PHP / MySQL / hash: security-related type comparison CTF challenge

I found myself writing up a test for a Security Auditor in the company where I work, and by doing this I found a CTF challenge that I still cannot solve.

I figured it would be good to ask you guys to see what you think.

The link is https://2013.picoctf.com/problems/php3/

The description of the test says to pay attention to how the md5 function is used, especially the last parameter set to true.

The snippet reads:

$pass = md5($_POST[pass], True);
$query = @mysql_fetch_array(mysql_query("select user from php3 where (user='$user') and (pw='$pass')"));

And the md5() with true at the end means md5 will return the raw representation rather than the string representation:

If the optional raw_output is set to TRUE, then the md5 digest is instead returned in raw binary format with a length of 16.

Taking this into consideration, do you have any idea what the procedure is to pass this test?

I guess it has something to do with the way MySQL will compare a string with a binary representation, i.e. something similar to "Why md5('240610708') is equal to md5('QNKCDZO')?" and related to the float comparison described in http://dev.mysql.com/doc/refman/5.7/en/type-conversion.html

mysql> SELECT '18015376320243458' = 18015376320243458;
-> 1
mysql> SELECT '18015376320243459' = 18015376320243459;
-> 0

Can you help me understand this challenge?

It's a simple SQL injection. Try this as username:

admin') #

# will ignore the rest of the query (make it a comment)

mysql> SELECT user from php3 where (user='admin') and (pw=0e55555555555555);

will return desired data.
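
The login check from the question rewritten so that neither field is spliced into the SQL text, as an added example that is not part of the original question, answer, or challenge code. It assumes an in-memory SQLite database through PDO standing in for the MySQL server, a constructed sample account, and `password_hash()` / `password_verify()` swapped in for the challenge's raw MD5; the function names `make_db` and `login` are hypothetical.

```php
<?php
// Added example, not the challenge's code. Assumptions: PDO with an in-memory
// SQLite database stands in for MySQL, and the stored password is a
// password_hash() value instead of the challenge's raw MD5 digest.
declare(strict_types=1);

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same table and column names as the query in the question.
    $db->exec('CREATE TABLE php3 (user TEXT PRIMARY KEY, pw TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO php3 (user, pw) VALUES (:user, :pw)');
    // Constructed sample account.
    $ins->execute([
        ':user' => 'admin',
        ':pw'   => password_hash('correct horse', PASSWORD_DEFAULT),
    ]);
    return $db;
}

function login(PDO $db, string $user, string $pass): bool
{
    // The user name is bound as data, so quotes, parentheses and '#' in it
    // cannot change the structure of the statement.
    $stmt = $db->prepare('SELECT pw FROM php3 WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $hash = $stmt->fetchColumn();
    if (!is_string($hash)) {
        return false; // no such user
    }
    // The password never reaches the SQL text. A raw 16-byte digest is
    // arbitrary binary data and must not be placed inside a quoted literal;
    // here the comparison happens in PHP against a salted hash instead.
    return password_verify($pass, $hash);
}

$db = make_db();
var_dump(login($db, 'admin', 'correct horse'));  // valid credentials
var_dump(login($db, 'admin', 'wrong'));          // wrong password
var_dump(login($db, "admin') #", 'anything'));   // user name from the answer above
```

With the bound parameter, the user name from the answer is looked up as a literal string, matches no row, and the login is rejected.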