25C3-CTF

Advisory #42

From team h4ck!nb3rg

New advisory by: churchy
Affected service(s): ultrashare
Severity [lmh]: medium


Hello again fellow hackers and those who (like us) desperately try to get some services running,

===== Problem =====
The application ultrashare allows users to upload and download files. When logged in, a user can change his or her password. This functionality is prone to SQL injection and allows, for example, changing a password without knowledge of the old pwd. As a short proof of concept, just click to change your password and enter a single tick in all three fields. Your password will then be changed to this character.

Also the login can be bypassed when a username is known but the password is not. Just use the username and enter a single tick as login credentials.

===== Impact =====
Besides logging in and changing the password, it is possible to alter the SQL statement and, for example, read flags out of it (not shown here for our internal flag gathering reasons :-)


===== Fix =====
Edit the file db.rb and escape the parameters in the function login(user,password). Escape the parameters for example using the gsub function like:

password.gsub("'","\n")


We congratulate openTU for their great analysis of our internal bot process operations :)
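As an added illustration (not code from ultrashare or from this advisory), the following Ruby shows how a db.rb-style login lookup becomes injectable when built by string interpolation, what the escaping fix described above looks like when the quote is doubled rather than replaced, and the bound-parameter alternative. The table, column and function names are assumed; the SQL is built as text so it runs without a database gem.

```ruby
# Added example, not code from ultrashare or the advisory: how a db.rb-style
# login lookup becomes injectable when built by interpolation, and two hardened
# versions. SQL is built as text so it runs without a DB gem; names are assumed.

# Vulnerable: input is spliced into the SQL text, so a quote in either field
# closes the literal early and changes the statement.
def login_sql_unsafe(user, password)
  "SELECT id FROM users WHERE name = '#{user}' AND password = '#{password}'"
end

# Escaping fix: a quote inside an SQL string literal is written as two quotes.
# Doubling (rather than replacing) also keeps the stored value unchanged.
def sql_quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end
def login_sql_escaped(user, password)
  "SELECT id FROM users WHERE name = #{sql_quote(user)} " \
    "AND password = #{sql_quote(password)}"
end

# Preferred fix: constant statement text, values bound separately by the driver.
def login_sql_bound(user, password)
  ["SELECT id FROM users WHERE name = ? AND password = ?", [user, password]]
end

# Defensive check: walk the SQL treating '' inside a literal as an escaped
# quote; report complete literals seen and whether we ended inside one.
def scan_literals(sql)
  literals, in_literal, i = 0, false, 0
  while i < sql.length
    if sql[i] == "'"
      if !in_literal
        in_literal = true
      elsif sql[i + 1] == "'"
        i += 1                  # doubled quote: escaped, stay in the literal
      else
        in_literal = false
        literals += 1
      end
    end
    i += 1
  end
  { literals: literals, unterminated: in_literal }
end

# A correctly built login query has exactly two closed literals regardless of
# input; anything else means the input altered the statement structure.
def structure_intact?(sql)
  r = scan_literals(sql)
  r[:literals] == 2 && !r[:unterminated]
end
```

Feeding the single tick from the advisory through `login_sql_unsafe` leaves an unterminated literal, while the escaped and bound versions keep the statement structure fixed for any input.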






Rating

[0] It's not a SQL Injection. Fix isn't working
