I ended up writing a program to do a binary search on each character of the password. Was really kinda fun. Just goes to show you what is possible even without any error messages and a little bit of guesswork.
I think a binary search is the right way to do this. What did you use for feedback? The idea was to not give any visible feedback on success, failure, or unparsability of the query. I think there ended up being a few holes though.
Basically I made the SQL query that was being constructed search for a bogus username, then tacked on a union select which always gave the result 'test' and conditionalized it with a WHERE and a subquery which grabbed the password for root, stripped out a particular character and tested to see if it was below a particular number.
If it failed that test, my union select failed and returned no results, which meant I got an error; otherwise I got the result 'test', which matched the query and got a 'logged in' result.
I simply used the response time as feedback for my binary search.
The SLEEP() function is very useful for this.
BENCHMARK() could also be used but this function is not allowed here.
I tried using binary search, something weird happened and I got "uifmvwuibucvsot". So I ended up doing it by hand. On the last one I did "binary" search by hand (but not really binary, more like 10's). So I used LIKE '% %' to figure out all the characters that were in it (thankfully all lowercase!) then I used it to start from 1 and expand.
Example:
root' AND password LIKE 'th%' UNION SELECT '1
And 1 as the password.
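The posts above describe the same thing from two angles: a login query built by string concatenation will happily answer a yes/no question (a UNION that only produces a row when a condition on root's password holds, or a LIKE prefix test) even though the page itself never shows an error. The following is an added example, not code from the challenge or from any poster: it puts the concatenated login beside a parameterized one and runs one true and one false probe of the kind described against both. It uses an in-memory SQLite database with a constructed users table and constructed passwords in place of the challenge's MySQL server, and assumes the app compares the fetched password to the supplied one, which is how the thread's 'test' trick reads.

```python
import sqlite3

# Constructed sample data: the challenge's real table, users and passwords are not known,
# so this in-memory SQLite database stands in for the forum's MySQL one.
SEED_USERS = [("root", "thisisasecret"), ("alice", "hunter2")]


def make_db():
    """Build the stand-in database (assumption: one users table with plaintext passwords, as in the challenge)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The weak form: the username is pasted into the SQL text, so it can rewrite the query.

    The app fetches the stored password for that username and compares it to the one supplied;
    any SQL error or empty result is reported only as a failed login, exactly the 'no feedback'
    setup the thread describes. The login outcome itself is the one bit that leaks.
    """
    sql = f"SELECT password FROM users WHERE username = '{username}'"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        return False
    return bool(rows) and rows[0][0] == password


def login_parameterized(conn, username, password):
    """The hardened form: the same query, but the username travels as a bound parameter.

    Whatever the input contains, it is compared as a literal string against the column;
    nothing in it is parsed as SQL, so the yes/no oracle disappears.
    """
    rows = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchall()
    return bool(rows) and rows[0][0] == password


# Two probes in the shape the thread describes: a bogus username, a UNION that yields 'test'
# only when a condition on root's password holds, and 'test' supplied as the password.
# Root's constructed password starts with 't', so the first condition is true and the second false.
# The app's own closing quote completes the trailing 'm literal.
PROBE_TRUE = (
    "nosuchuser' UNION SELECT 'test' WHERE "
    "(SELECT substr(password,1,1) FROM users WHERE username='root') > 'm"
)
PROBE_FALSE = (
    "nosuchuser' UNION SELECT 'test' WHERE "
    "(SELECT substr(password,1,1) FROM users WHERE username='root') < 'm"
)


def compare_logins(conn):
    """Return (vulnerable, parameterized) login results for both probes, for a side-by-side view."""
    return (
        (login_vulnerable(conn, PROBE_TRUE, "test"), login_vulnerable(conn, PROBE_FALSE, "test")),
        (login_parameterized(conn, PROBE_TRUE, "test"), login_parameterized(conn, PROBE_FALSE, "test")),
    )


if __name__ == "__main__":
    db = make_db()
    vuln, safe = compare_logins(db)
    print("concatenated query answers the probes:", vuln)   # (True, False): one bit per request
    print("parameterized query answers the probes:", safe)  # (False, False): just an unknown user
```

The point of the side-by-side is that suppressing error messages changes nothing: as long as the input is parsed as SQL, the login result is a perfectly good oracle. Binding the parameter removes the oracle rather than hiding it, which is why the fix is parameterization and not quieter error handling.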
I did it like the others, with a manual binary search using ASCII(), LENGTH(), SUBSTR() and a lot of count(*). I also used yes/no questions on the information_schema table to retrieve the right table and schema.
I wonder if there is some good tool to automate all this yes/no stuff?
anyway, nice challenge!
Learn the rules if you want to break them effectively. Dalai Lama XV
I had exactly the same idea as Roogley. Since all three challenges are on the same database server, you can simply retrieve the password from one of the former challenges. sqlmap makes that ridiculously easy.
sqlmap revealed a vulnerability for time-based injection.
I used the following string for the user field:
root' and if((select mid(password,16,1) from user limit 0,1)='z',sleep(10),1) AND 'kzQg'='kzqg’
--------------------------------------------------------------------x------x
and a script to loop through the alphabet and the positions of the password
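When the application gives no visible feedback, the posters fall back on time (SLEEP(), or BENCHMARK() where allowed) and on functions that pull one character out of a column (MID(), SUBSTR(), ASCII()). Those are also the things a defender can look for in the access log. The following is an added example, not something from the challenge or from any poster: it parses constructed log lines, URL-decodes the query parameters, flags the function names the thread's payloads rely on, and separately flags responses that are far slower than the median, since a request that took ten seconds when its neighbours took forty milliseconds is worth a look even when no pattern matches. The log format (common log format with a trailing response time in milliseconds) and all sample lines are constructed assumptions; the encoded payloads are the ones quoted in this thread.

```python
import re
import statistics
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines (assumption: common log format plus a trailing response time
# in milliseconds; real servers need their own format string). Lines 3 and 4 carry the
# payloads quoted in this thread, URL-encoded as a browser would send them; line 5 is merely slow.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /login?user=alice HTTP/1.1" 200 512 43
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "POST /login?user=bob HTTP/1.1" 200 512 39
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "POST /login?user=root%27+and+if%28%28select+mid%28password%2C16%2C1%29+from+user+limit+0%2C1%29%3D%27z%27%2Csleep%2810%29%2C1%29+AND+%27kzQg%27%3D%27kzqg HTTP/1.1" 200 512 10041
10.0.0.9 - - [01/Jan/2024:10:00:14 +0000] "POST /login?user=root%27+AND+password+LIKE+%27th%25%27+UNION+SELECT+%271 HTTP/1.1" 200 512 41
10.0.0.5 - - [01/Jan/2024:10:00:15 +0000] "POST /login?user=carol HTTP/1.1" 200 512 9900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<ms>\d+)$'
)

# Functions and keywords the thread's blind/time-based payloads lean on, matched
# case-insensitively against the decoded parameter values.
SQLI_MARKERS = {
    "sleep": re.compile(r"\bsleep\s*\(", re.I),
    "benchmark": re.compile(r"\bbenchmark\s*\(", re.I),
    "union select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "char extraction": re.compile(r"\b(substr|substring|mid|ascii)\s*\(", re.I),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
}


def parse_line(line):
    """Split one log line into fields; parse_qsl decodes %xx and '+' in the query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ms"] = int(rec["ms"])
    query = urlsplit(rec["target"]).query
    rec["params"] = dict(parse_qsl(query, keep_blank_values=True))
    return rec


def markers_in(params):
    """Names of every marker found in any decoded parameter value, in dictionary order."""
    hits = []
    for value in params.values():
        for name, rx in SQLI_MARKERS.items():
            if rx.search(value) and name not in hits:
                hits.append(name)
    return hits


def analyze(log_text, slow_factor=10):
    """Return one finding per suspicious request: marker hits and/or an outlying response time.

    The baseline is the median response time, so a handful of deliberately slowed requests
    does not drag it upwards the way a mean would.
    """
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    baseline = statistics.median(r["ms"] for r in records) if records else 0
    findings = []
    for r in records:
        reasons = markers_in(r["params"])
        if baseline and r["ms"] > slow_factor * baseline:
            reasons.append(f"slow response ({r['ms']} ms vs median {baseline:.0f} ms)")
        if reasons:
            findings.append({"ip": r["ip"], "ts": r["ts"], "params": r["params"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ts"], f["ip"], "; ".join(f["reasons"]))
```

The two signals are deliberately kept apart: the marker check catches the payload whether or not the server was actually slowed (the LIKE probe on line 4 returns in normal time), and the timing check catches a slowed request even if the attacker spelled the function in a way the patterns miss. A slow request with no marker, like the last sample line, is a lead rather than a verdict, so the finding records why it was raised.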
gandhi wrote: sqlmap revealed a vulnerability for time-based injection.
I used the following string for the user field:
root' and if((select mid(password,16,1) from user limit 0,1)='z',sleep(10),1) AND 'kzQg'='kzqg’
--------------------------------------------------------------------x------x
and a script to loop through the alphabet and the positions of the password
I let sqlmap do the rest, too... it was very interesting to see how powerful sqlmap is.
Very nice challenge, since I never knew about time-based attacks. I used sqlmap to help me confirm my suspicions about sleep() and I found a nice article (http://www.rafayhackingarticles.net/201 ... based.html) explaining how to exploit it.
Edit: now I see that I could have done this easily with the dump option in sqlmap, but it was good to understand how it works rather than just by magic.