[MMA 2015] [Web – Login as Admin] Write Up

Description

Login as admin and retrieve the flag.
The flag is the admin’s password.
You can use test:test.

Resolution

There’s a basic login page with two fields, one for the user name and the other for the password.

When we log in with the password test, we land on a page with the message “You are the test user.” and a link to log out.

Nothing special here, so we will try and log in as admin with a classic SQL injection.

Assume the SQL authentication query looks like this:

SELECT login, password FROM users WHERE login='$login' AND password='$password'

Just sending “admin'--” in $login will identify us as admin without the password being checked, because everything after the -- is treated as a comment.

We are clearly identified as admin, but a message is added telling us that the flag is the admin’s password.

Let’s rework our injection so that the user name displayed after logging in is replaced with the admin’s password, using a UNION injection:

' UNION SELECT password,password FROM user WHERE user='admin'--

This executes:

SELECT login, password FROM users WHERE login='' UNION SELECT password,password FROM user WHERE user='admin'--' AND password='$password'

As the empty login “” does not exist, the original SELECT returns no rows, so the result comes entirely from our injected SELECT.
That injected SELECT puts the password in the column the page displays as the user name, so the password is shown instead.

Perfect!

Flag is: MMA{cats_alice_band}
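
Both injections work because the login value is pasted into the SQL text. The following is an added example, not code from the challenge: it reproduces the assumed query against a constructed in-memory SQLite database and puts a parameterized version of the same lookup beside it. The Python/sqlite3 setup, the function names and the sample admin password are assumptions; the table and column names follow the UNION payload above.

```python
import sqlite3

def make_db():
    # Constructed sample data; table/column names taken from the UNION payload.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (user TEXT PRIMARY KEY, password TEXT)")
    db.executemany(
        "INSERT INTO user VALUES (?, ?)",
        [("admin", "constructed-admin-secret"), ("test", "test")],
    )
    return db

def login_vulnerable(db, login, password):
    # Input becomes part of the SQL text, so a quote or "--" in it
    # changes the structure of the statement that gets executed.
    sql = (
        "SELECT user, password FROM user "
        "WHERE user='%s' AND password='%s'" % (login, password)
    )
    row = db.execute(sql).fetchone()
    # The page greets the visitor with the first column of the first row.
    return row[0] if row else None

def login_hardened(db, login, password):
    # Placeholders bind the input as data; the statement's structure is fixed
    # before any user-supplied value is seen.
    row = db.execute(
        "SELECT user FROM user WHERE user=? AND password=?",
        (login, password),
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    comment_payload = "admin'--"
    union_payload = ("' UNION SELECT password,password "
                     "FROM user WHERE user='admin'--")
    for name, fn in (("vulnerable", login_vulnerable),
                     ("hardened", login_hardened)):
        print(name, "test/test      ->", fn(db, "test", "test"))
        print(name, "comment payload ->", fn(db, comment_payload, "x"))
        print(name, "UNION payload   ->", fn(db, union_payload, "x"))
```

With bound parameters both payloads are compared as literal user names, match no row, and the login fails. The flag was recoverable at all only because the password is stored in clear text in the queried table.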
