Blinded by the lighter (MySQL, Exploit)
Blinded by the lighter
This challenge is the sequel to the "Blinded by the light" challenge.
Again your mission is to extract an md5 password hash out of the database.
This time your limit for this blind sql injection are 33 queries.
Also you have to accomplish this task 3 times consecutively, to prove you have solved the challenge.
You are also given the sourcecode of the vulnerable script, also as highlighted version.
To restart the challenge, you can execute a reset.
On the run to the great gig.
Thanks go out to dloser for his help in developing and testing the challenge.
Good luck!
Again your mission is to extract an md5 password hash out of the database.
This time your limit for this blind sql injection are 33 queries.
Also you have to accomplish this task 3 times consecutively, to prove you have solved the challenge.
You are also given the sourcecode of the vulnerable script, also as highlighted version.
To restart the challenge, you can execute a reset.
On the run to the great gig.
Thanks go out to dloser for his help in developing and testing the challenge.
Good luck!
GeSHi`ed PHP code for vuln.php
1 2 3 4 56 7 8 9 1011 12 13 14 1516 17 18 19 2021 22 23 24 2526 27 28 29 3031 32 33 34 3536 37 38 39 4041 42 43 44 4546 47 48 49 5051 52 53 54 5556 57 58 59 6061 62 63 64 6566 67 68 69 7071 72 73 74 7576 77 78 79 8081 82 83 84 8586 87 88 89 9091 92 93 94 9596 97 98 99 100101 102 103 104 105106 107 108 109 110111 112 113 114 115116 117 118 119 120121 122 123 124 125126 127 128 129 130131 132 133 134 135136 137 138 139 140141 142 143 144 145146 147 148 149 150151 152 153 154 155156 157 158 159 160161 162 163 164 165166 167 168 169 170171 172 173 174 175176 177 178 179 180181 182 183 184 185186 187 188 189 190191 192 193 194 195196 197 198 199 200201 202 203 204 205206 207 208 209 210211 212 213 214 215 | <?php ######################## ### Not vuln install ### ######################## /** * Get the database object. * @return GDO_Database */ function blightDB() { static $db; if (!isset($db)) { if (false === ($db = gdo_db_instance('localhost', BLIGHT2_USER, BLIGHT2_PASS, BLIGHT2_DB))) { die('Cannot connect to db!'); } $db->setVerbose(false); $db->setLogging(false); $db->setEMailOnError(false); $db->setDieOnError(false); } return $db; } /** * Create the database table. * @return true|false */ function blightInstall(){ $db = blightDB(); $query = "CREATE TABLE IF NOT EXISTS blight (". "sessid INT(11) UNSIGNED PRIMARY KEY NOT NULL, ". "password CHAR(32) CHARACTER SET ascii COLLATE ascii_general_ci NOT NULL, ". "attemp INT(11) UNSIGNED NOT NULL DEFAULT 0 ". ") ENGINE=myISAM"; return $db->queryWrite($query); } ################## ### VULNERABLE ### ##################/** * The vulnerable login function. * @param string $password The unescaped string :O * @return true|false */function blightVuln($password) { # Do not mess with other sessions! if ( (strpos($password, '/*') !== false) || (stripos($password, 'blight') !== false) ) { return false; } $db = blightDB(); $sessid = GWF_Session::getSessSID(); $query = "SELECT 1 FROM (SELECT password FROM blight WHERE sessid=$sessid) b WHERE password='$password'"; return $db->queryFirst($query) !== false; } ##################### ### Not vuln util ### ##################### /** * Increase the attempt counter. * @return true|false */ function blightCountUp() { $db = blightDB(); $sessid = GWF_Session::getSessSID(); $query = "UPDATE blight SET attemp=attemp+1 WHERE sessid=$sessid"; return $db->queryWrite($query); } /** * Set the attempt counter. * @return true|false */ function blightSetAttempt($attempt){ $db = blightDB(); $attempt = (int)$attempt; $sessid = GWF_Session::getSessSID(); $query = "UPDATE blight SET attemp=$attempt WHERE sessid=$sessid"; return $db->queryWrite($query); } /** * Reset counter and password. * @return true|false */ function blightReset($consec=true) { if ($consec) { # Reset consecutive success counter. blightFailed(); } # Take a timestamp. GWF_Session::set('BLIGHT2_TIME_START', time()); # Generate a new hash. $db = blightDB(); $sessid = GWF_Session::getSessSID(); $hash = GWF_Random::randomKey(32, 'ABCDEF0123456789'); $query = "REPLACE INTO blight VALUES($sessid, '$hash', 0)"; return $db->queryWrite($query); } /** * Get the attempt counter. * @return int */function blightAttemp() { $db = blightDB(); $sessid = GWF_Session::getSessSID(); $query = "SELECT attemp FROM blight WHERE sessid=$sessid"; if (false === ($result = $db->queryFirst($query))) { return -1; } return (int)$result['attemp'];} /** * Get the correct solution. * This counts as one attempt. * @return string|false */ function blightGetHash() { blightCountUp(); # 1 attempt $db = blightDB(); $sessid = GWF_Session::getSessSID(); $query = "SELECT password FROM blight WHERE sessid=$sessid"; if (false === ($result = $db->queryFirst($query))) { return false; } return $result['password']; } /** * Init the challenge. * @return void */function blightInit() { $attempt = blightAttemp(); if ($attempt < 0) { blightReset(false); } } ############## NEW ### ########### /** * You successfully hacked it one time. * But return false if you need a few more consecutive hacks to solve the chall. * @return true|false */ function blightSolved() { $solvecount = GWF_Session::getOrDefault('BLIGHT2_CONSECUTIVE', 0); $solvecount++; blightReset(false); if ($solvecount >= BLIGHT2_CONSEC) { GWF_Session::remove('BLIGHT2_CONSECUTIVE'); return true; } GWF_Session::set('BLIGHT2_CONSECUTIVE', $solvecount); return false; } /** * Reset consecutive success counter. * @return void */ function blightFailed() { GWF_Session::set('BLIGHT2_CONSECUTIVE', 0); } /** * Check if you were too slow. * @return true|false */ function blightTimeout() { if (false === ($start = GWF_Session::getOrDefault('BLIGHT2_TIME_START', false))) { return true; } else { return (time() - $start) > BLIGHT2_TIME; } } ?> |
© 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023 and 2024 by kwisatz