PurpleSky - Software Gamer's Playground

Challenge Solution      Challenge 7 is quite similar to Challenge 6, but there is no SQLi in Security Question.      I really don't think people could pass challenge this without cheating.      There are a lot of flowers in the world & the answer for root user is " Franklin Tree " which is not a common flower...      However, I think what people should learn here is to make sure your security question should be good enough!     For example, if the question here is "What is your favorite brand of mobile phone?" An attacker could definitely enumerate all the major brands in the world and use tool to try them all. (Ex: BurpSuite -> Intruder to import a list of brands.)     In addition, if in the question setting panel, the application prepares few answer for user to select, then the scenario will be even easier. (Ex: "What is your favorite brand of mobile phone?" -> Select the following "Apple", "HTC", "

Challenge Solution       First, try admin / admin -> There is no a user named as admin!     Try root / root -> User root exists! His/Her email address is  elitehacker@shepherd.com .      Click Have you forgotten your password? link and input the root user's email ->     We don't know the Security Question answers...     Input apostrophe(') or quote(") to see if there exists a SQLi -> There is a SQLi in email address field when using quote (")!      Input  " UNION Select database();# ->  BrokenAuthAndSessMangChalSix      Input  " UNION Select table_name FROM information_schema.tables WHERE table_schema = "BrokenAuthAndSessMangChalSix ->  Invalid Data Submitted: Invalid Email Address!      We notice that if the input is too long, then there will be a Invalid Data warning.      Input  " UNION Select username from secret;# ->  com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: SELECT co

Challenge Solution     First, login with admin / admin to see what will happens? -> Incorrect password for admin . We know the admin account do exists, but we don't know the password.      Let's try to click the Forgotten Password? button. Input admin as User Name ->  URL with embedded password reset token has been sent to 'admin' via email .       We don't have the email of admin user. Let's see the packet in BurpSuite. Request packet: Response packet:     Nothing special...     Let's check the source code scripts : //Change Password Form (Requires Valid Token) //Token life is 10 mins $("#leForm3").submit(function(){ var theUserName = $("#subUserName").val(); var theNewPassword = $("#subNewPass").val(); var theToken = $("#updatePasswordToken").val(); $("#resetSubmit").hide("fast"); $("#resetLoadingSign").show("slow"); $("#resultsDi

Challenge Solution     The challenge ask us to login us administrator. As a first step, let's try admin /  'or'a'>'a';-- - in UserName / Password field -> No luck at this time.      After trying qoute (") and other payload I know, it seems that the application is not vulnerable.      Let's step back to think of the query itself, let's guess the query is [ SELECT * FROM users WHERE username=' UserName(our_input) ' AND password=' Password (our_input) ' ].      What if we use backslash (\) to escape the ending apostrophe (') for username to make the query become =>  [ WHERE username= '   \'   (the ending apos become normal char)  AND password= '   or 1=1 ;-- - ' ]      Cool! We have some progress now!      What we need to do next is to find a way to select administrator . Before extracting administrator, let's see why our ' or 1=1;-- - payload not works. Input admin' or 1=1\ to t