Stripe CTF 2.0 Level 3

August 28, 2012   


Here is a python level. They claim this one is more secure and it is a bit more but not really.

Hint Given

There really is no hint given other then in the code

Problem in the code

So take a look at line #86

query = """SELECT id, password_hash, salt FROM users
               WHERE username = '{0}' LIMIT 1""".format(username)
So that is taking a username and pulling out data to see if the user/password combo is correct. The main issue is they aren't checking for invalid input. Like putting in quotes for the username.


So we are going to attack this with a SQL injection attack. Since there isn’t any validating of data that is sent in via the username we can put SQL in the username to make it pull out data that we want. So we can do this with a UNION statement. Pretty much our attack will be to union data we provide so it overrides the data that is in the database. So first we have to create a salted password to use. So lets first up python and do something like this

import hashlib




So what we are doing is creating our own salted password to pass in via SQL injection to the app so it can compare with a password we send in via the form and a salt we are also injecting. So once we have that encrypted password and a known salt/password we will enter the following

As the username

‘ UNION SELECT id, ‘4c26991843b5498e99ef26e6cf45c4eecd9e6890436f619054aaa8790b35967c’ AS password_hash, ‘bob’ AS salt FROM users where username=’bob’;–

As the password


So that will take id,password_hash and salt and replace it in the code with what the database would return when select a user bob.

Now you have the next level’s password.

comments powered by Disqus