Tags: sqli github
Rating:
**Description**
> Howdy mate! Just login and hand out the flag, aye! You can find on [h18johndoe](https://github.com/h18johndoe/user_repository/blob/master/user_repo.rb) has all you need!
>
> `http://yo-know-john-dow.ctf.hackover.de:4567/login`
>
> alternative: `46.101.157.142:4567/login`
**No files provided**
**Solution**
We get a simple login screen, but no way to register:
First we need a username. `h18johndoe` from the description doesn't work. Well, we can have a look at the link from the description, which seems to show the source code for back end of this website:
```ruby
class UserRepo
def initialize(database)
@database = database
@users = database[:users]
end
def login(identification, password)
hashed_input_password = hash(password)
query = "select id, phone, email from users where email = '#{identification}' and password_digest = '#{hashed_input_password}' limit 1"
puts "SQL executing: '#{query}'"
@database[query].first if user_exists?(identification)
end
def user_exists?(identification)
!get_user_by_identification(identification).nil?
end
private
def get_user_by_identification(identification)
@users.where(phone: identification).or(email: identification).first
end
def hash(password)
password.reverse
end
end
```
The `login` method has a clear SQL injection, since the password "hashing" just reverses the input we give it, without any sanitising. Before `login` is called however, we need to pass the `user_exists?` check, which seems to use prepared statements. So we still need an existing e-mail.
The file above has commits from two users, `h18johndoe` and `john1234`. GitHub doesn't seem to show e-mail addresses of users, but if we clone the repo and check the commit log, we can see the e-mails:
```
$ git log
commit b26aed283d56c65845b02957a11d90bc091ac35a
Author: John Doe <[email protected]>
Date: Tue Oct 2 23:55:57 2018 +0200
Add login method
commit 5383fb4179f1aec972c5f2cc956a0fee07af353a
Author: John Doe <[email protected]>
Date: Tue Oct 2 23:04:13 2018 +0200
Add methods
commit 2d3e1dc0c5712efd9a0c7a13d2f0a8faaf51153c
Author: John Doe <[email protected]>
Date: Tue Oct 2 23:02:26 2018 +0200
Add dependency injection for database
commit 3ec70acbf846037458c93e8d0cb79a6daac98515
Author: John Doe <[email protected]>
Date: Tue Oct 2 23:01:30 2018 +0200
Add user repo class and file
```
And the last one (earliest commit chronologically) is actually the correct e-mail address: `[email protected]`. After entering this e-mail we get asked for the password, and this is where we can do the SQL injection, since we don't know the user's password.
We only need to login, so we can do an extremely simple injection:
input: 'or''=='
reverse: '==''ro'
full query after injection and re-reverse:
select id, phone, email from users where email = '[email protected]'
and password_digest = ''or '' == '' limit 1
`hackover18{I_KN0W_H4W_70_STALK_2018}`
