This is my solution to the TG20 Hack Web Challenge “Bobby”.
I’ll admit, I had a bit of a steer from my team mate on this one – I understood the basics but was having difficulty figuring out the underlying SQL statement.
Once I’d been pointed in the right direction, after a lot of trial and error and reading up on SQL syntax, I got there.
I was more used to the concept of extracting data using an injection; amending data was somewhat new to me, so this proved a great learning point.
The challenge begins with a login page containing username/login fields, and nothing remarkable about the html.
I attempted injecting both fields with a ‘ to see what would happen. Both appeared to be sanitised.
However, there was a “change password” link. Maybe we could do something there?
We are now presented with 3 fields: username, old password, and new password.
Entering a ‘ in each field in turn returns “Failed to change password” for the first two but throws an error for the “new password field”
So now we know that “New Password” is injectable, and “WHERE user=? AND pass=?” forms part of the underlying SQL statement.
I got a bit of steer here from a team mate in relation to SQL and how it might be used to change a password.
The basic syntax might look something like:
update users set password=’new_password’ where user=’user’ and password=’old_password’
I figured therefore that something like this might work if entered into the new password field:
bobbynew’ where user = ‘bobby’ —
I thought this would change the password to bobbynew for user bobby (a guess at bobby’s username) and comment out the rest of the line.
However, it threw an error:
After a bit of research into “parameterised inputs” I began to understand that the underlying statement required two parameters, and would fail unless they were supplied.
From previous attempt, it was clear that the parameters required were user=? and pass=?
Also, instead of guessing Bobby’s username, perhaps I could simply set my own?
After a lot of trial and error, I finally got to the following injection:
bobbynew’, user=’bobby’ where user=? and pass=? or 1=1 —
Here, we set the new password to bobbynew, while also creating a user called bobby if none existed previously; the two required parameters are then supplied with an always true statement. Don’t forget to add a trailing space!
Success! Password changed!
We now navigate back to the login page and enter our created credentials bobby:bobbynew to retrieve the flag: