Advent of CTF: Challenge 5 Write-Up

b1tsec
3 min read · Dec 5, 2020


This already marks the fifth challenge of the CTF calendar. The goal in this challenge was to bypass authentication to obtain the flag. Let’s get to it.

Figure 1: Challenge badge

Navigating to the URL, we are presented with the login form pictured below. The first thing that catches my eye is “Administrator login”, a strong indication that users with admin privileges are supposed to log in here. The next thing I notice is “A classic, with a twist”; from experience I know that SQLi is a very old technique used to bypass authentication.

Figure 2: Login page

There are many different types of SQL Injection. What I usually try first is to pass a single quote to the form fields to see whether it triggers a response from the back-end. In SQL the single quote character closes a string literal in the query, so if the application passes unsanitized user input into its query we can append our own SQL after the original statement. After passing a single quote to the username field, I’m presented with the error pictured below.

Figure 3: Error message

This error is an indication of Error-Based SQL Injection; if the error message had not shown up, we would have had to try other methods to identify the vulnerability. Error-based SQLi is an in-band SQL Injection technique that relies on error messages thrown by the database server to obtain information about the structure of the database. In some cases, Error-Based SQL Injection alone is enough for an attacker to enumerate an entire database. With this, and the “Administrator login”, in mind, we use some standard SQLi techniques to try to bypass the authentication. After trying a couple of payloads we get in with the payload pictured below.

Figure 4: Payload

First, let me quickly explain what’s happening here. My guess is that the back-end checks whether the username admin exists; because we insert a single quote character, the quoted string is closed early and we can append or 1=1. Because of the OR 1=1 condition, the WHERE clause matches every row, so the query returns the first id from the users table no matter what the username and password are. The first user id in a database is often the administrator. This way, we not only bypass authentication but also gain administrator privileges.
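To make the mechanism concrete, here is an added example that is not the challenge’s code: the query shape is the write-up’s guess at the back-end, the users table, the credentials and the payload string are constructed, and the same quote probe and OR 1=1 input are run against a string-built query and against a parameterised one.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table; row 1 is the administrator, as the write-up assumes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cret-admin"), ("alice", "alice-pw")])  # constructed, plaintext for the demo only
    return conn


def vulnerable_login(conn, username, password):
    """Assumed shape of the challenge back-end: user input spliced straight into the SQL text."""
    query = ("SELECT id, username FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchone()


def safe_login(conn, username, password):
    """Hardened version: a parameterised query, so input stays data and can never become SQL."""
    query = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def probe(conn, login, username, password):
    """Run one login attempt and classify the outcome the way a tester reads the response."""
    try:
        row = login(conn, username, password)
    except sqlite3.Error as exc:  # a back-end that shows this to the user gives the error-based signal
        return ("error", str(exc))
    return ("granted", row[1]) if row else ("denied", None)


def demo():
    """Quote probe and an OR 1=1 payload against both back-ends; returns the outcomes by name."""
    conn = make_db()
    payload = "admin' OR 1=1 --"  # constructed; the write-up's actual payload is only in its screenshot
    return {
        "quote_vuln": probe(conn, vulnerable_login, "'", "x")[0],        # "error": the Figure 3 situation
        "quote_safe": probe(conn, safe_login, "'", "x")[0],              # "denied": the quote is just data
        "or_vuln": probe(conn, vulnerable_login, payload, "wrong"),      # ("granted", "admin"): first row wins
        "or_safe": probe(conn, safe_login, payload, "wrong")[0],         # "denied"
        "real_creds": probe(conn, safe_login, "admin", "s3cret-admin"),  # ("granted", "admin")
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>11}: {outcome}")
```

The `--` in the constructed payload comments out the rest of the original query, which is why the password check never runs in the vulnerable version.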

Figure 5: Flag

A couple of takeaways from this challenge: first, never allow unsanitized user input to reach the back-end. Second, while error messages may come in handy during development of a web page, make sure not to include them in production systems.
