
Blinded by the lighter (MySQL, Exploit)

Blinded by the lighter
This challenge is the sequel to the "Blinded by the light" challenge.
Again your mission is to extract an md5 password hash out of the database.
This time your limit for this blind SQL injection is 33 queries.
Also you have to accomplish this task 3 times consecutively, to prove you have solved the challenge.
You are also given the source code of the vulnerable script, also as a highlighted version.
To restart the challenge, you can execute a reset.
On the run to the great gig.
Thanks go out to dloser for his help in developing and testing the challenge.

Good luck!
GeSHi'ed PHP code for vuln.php
<?php
########################
### Not vuln install ###
########################
/**
 * Get the database object.
 *
 * The connection is opened once and cached in a function-static variable, so
 * every later call hands back the same GDO_Database instance. A failed connect
 * terminates the script outright. Four reporting switches are turned off on
 * the fresh connection -- presumably so that query failures come back to the
 * callers as a plain false instead of being printed, logged or mailed
 * (GDO_Database semantics; confirm against the framework).
 *
 * @return GDO_Database
 */
function blightDB()
{
    static $connection = null;

    if ($connection !== null)
    {
        return $connection;
    }

    $connection = gdo_db_instance('localhost', BLIGHT2_USER, BLIGHT2_PASS, BLIGHT2_DB);
    if ($connection === false)
    {
        die('Cannot connect to db!');
    }

    # Quiet mode for the challenge connection.
    $connection->setVerbose(false);
    $connection->setLogging(false);
    $connection->setEMailOnError(false);
    $connection->setDieOnError(false);

    return $connection;
}
 /**
 * Create the database table.
 * @return true|false
 */
function blightInstall(){
        $db = blightDB();
        $query =
                "CREATE TABLE IF NOT EXISTS blight (".
                "sessid INT(11) UNSIGNED PRIMARY KEY NOT NULL, ".                "password CHAR(32) CHARACTER SET ascii COLLATE ascii_general_ci NOT NULL, ".
                "attemp INT(11) UNSIGNED NOT NULL DEFAULT 0 ".
                ") ENGINE=myISAM";
        return $db->queryWrite($query);
} 
 
##################
### VULNERABLE ###
##################
/**
 * The vulnerable login function.
 *
 * Checks whether $password equals the hash stored for the current session.
 * The value is interpolated into the SQL text unescaped -- that is the
 * deliberate weakness of this challenge. Two substrings are refused before
 * any query runs: a comment opener and, case-insensitively, the table name,
 * so that a payload cannot touch rows belonging to other sessions.
 *
 * Mitigation in real code: bind $password as a prepared-statement parameter
 * (or at least escape it with the driver's quoting function) so that the
 * comparison is always made against the literal string.
 *
 * @param string $password The unescaped string :O
 * @return true|false
 */
function blightVuln($password)
{
    # Do not mess with other sessions!
    if (strpos($password, '/*') !== false)
    {
        return false;
    }
    if (stripos($password, 'blight') !== false)
    {
        return false;
    }

    $db = blightDB();
    $sessid = GWF_Session::getSessSID();

    # INJECTION POINT: $password goes into the statement verbatim.
    # $sessid comes from the framework session, not from the request; it is
    # interpolated unquoted, so it is assumed to be numeric -- confirm.
    $query = "SELECT 1 FROM (SELECT password FROM blight WHERE sessid={$sessid}) b WHERE password='{$password}'";

    # Any returned row counts as a match.
    return false !== $db->queryFirst($query);
}
 
 #####################
### Not vuln util ###
#####################
/**
 * Increase the attempt counter.
 *
 * Adds one to the attemp column of the current session's row.
 *
 * @return true|false
 */
function blightCountUp()
{
    $db = blightDB();
    $sessid = GWF_Session::getSessSID();
    # $sessid is a session value, not request input; interpolated unquoted,
    # so it is assumed numeric -- confirm.
    return $db->queryWrite("UPDATE blight SET attemp=attemp+1 WHERE sessid={$sessid}");
}
 /**
 * Set the attempt counter.
 * @return true|false
 */
function blightSetAttempt($attempt){
        $db = blightDB();
        $attempt = (int)$attempt;
        $sessid = GWF_Session::getSessSID();
        $query = "UPDATE blight SET attemp=$attempt WHERE sessid=$sessid";        return $db->queryWrite($query);
}
 
