In today’s post, we’re going to be looking at the Damo Security Challenges, specifically Challenge VI. This page can be found here. Let’s head over to the page and get started.
Once at the page, we can see the familiar layout of a Member’s List, Member’s Only page, Hall of Fame, Login and Register. If we register and login, we are again presented with a message saying we can add a user to the Hall of Fame if we are an admin. Another thing to note, is if we log in, on the login page, there is a button for “remember me”.
If we have remember me turned on, we can look at the cookies that are saved on our side. There are two cookie values saved, one for username and one for password. We can also see the values for these cookies end in %3D, which is an equals sign. This gives us reason to believe it’s padding from base64 encoding. Thus, we can use a small php snippet to verify. Running <?php $str=’VALUE_OF_USERNAME_FROM_COOKIE’; echo base64_decode($str); ?> returns our username. Doing the same with the password returns our password. Thus, we can assume these are used on the server.
The first attack is to try and replace our username cookie with the value which would be expected if we were logged in as admin, so use a php snippet to get ‘admin’ base64_encoded <?php $str=’admin’; echo base64_encode($str);?> and put that into the username cookie and try to submit our name to the hall of fame. This doesn’t work, and we’re told we have to be admin.
The next attack is a little trickier and involves SQL Injection. First, let’s think about what happens when a name is submitted to the Hall of Fame. Since a username and password are supplied as well, we can assume the php script checks if there is at least one matching user for the username and password, and if the username is admin. If so, the submitted name is added to the Hall of Fame. So, if we can do SQL Injection and return at least one match, we should get added to the hall of fame. So, let’s think about the SQLi we want. The injection can be in the password and return true, thus the basic sqli works: ourpassword’ or ‘1’=’1 However, to get this into the sqli, we have to base64 encode it and submit it as our cookie value for the password. So again, php <?php $str = ‘something\’ or \’1\’=\’1′; echo base64_encode($str); ?>. Now we submit the previously calculated value for ‘admin’ as our username and this SQLi value as our password via cookies when we try to add a name to the hall of fame. If done correctly, our name gets added. 🙂 YAY!
So What?
SQL Injection, it’s not just for query strings. Injection vulns come from any place where users can provide input, regardless of if it is in a query string, a post body, a cookie value, an AJAX request, if it comes from the user’s computer, it can result in injection. Also, base64 isn’t encryption, it’s encoding, so anyone can do it and thus it doesn’t provide any safety in this context. If you want to put a cookie on a user’s computer, encrypt it with encryption with a private key such that the user cannot create a correctly encrypted string.