🌐 Irish-Name-Repo 3

A detailed write-up of the Web challenge 'Irish-Name-Repo 3' from PicoCTF - 2019

/images/PicoGym/PicoCTF-2019/Irish-Name-Repo3/challenge_presentation.png
Challenge Presentation

📊 Challenge Overview

| Category | Details | Additional Info |
|---|---|---|
| 🏆 Event | PicoGym | Event Link |
| 🔰 Category | Web 🌐 | |
| 💎 Points | 500 | Out of 500 total |
| ⭐ Difficulty | 🟡 Medium | Personal Rating: 2/10 |
| 👤 Author | Xingyang Pan | Profile |
| 🎮 Solves (At the time of flag submission) | 11.760 solve rate | |
| 📅 Date | 23-02-2025 | PicoGym |
| 🦾 Solved By | mH4ck3r0n3 | Team: |

📝 Challenge Information

There is a secure website running at https://jupiter.challenges.picoctf.org/problem/40742/ (link) or http://jupiter.challenges.picoctf.org:40742. Try to see if you can login as admin!

🎯 Challenge Files & Infrastructure

Provided Files

Files: None

🔍 Initial Analysis

First Steps

Initially, the website appears as follows:

/images/PicoGym/PicoCTF-2019/Irish-Name-Repo3/site_presentation.png
Site Presentation

This is the third in the series of Irish-Name-Repo challenges (Irish-Name-Repo 1, Irish-Name-Repo 2). Opening the admin login page of this challenge and inspecting the source of login.html:

/images/PicoGym/PicoCTF-2019/Irish-Name-Repo3/admin_login.png
Admin Login
/images/PicoGym/PicoCTF-2019/Irish-Name-Repo3/page_source.png
Page Source

As we can see, there is a debug parameter that is sent with a default value of 0 in the POST request to login.php. By setting it to 1, I discovered that it was possible to view the executed query:

/images/PicoGym/PicoCTF-2019/Irish-Name-Repo3/debug_true.png
Debug True

As we can see in this case, we have the query SELECT * FROM admin where password = '' because I sent the password parameter empty. By trying to send the payload password=' OR 1=1 --, I get:

/images/PicoGym/PicoCTF-2019/Irish-Name-Repo3/first_injection.png
First Injection
/images/PicoGym/PicoCTF-2019/Irish-Name-Repo3/rot_query1.png
ROT Query

SELECT * FROM admin where password = '' BE 1=1 -- '

So, I thought there might be some kind of filter applied, or encryption. Let’s move on to the exploitation phase.

🔬 Vulnerability Analysis

Potential Vulnerabilities

  • SQL Injection

🎯 Solution Path

Exploitation Steps

Initial setup

First of all, we need to understand what kind of encoding is being applied to the text. Searching for cipher identifiers, I found the following: https://www.dcode.fr/cipher-identifier. Trying to input BE 1=1 -- ' (the encoded text since it is the only part that differs from the original query), I couldn’t get anything.

/images/PicoGym/PicoCTF-2019/Irish-Name-Repo3/chiper_identifier.png
Cipher Identifier Warning

I received a warning: "The text has a short length, this can affect the quantity and reliability of the results." So I increased the length of the payload, for example by sending Hi I'm mH4ck3r0n3 and I'm solving Irish-Name-Repo 3, and I got:

SELECT * FROM admin where password = 'Uv V'z zU4px3e0a3 naq V'z fbyivat Vevfu-Anzr-Ercb 3'

So the encoded text is: Uv V'z zU4px3e0a3 naq V'z fbyivat Vevfu-Anzr-Ercb 3. Analyzing this:

/images/PicoGym/PicoCTF-2019/Irish-Name-Repo3/chiper_identifier2.png
Cipher Identifier

I get as the first possible algorithm ROT13. So, I try to decode the encrypted text using CyberChef with the ROT13 filter:

/images/PicoGym/PicoCTF-2019/Irish-Name-Repo3/cyberchef.png
CyberChef ROT13

As we can see, it has returned to the plain text previously sent as the payload: Hi I'm mH4ck3r0n3 and I'm solving Irish-Name-Repo 3. So it is a ROT13 Encode. Now that we know what type of algorithm is encoding our payload, let’s proceed to the exploitation phase.

Exploitation

The exploitation phase is very simple since by sending the payload ' OR 1=1 --, the result is always True, because the final query becomes:

SELECT * FROM admin where password = '' OR 1=1 -- '

and we would reach the admin page containing the flag. However, since the server applies ROT13 to the payload before building the query, we can send the ROT13-encoded payload instead: ROT13 is its own inverse, so the server's transformation turns it back into plain text and the final query is exactly the one shown above. The encoded payload can be produced with CyberChef's ROT13 recipe:

/images/PicoGym/PicoCTF-2019/Irish-Name-Repo3/cyberchef_payload.png
CyberChef Payload

As we can see, we need to send the ROT13 payload: ' BE 1=1 -- . By doing so, we will be able to obtain the flag. (Another way to solve it was by directly sending the ' OR 1=1 -- payload in plain text, extracting the encoded text by setting the debug value to 1, copying the encoded text, and sending it as a payload).
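To make the mechanism concrete from the defender's side, here is an added example (my own code, not the author's exploit or the challenge's source) that reproduces the query shape seen in the debug output against an in-memory SQLite table. The `admin` schema, the placeholder password and the assumption that the stored value is the ROT13 form are all constructed for the example. It shows why the pre-encoded payload `' BE 1=1 -- ` works (ROT13 is an involution, and digits and punctuation pass through unchanged) and why the same input is harmless once the value is bound as a query parameter instead of concatenated.

```python
import codecs
import sqlite3

# Constructed stand-in for the challenge's `admin` table: the real schema and
# password are not on the page, so "hunter2-placeholder" is an assumed value.
REAL_PASSWORD = "hunter2-placeholder"


def server_transform(password: str) -> str:
    """The challenge server ROT13s the submitted password before it reaches the query."""
    return codecs.encode(password, "rot_13")


def make_db() -> sqlite3.Connection:
    """In-memory admin table; the stored value is the ROT13 form so a genuine login matches.

    (Assumption for the example; the page does not show how the real table is populated.)
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, password TEXT)")
    conn.execute(
        "INSERT INTO admin (password) VALUES (?)", (server_transform(REAL_PASSWORD),)
    )
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, password: str):
    """Mirrors the query shape shown by debug=1: the transformed value is concatenated
    straight into the SQL text, so a quote in the input changes the query structure."""
    query = f"SELECT * FROM admin where password = '{server_transform(password)}'"
    rows = conn.execute(query).fetchall()
    return query, bool(rows)


def hardened_login(conn: sqlite3.Connection, password: str) -> bool:
    """Same ROT13 transform, but the value is bound as a parameter, so it can never
    alter the statement: the whole input is compared as one string literal."""
    rows = conn.execute(
        "SELECT * FROM admin WHERE password = ?", (server_transform(password),)
    ).fetchall()
    return bool(rows)


def rot13_is_involution(text: str) -> bool:
    """ROT13 applied twice is the identity; that is why pre-encoding the payload works."""
    return codecs.encode(codecs.encode(text, "rot_13"), "rot_13") == text


if __name__ == "__main__":
    conn = make_db()
    payload = "' BE 1=1 -- "  # ROT13 of the page's ' OR 1=1 --  payload
    query, ok = vulnerable_login(conn, payload)
    print(query, "->", ok)               # concatenation: the OR 1=1 clause is live
    print("hardened:", hardened_login(conn, payload))  # parameter binding: no match
```

The lesson for the service owner is that an input transformation, even an obscure one, is not a SQL injection control: the only thing that removes the bug is separating data from query structure with parameter binding. The `debug` flag compounds the problem by handing the attacker the exact query text to test against.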

Flag capture

/images/PicoGym/PicoCTF-2019/Irish-Name-Repo3/manual_flag.png
Manual Flag

🛠️ Exploitation Process

Approach

The automatic exploit uses the codecs library to encode the payload in ROT13, then sends the request and extracts the flag from the response using a regex.

🚩 Flag Capture

Flag

Proof of Execution

/images/PicoGym/PicoCTF-2019/Irish-Name-Repo3/automated_flag.png
Automated Flag
Screenshot of successful exploitation

🔧 Tools Used

| Tool | Purpose |
|---|---|
| Python | Exploit |
| CyberChef | Encoding |
| DecodeFr | Cipher Identification |

💡 Key Learnings

Time Optimization

  • To identify any encrypted text, immediately use https://www.dcode.fr/cipher-identifier.
  • When we have a challenge that encrypts text and the algorithm is “bijective” or “reversible”, we can directly use the encrypted text provided by the challenge without wasting time figuring out which cipher was used for the encoding.

Skills Improved

  • Binary Exploitation
  • Reverse Engineering
  • Web Exploitation
  • Cryptography
  • Forensics
  • OSINT
  • Miscellaneous

📚 References & Resources

Similar Challenges

Learning Resources


📊 Final Statistics

| Metric | Value | Notes |
|---|---|---|
| Time to Solve | 00:10 | From start to flag |
| Global Ranking (At the time of flag submission) | | Challenge ranking |
| Points Earned | 500 | Team contribution |

Created: 23-02-2025 • Last Modified: 23-02-2025 • Author: mH4ck3r0n3 • Team: