swisskyrepo
/
swisskyrepo.github.io
mirror of https://github.com/swisskyrepo/swisskyrepo.github.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

MD Auth - link update

pull/1/head
Swissky 2018-12-24 13:40:51 +01:00
parent 99e81e5796
commit 9cc21a25f8
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
_posts/2018-12-23-SIGSEGV-MD_AUTH.md
View File

@ -3,10 +3,10 @@ layout: post
title: SIGSEGV1 Writeup - MD Auth
---
Let's talk about the "MD Auth" challenge, I admit I started with this challenge thinking it would be about "Markdown"/
Let's talk about the "MD Auth" challenge, I admit I started with this challenge thinking it would be about "Markdown".
I was wrong but it was nonetheless interesting to solve.
The source code of the index was available by requesting : http://finale-docker.rtfm.re:4444/?source
The source code of the index was available by requesting : [http://finale-docker.rtfm.re:4444/?source](http://finale-docker.rtfm.re:4444/?source)
{% highlight php%}
<?php
@ -35,7 +35,7 @@ if(isset($_POST['login'], $_POST['password'])) {
}
{% endhighlight %}
At first I tried to access the database with my browser by requesting finale-docker.rtfm.re:4444/mdauth.db, unfortunately that didn't work. Let's dig deeper into the source code. We want to authenticate on the Web Application, maybe we can do an SQL injection inside the following query.
At first I tried to access the database with my browser by requesting [finale-docker.rtfm.re:4444/mdauth.db](finale-docker.rtfm.re:4444/mdauth.db), unfortunately that didn't work. Let's dig deeper into the source code. We want to authenticate on the Web Application, maybe we can do an SQL injection inside the following query.
{% highlight sql%}
SELECT login FROM users WHERE hash='{$hash}' and login='{$login}'