Who is 'Sandra Murphy'?

Sandra Murphy

[deleted user]
10 years ago

0

Hi All,

Everyone who completed this level. Please provide your hints over here.

42 replies, 15 voices, 639 views
Keeper
10 years ago

1

You’ve opened a thread for each one of the new challenges. As for a hint: LDAP is the only acronym that can help you the best.

*********** [ADIGA]
10 years ago

0

Oh shit, now I need to do some more reading to finish this one :(
I did some reading on LDAP before, basic stuff but no exploitation though.

[deleted user]
10 years ago

0

I don’t think this level has anything to do with LDAP injection. I’ve tried like 30 injections but still unable to get through.

Keeper
10 years ago

0

[quote=author]I’ve tried like 30 injections but still unable to get through.[/quote]

And that is a valid ramification that LDAP is not involved... Just because you fail doesn’t mean it includes others as well.

0xDC
10 years ago

0

We need to find a way to break the syntax and get error messages... no luck though, it might be blind LDAP injection...

Keeper
10 years ago

0

If it’s implementing LDAP, it’s certainly blind-based. Thing is, there might not be any triggering of errors at all. If flabby used a regex and validates a single unique query then things are screwed up. I doubt that’s the case but still, food for thought.

0xDC
10 years ago

0

My guess is to guess the real name variable (assuming it’s LDAP injection). I’ve tried realname, real_name and real-name. No luck!

CygnusH33L
10 years ago

0

I tried the same, DC, with no luck; I tried other alternatives too. This one is quite challenging :/ I should be working too lol

Keeper
10 years ago

0

I should advise all that are attempting it not to overthink it too much. In most cases it is something not so hard but rather one that requires more imagination.

*********** [ADIGA]
10 years ago

0

To tell the truth, my first thought about this level was an XPath exploit / XML login...
Did try a few things on that, got a different error message (something like: syntax error or invalid query).
Tried a few with LDAP, yet with no result.

Will try some more when I’m done reading on LDAP.

[deleted user]
10 years ago | edited 10 years ago

0

Don’t try these because I’ve already tried them, and a few more which are not mentioned over here.

[spoiler]user=)(uid=))(|(uid=
user=
)(|(password=))
smurphy)(|(password=
))
sandram)(|(password=))
smurphy)(uid=smurphy)(|(uid=smurphy
sandramurphy)(uid=sandramurphy)(|(uid=sandramurphy
sandram)(uid=sandram)(|(uid=sandram
sandra_murphy)(uid=sandra_murphy)(|(uid=sandra_murphy
sandy)(uid=sandy)(|(uid=sandy
)(uid=)(|(uid=
murphy)(uid=murphy)(|(uid=murphy
sandra)(uid=sandra)(|(uid=sandra
user)(uid=)
user)(uid=))(|(uid=
samurphy)(uid=samurphy)(|(uid=samurphy
sanmurphy)(uid=sanmurphy)(|(uid=sanmurphy
(&(user=
)(pass=))
(&(user=
)(&))(pass=))
user=
)(cn=))%00&pass=whatever
user=san
)(cn=san))(|(cn=san
user=mur)(cn=mur))(|(cn=mur
user=s
)(cn=s))(|(cn=s
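
Added example (editor’s, not the challenge’s code): what the `)(` and `)(|(` payloads in the list above do to a login filter. It uses a toy in-memory directory and a minimal RFC 4515 filter evaluator so it runs offline; the entries, attribute names (uid, userPassword) and the filter shape are all constructed for the demo. The evaluator processes the first complete filter and ignores whatever follows it, which is the OpenLDAP behaviour the LDAP-injection literature describes; other servers reject the leftover text with an error, and that error is exactly what this thread was trying to provoke.

```ruby
# Toy LDAP login check (constructed; not HackThis or any real server's code).

# Constructed directory: two entries, as a real search would return them.
DIRECTORY = [
  { 'uid' => 'jdoe',    'userPassword' => 'hunter2' },
  { 'uid' => 'smurphy', 'userPassword' => 'winter2014' },
].freeze

# RFC 4515 s.3: '*', '(', ')', '\' and NUL must be written as \xx inside a value.
def ldap_escape(value)
  value.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Vulnerable: raw user input is spliced straight into the filter string.
def vulnerable_filter(user, pass)
  "(&(uid=#{user})(userPassword=#{pass}))"
end

# Hardened: every metacharacter in the input is escaped first.
def safe_filter(user, pass)
  "(&(uid=#{ldap_escape(user)})(userPassword=#{ldap_escape(pass)}))"
end

# Minimal filter parser: (&...), (|...), (!...) and attr=value with '*' wildcards.
# Text after the first complete filter is ignored (OpenLDAP-like; see lead-in).
class FilterParser
  def initialize(text)
    @s = text
    @i = 0
  end

  def parse
    filter
  end

  private

  def filter
    expect('(')
    node =
      case @s[@i]
      when '&'
        @i += 1
        [:and, filter_list]
      when '|'
        @i += 1
        [:or, filter_list]
      when '!'
        @i += 1
        [:not, filter]
      else
        simple
      end
    expect(')')
    node
  end

  def filter_list
    list = []
    list << filter while @s[@i] == '('
    list
  end

  def simple
    eq = @s.index('=', @i) or raise "expected '=' at #{@i}"
    close = @s.index(')', eq) or raise "expected ')' after #{eq}"
    attr = @s[@i...eq]
    @i = close
    [:eq, attr, @s[(eq + 1)...close]]
  end

  def expect(ch)
    raise "expected '#{ch}' at #{@i}" unless @s[@i] == ch
    @i += 1
  end
end

# Unescaped '*' is a wildcard; \xx sequences are literal bytes.
def value_matches?(pattern, actual)
  parts = pattern.split('*', -1).map do |p|
    Regexp.escape(p.gsub(/\\([0-9a-fA-F]{2})/) { $1.hex.chr })
  end
  actual.match?(/\A#{parts.join('.*')}\z/)
end

def evaluate(node, entry)
  case node[0]
  when :and then node[1].all? { |n| evaluate(n, entry) }
  when :or  then node[1].any? { |n| evaluate(n, entry) }
  when :not then !evaluate(node[1], entry)
  when :eq  then entry.key?(node[1]) && value_matches?(node[2], entry[node[1]])
  end
end

# Returns the uid of the first entry the filter matches, or nil.
def login(filter)
  tree = FilterParser.new(filter).parse
  entry = DIRECTORY.find { |e| evaluate(tree, e) }
  entry && entry['uid']
end

if __FILE__ == $PROGRAM_NAME
  payload = '*)(uid=*))(|(uid=*'
  puts vulnerable_filter(payload, 'x')        # (&(uid=*)(uid=*))(|(uid=*)(userPassword=x))
  puts login(vulnerable_filter(payload, 'x')) # jdoe: first entry, password never checked
  puts safe_filter(payload, 'x')
  p    login(safe_filter(payload, 'x'))       # nil
end
```

The payload closes the `(uid=...)` assertion early and the `(&...)` around it, so the first complete filter the server sees is `(&(uid=*)(uid=*))`, which matches every entry; the password assertion is stranded in the ignored tail, and the application logs in whoever comes first. That is why a payload that "works" logs you in as some other user rather than a chosen one. With escaping, the whole input becomes one literal assertion value and matches nothing.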

0xDC
10 years ago | edited 10 years ago

0

I’m more thinking along the lines of *)(realname=Sandra Murphy - but that didn’t work for me. Shouldn’t we guess the ‘realname’ parameter in the LDAP?

Pete Maynard [Osaka]
10 years ago | edited 10 years ago

0

Off-topic - The spoiler tag still exists, you just have to manually type it as the WYSIWYG editor forgot about it, and you can only open it, not close it; these have been noted.

>> Meow

[deleted user]
10 years ago

0

If the real name is Sandra Murphy then the display name would be the same, I guess. But login IDs cannot use spaces, I believe, so the username should be something like sandram or smurphy or something. But it’s not possible to guess the username; it could be anything. In my office the LDAP uses altogether a different ID which is nowhere related to my name. And I have even tried the * but it’s not working. Need to do some more digging in LDAP, I guess.

Keeper
10 years ago

-1

It’d be enough if flabby drops even a single word or acronym related to the challenge since it could not be LDAP.

*********** [ADIGA]
10 years ago | edited 10 years ago

1

Going back to XPath, that was the only method with which I was able to produce another error.

J [ColdIV]
10 years ago | edited 10 years ago

0

Thank you very much @ADIGA ;)

Edit: Added spoiler tags.

Zhen [ZeroFreak]
10 years ago

0

Solved it. You need to think of it from a programmer’s perspective.

[deleted user]
10 years ago

0

Whoa, I am not a programmer, not even remotely. Guess I’ll have to do some more researching.

Zhen [ZeroFreak]
10 years ago

0

Not much research is needed. In fact

https://www.owasp.org/index.php/XPATH_Injection

was able to help me. When I said programmer’s perspective, you need to understand how everything works in the code. =)

Luke [flabbyrabbit]
10 years ago

0

A hint has been added to the level. I need to double check its accuracy as I wrote it from memory but it will certainly nudge people in the right direction.

*********** [ADIGA]
10 years ago

0

Hahaha, after 40 attempts still no answer...
Treated it as an XPath injection, did some inputs that would return true for the username and would return true as the real name of Sandra... still no luck... this must be a very specific input for it to be accepted :(

Tried with both single quote and double quote...

I’m glad I’m almost bald or I would have pulled my hair out...

Roun512 [roun512]
10 years ago

0

Why is every query I try able to log in to another user, and whatever I change it’s still the same user, not Sandra Murphy? Can someone help me out with this?

[deleted user]
10 years ago

0

Hey roun512,

Please post the query that you are using.

Roun512 [roun512]
10 years ago

0

Hey tlotr, it’s not allowed since it’s near to the answer :)

[deleted user]
10 years ago

0

Hey roun512,

Not the complete one, but at least the end part perhaps.

kamzhik
10 years ago

0

Solved it! The site mentioned by ZeroFreak is actually helpful.

*********** [ADIGA]
10 years ago

0

Hehe, solved it; used my same other input but in 1 field, not 2.

Keeper
10 years ago

0

IMO, it’s not practical since you cannot stumble upon the example given in the challenge. But on the other hand, at least people are urged to do some researching and will learn something new alongside trying to complete the challenge.

[deleted user]
10 years ago

0

I’ve finally solved it... Now I can Rest In Peace

*********** [ADIGA]
10 years ago

0

Keeper, the answer is found on Google in the first 3 results when you search for the right thing... only a minor change to the code in it needs to be made, and with flabby’s hint it’s a bullseye for anyone who knows only a bit about programming logic.

Keeper
10 years ago

0

The simplicity has nothing to do with it. And this “minor change” is a major one from the point of logic as you say.

[deleted user]
10 years ago | edited 10 years ago

0

ColdIV was so right. Why didn’t I think about it before? Why was I thinking so much that I ruled out the obvious? The answer was in front of me this whole time, now that I see it once I have completed it. Now a small change to the code and that’s it, you are done with the level.

CygnusH33L
10 years ago

0

I can’t believe it! I must have tried the correct thing a load of times :@ just in the wrong place lol. Never mind, finally done :D

0xDC
10 years ago

0

@CygnusH33L: Congrats! :)

Frozen_Sword
10 years ago

0

So, I’ve been able to get a different kind of error, but I don’t know how to log in as the specific user. How can you specify “Sandra Murphy” as the realname?

*********** [ADIGA]
10 years ago

0

It’s somewhat simple.
Let’s take an example of an SQL database.
It has 3 fields:
username, password, realname.
The login script may work with the query “select * from users where username=‘username’ and password=‘password’”.
In case of an SQL injection, you can change almost the whole query, as you do not have to use 1=1--...
The answer for this level is almost the same: find the bug type and try changing what it does (the query) to include the real name field with the name you want to log in with.

wence
10 years ago

0

all you need is a paper and a pencil :)

[deleted user]
10 years ago

0

However, it’s easier with a computer ^^

wence
10 years ago

0

Dude, follow anything (I don’t care)

wence
10 years ago

0

Caps are crazy!

Cyan Wind [freewind1012]
10 years ago | edited 10 years ago

0

@tlotr: You should close this thread because it’s getting too long. Anyone who has a question can create their own thread.

Discussion thread has been locked. You can no longer add new posts.