dexter@aeron7.com

Sql Injection & Hash Decrypting (Advanced)

Step 0: Collecting Information

Directory structure

First of all we try to get as much information as we can, starting with the navigation:

C:\Program Files\Apache Group\Apache2\ENRP\

|__ index.php

|__ news.php

|__ action=news.php

|__ method=GET

|__ param=month [all, September, …]

|__ debates.php

|__ members.php

|__ newsletter.php

|__ mailinglist.php

|__ action=addmail.php

|__ method=POST

|__ field=email

|__ speeches.php

|__ action=speeches2.php

|__ method=POST

|__ field=speech [1]

|__ press.php

|__ action=readpress.php

|__ method=POST

|__ field=release [1, 2, 3]

|__ economy.php

|__ speeches/

|__ passwords/

We know the root path from an error that we get by calling readpress.php page without parameter. In addition, this error tells us that there is also a second directory structure as follows:

C:\Program Files\Apache Group\Apache2\htdocs\ENRP\includes\

|__ special.php

|__ �ooter.php

|__ arrange.php

Database model

 

From the same error and also by calling news.php file witout parameter, we learn these information from the database model:

newsTable
Field Format
post
date
month VARCHAR
press_table
Field Format
 ?  ?


Errors

news.php without parameter produces following error:

MySQL Error Reported: row “january” does not exist

Error in query: “SELECT post, date FROM newsTable WHERE month =”January”

readpress.php without parameter produces following error:

MySQL Error: “” row does not exist in table “press_table”;

Warning: Unexpected character in input: ‘\’ (ASCII=92) state=1 in C:\Program Files\Apache Group\Apache2\ENRP\readpress.php on line 33

Error in query:

error_reporting(E_ALL);

$service_port = “80”;

$address = “localhost”;

$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);

$in = “GET /speeches/passwords/” . md5(‘Speeches’) . “”;

$in .= “REFERER: http://ENRP/get_speeches_passwords_referer\n”;

$in .= “\n\n”;

$out = ;

socket_write($socket, $in, strlen($in));

echo “OK.\n”;

include(\”C:\Program Files\Apache Group\Apache2\htdocs\ENRP\includes\special.php\”);

include(\”C:\Program Files\Apache Group\Apache2\htdocs\ENRP\includes�ooter.php\”);

include(\”C:\Program Files\Apache Group\Apache2\htdocs\ENRP\includes\arrange.php\”);

?>

Step 1: Find an access

Find account

The second error gives us a directory structure:

GET /speeches/passwords/” . md5(‘Speeches’)

As we can see, there is a sub directory inside /speeches/passwords/, encrypted with MD5. Using e.g. Python, we get the MD5 hash of the string “Speeches”:

$ python

>>> import hashlib

>>> hashlib.md5(‘Speeches’).hexdigest()

‘7e40c181f9221f9c613adf8bb8136ea8’

Full URL becomes:

http://www.hackthissite.org/missions/realistic/13/speeches/passwords/7e40c181f9221f9c613adf8bb8136ea8/

We can see that the directory contains a file named passwords.fip. By clicking on it, we get two passwords, separated by colon.

7bc35830abab8fced52657d38ea048df:21232f297a57a5a743894a0e4a801fc3

Crack MD5 hashes

Following site has a huge database of MD5 hashes:

http://www.tmto.org/?category=main&page=search_md5

It helps us finding this username:password = moni1:admin .There are many softwares and online sites for cracking it.

Step 3: Log-in

The fake authentication form

The site is likely to have an administration access. It is often named “admin”, “adm”, “conf”, … Let’s try “admin”:

http://www.hackthissite.org/missions/realistic/13/admin/

By using our discovered credentials, we get an error:

“admin” does not match password for “moni1”1

The right authentication form

Let’s replace “admin” with its MD5 hash (21232f297a57a5a743894a0e4a801fc3)

http://www.hackthissite.org/missions/realistic/13/21232f297a57a5a743894a0e4a801fc3/

 

  • Username: moni1
  • Password: admin

And this time it should work. Access granted, mission completed!

 

 

About the Author

Aloha, I'm Amit Ghosh, a web entrepreneur and avid blogger. Bitten by entrepreneurial bug, I got kicked out from college and ended up being millionaire and running a digital media company named Aeron7 headquartered at Lithuania.

Related Posts

Basic Mission 1   I can call you a pretty dumb as per you are now viewing the walkthrough for...

Basic Mission 2   I can again call you a pretty dumb as per you are now again viewing the walk...

Basic Mission 3   Have a look at the source code of that page and have you noticed the form section?...

Leave a Reply