We have a simple form with login and password. There is an SQL injection, but a WAF blocks any attempt to bypass it. First step to solve this task was to reveal the contents of the script by requesting index.phps:
<?php
include 'flag.php';
if(!isset($_POST['username']) || !isset($_POST['password'])) {
print <<<FORM
<form method=POST>
<input type=text name=username></input>
<input type=password name=password></input>
<input type=submit></input>
</form>
FORM;
die;
}
$this_is_baaad = array("union", "select", "from", "where", "join", "sleep", "benchmark", ",", "(", ")");
foreach($this_is_baaad as $srsly) {
if(stripos($_POST['username'], $srsly) !== false) {
print "Do not try to trick me!";
die;
}
}
$q = mysql_query("SELECT * FROM users WHERE username = '{$_POST['username']}'");
if(mysql_num_rows($q) == 1) {
$user = mysql_fetch_array($q);
if($user['password'] == $_POST['password']) {
print $flag;
} else {
print "Login failed!";
}
} else {
print "Login failed!";
}
The first thing we see is that the password does not get into the SQL query, so we need to use at least UNION, but it is blocked. Guys from PPP tried time delaying heavy queries that do not rely on sleep() or becnhmark(), however the right way to solve this task is as follows. Firstly, one notices that passwords are compared using == operator, and secondly the GROUP operator is not filtered. In MySQL this operator can be used with some interesting modifier: WITH ROLLUP
The GROUP BY clause permits a WITH ROLLUP modifier that causes extra rows to be added to the summary output.
If you use column password on GROUP BY WITH ROLLUP, you will get an extra empty row. And as NULL and empty string if compared with operator == are equal it is possible to bypass the authorization using the following query:
admin' GROUP BY password WITH ROLLUP LIMIT 1,1-- -
