it does not exist yet.
 *
 * One row per session: the session id, a 32-character ASCII password column
 * (case-insensitive collation) and the number of attempts made so far.
 * @return true|false Result of the write query.
 */
function blightInstall()
{
        $columns = array(
                'sessid INT(11) UNSIGNED PRIMARY KEY NOT NULL',
                'password CHAR(32) CHARACTER SET ascii COLLATE ascii_general_ci NOT NULL',
                'attemp INT(11) UNSIGNED NOT NULL DEFAULT 0',
        );
        $query = 'CREATE TABLE IF NOT EXISTS blight (' . implode(', ', $columns) . ' ) ENGINE=myISAM';
        return blightDB()->queryWrite($query);
}
 
 
##################
### VULNERABLE #####################
/**
 * The vulnerable login function.
 *
 * Checks whether $password matches the secret stored for the current session.
 * NOTE(review): $password is interpolated straight into the SQL text below with
 * no escaping and no parameter binding - this is the injection sink of the
 * challenge, and since the caller only ever learns the boolean return value,
 * the injection is "blind". The two substring checks are a denylist: blocking
 * the table name keeps queries away from other sessions' rows and '/*' blocks
 * the comment opener, but a denylist is not a mitigation; the defensive fix
 * would be a prepared statement (or at minimum the driver's escape function)
 * applied to $password. The session id comes from GWF_Session rather than the
 * request, so it is not the caller-controlled part here (assumption: getID()
 * returns an integer - confirm against GWF_Session).
 * @param string $password The unescaped string :O
 * @return true|false */
function blightVuln($password)
{
        # Do not mess with other sessions!
        # Denylist only: rejects the table name (any case) and the '/*' sequence.
        if ( (strpos($password, '/*') !== false) || (stripos($password, 'blight') !== false) )        {
                return false;
        }
        
        $db = blightDB();        $sessid = GWF_Session::getSession()->getID();
        # Injection sink: $password lands unescaped inside the quoted literal.
        $query = "SELECT 1 FROM (SELECT password FROM blight WHERE sessid=$sessid) b WHERE password='$password'";
        # queryFirst() returning false (no row or query error) is the only signal exposed.
        return $db->queryFirst($query) !== false;
}
  
#####################
### Not vuln util ###
#####################
/**
 * Increment the attempt counter of the current session by one.
 *
 * $sessid is taken from the session object, not from the request, so the
 * interpolation here is not the player-controlled part of this file.
 * @return true|false Result of the write query.
 */
function blightCountUp()
{
        $db = blightDB();
        $sessid = GWF_Session::getSession()->getID();
        return $db->queryWrite("UPDATE blight SET attemp=attemp+1 WHERE sessid=$sessid");
}
/**
 * Overwrite the attempt counter of the current session.
 *
 * The value is cast to int before it reaches the query, so it cannot carry
 * SQL text into the statement.
 * @param int $attempt New counter value.
 * @return true|false Result of the write query.
 */
function blightSetAttempt($attempt)
{
        $db = blightDB();
        $sessid = GWF_Session::getSession()->getID();
        $count = (int)$attempt;
        return $db->queryWrite("UPDATE blight SET attemp=$count WHERE sessid=$sessid");
}
 /**
 * Reset counter and password.
 * @return true|false
 */
function blightReset(){
        $db = blightDB();
        $sessid = GWF_Session::getSession()->getID();
        $hash = GWF_Random::randomKey(32, 'ABCDEF0123456789');
        $query = "REPLACE INTO blight VALUES($sessid, '$hash', 0)";        return $db->queryWrite($query);
}
 
/**
 * Read the attempt counter of the current session.
 *
 * A missing row (or a failed query) is reported as -1 so that blightInit()
 * can tell "not initialised" apart from a genuine count of zero.
 * @return int Attempt count, or -1 when no row could be read.
 */
function blightAttemp()
{
        $db = blightDB();
        $sessid = GWF_Session::getSession()->getID();
        $row = $db->queryFirst("SELECT attemp FROM blight WHERE sessid=$sessid");
        return $row === false ? -1 : (int)$row['attemp'];
}
 
/**
 * Return the secret stored for the current session.
 *
 * Fetching the answer is charged as one attempt before the lookup runs.
 * @return string|false The stored password column, or false when no row exists.
 */
function blightGetHash()
{
        blightCountUp(); # costs one attempt

        $db = blightDB();
        $sessid = GWF_Session::getSession()->getID();
        $row = $db->queryFirst("SELECT password FROM blight WHERE sessid=$sessid");
        if ($row === false)
        {
                return false;
        }
        return $row['password'];
}
/**
 * Initialise the challenge for the current session.
 *
 * A negative count means blightAttemp() found no row for this session (or
 * the query failed), so the row is seeded with a fresh secret.
 * @return void
 */
function blightInit()
{
        if (blightAttemp() < 0)
        {
                blightReset();
        }
}
 
?> 
© 2011, 2012, 2013, 2014, 2015, 2016, 2017 and 2018 by Gizmore