/**
 * Reset counter and password.
 *
 * Optionally clears the consecutive-success streak, records the start time
 * in the session, then writes a fresh 32-character uppercase-hex hash with an
 * attempt count of zero for the current session (REPLACE, so an existing row
 * is overwritten).
 *
 * @param bool $consec Also reset the consecutive success counter.
 * @return true|false
 */
function blightReset($consec = true)
{
    if ($consec)
    {
        # Reset consecutive success counter.
        blightFailed();
    }

    # Take a timestamp.
    GWF_Session::set('BLIGHT2_TIME_START', time());

    # Generate a new hash.
    $db = blightDB();
    $sessid = GWF_Session::getSessSID();
    $fresh = GWF_Random::randomKey(32, 'ABCDEF0123456789');
    $row = "REPLACE INTO blight VALUES({$sessid}, '{$fresh}', 0)";
    return $db->queryWrite($row);
}
/**
 * Get the attemp counter.
 *
 * @return int The counter for the current session, or -1 when queryFirst()
 *             returned false for it.
 */
function blightAttemp()
{
    $db = blightDB();
    $sessid = GWF_Session::getSessSID();
    $row = $db->queryFirst("SELECT attemp FROM blight WHERE sessid={$sessid}");
    # -1 is the value blightInit() keys off to create the session's row.
    return ($row === false) ? -1 : (int)$row['attemp'];
}
 
/**
 * Get the correct solution.
 * This counts as one attemp.
 *
 * @return string|false The stored hash, or false when the row could not be read.
 */
function blightGetHash()
{
    blightCountUp(); # 1 attemp

    $db = blightDB();
    $sessid = GWF_Session::getSessSID();
    $row = $db->queryFirst("SELECT password FROM blight WHERE sessid={$sessid}");
    if ($row === false)
    {
        return false;
    }
    return $row['password'];
}
/**
 * Init the challenge.
 *
 * Creates the session's row (through a reset that leaves the consecutive
 * counter untouched) when no attempt counter can be read yet.
 *
 * @return void
 */
function blightInit()
{
    if (blightAttemp() < 0)
    {
        blightReset(false);
    }
}
 
############## NEW ###
###########
/**
 * You successfully hacked it one time.
 * But return false if you need a few more consecutive hacks to solve the chall.
 *
 * Every call resets hash and counter; the streak lives in the session under
 * BLIGHT2_CONSECUTIVE and is dropped once BLIGHT2_CONSEC is reached.
 *
 * @return true|false
 */
function blightSolved()
{
    $streak = GWF_Session::getOrDefault('BLIGHT2_CONSECUTIVE', 0);
    $streak += 1;

    blightReset(false);

    if ($streak < BLIGHT2_CONSEC)
    {
        GWF_Session::set('BLIGHT2_CONSECUTIVE', $streak);
        return false;
    }

    GWF_Session::remove('BLIGHT2_CONSECUTIVE');
    return true;
}
 
/**
 * Reset consecutive success counter.
 *
 * Writes a zero streak into the session, so the next blightSolved() starts over.
 *
 * @return void
 */
function blightFailed()
{
    $streakKey = 'BLIGHT2_CONSECUTIVE';
    GWF_Session::set($streakKey, 0);
}
 
/**
 * Check if you were too slow.
 *
 * True when no start time is recorded in the session at all, or when more
 * than BLIGHT2_TIME seconds have passed since it.
 *
 * @return true|false
 */
function blightTimeout()
{
    $started = GWF_Session::getOrDefault('BLIGHT2_TIME_START', false);
    if ($started === false)
    {
        return true;
    }
    $elapsed = time() - $started;
    return $elapsed > BLIGHT2_TIME;
}
?>
 
Password:
Solution:
© 2011, 2012, 2013, 2014, 2015, 2016, 2017 and 2018 by kwisatz