CTFtime.org

products manager

by aaditya_purani / UTC

Rating:

# Products Manager

100 Points - 431 Solves

```
Come play with our products manager application!

http://challenges.fbctf.com:8087
```

## Solution:

I downloaded the source code, and took a look into an interesting function `validate_secret` in `add.php`.

```php
function validate_secret($secret) {
if (strlen($secret) < 10) {
return false;
}
$has_lowercase = false;
$has_uppercase = false;
$has_number = false;
foreach (str_split($secret) as $ch) {
if (ctype_lower($ch)) {
$has_lowercase = true;
} else if (ctype_upper($ch)) {
$has_uppercase = true;
} else if (is_numeric($ch)) {
$has_number = true;
}
}
return $has_lowercase && $has_uppercase && $has_number;
}
```

The secret shall be more than 10 bytes, and must have lowercase, uppercase and a number. Apart from that, there are multiple SQL queries - But they are santized properly by using prepared statements. A usual query looks like this

```php
check_errors($statement);
$statement->bind_param("s", $name);
check_errors($statement->execute());
$res = $statement->get_result();
```

Although, prepared statements are known to be exploited if a variable name is passed directly into the query rather than `?`. There are instances of previous CTFs with such vulnerability type before. But it was not the case here.

Looking more into other files, there is a comment section which lets us know what to read

```
/*
INSERT INTO products VALUES('facebook', sha256(....), 'FLAG_HERE');
INSERT INTO products VALUES('messenger', sha256(....), ....);
INSERT INTO products VALUES('instagram', sha256(....), ....);
INSERT INTO products VALUES('whatsapp', sha256(....), ....);
INSERT INTO products VALUES('oculus-rift', sha256(....), ....);
*/
```

The vulnerability here in the duplication validation. Hence, the idea is to pass `facebook` with some spaces appended to it such as resulting in a truncation attack. I have done a research on such attacks around 2014 which you can find in my blogpost as [well](https://aadityapurani.com/2015/09/11/column-truncation-sql-injection/) for more depth into the subject.

`facebook ` and we choose secret for instance `knapKNAP1234` which satisfies the `validate_secret` check and description which whatever you may want to put and finally we can hover to `/view.php` and put the `facebook` and the secret we choose before and we get

##### Flag: fb{4774ck1n9_5q1_w17h0u7_1nj3c710n_15_4m421n9_:)}

Original writeup (https://github.com/utcoalition/Public-CTF-Writeups/tree/master/fbctf-2019/productsmanager).

Comments