http://www.appseceu.org/?page_id=175
Here is my solution:
In the first request, grab the Viewstate and decode it. Its basically Base64 with the linefeed 0d0a at the end.
Just submit. Do not change the userguess because there is a check that it must be 3 digits. You will get it right with 1 attempt.
Click continue and you can change the count to 0 and the viewstate to any number above 999.
This accomplish part 1 of the game.
Next, there is a form input, which allow you to search player. This is vulnerable to SQLinjection. It as a MySQL server and you do not even need to use commenting. Just inject:
' or 2=2 or '
and it completes the whole sql statement nicely. I dun use 1=1 because its, well too common.
With the big list, its just a matter of finding the WORSE possible guess. At first, I would think its the HIGHEST number of guess, which I am wrong because the way the answer choose is based on the SIGNED long int, so the negative score is HIGHEST. Weird. Basically its user "appseceu"
Or really if you just want to cheat, view those who hacked the db and all their names has appseceu there! :P X_X
Just back and resubmit the first request to make that record with the user appseceu and with a POSITIVE score (because its a requirement).
Anyway, have fun.
No comments:
Post a Comment