11 years ago
0
Hi All,
Everyone who completed this level. Please provide your hints over here.
Oh shit, now I need to do some more reading to finish this one :(
Did some reading on LDAP before, basic stuff but no exploitation though.
I Hate Signatures.
11 years ago
0
I don’t think this level has anything to do with LDAP injection. I’ve tried like 30 injections but still unable to get through.
We need to find a way to break the syntax and get error messages….. no luck though, it might be blind LDAP injection…..
/dev/null
My guess is to guess the real name variable (assuming it’s LDAP injection). I’ve tried realname, real_name and real-name. No luck!
/dev/null
I tried the same DC with no luck, I tried other alternatives too. This one is quite challenging :/ I should be working too lol
I would love to change the world, but they won’t give me the source code.
To tell the truth, my first thought about this level was an XPath exploit / XML login…
Did try a few things on that, got a different error msg (something like: syntax error or invalid query).
Tried a few with LDAP, yet with no result.
Will try some more when I'm done reading about LDAP.
I Hate Signatures.
11 years ago | edited 11 years ago
0
Don’t try these, cause I’ve already tried them and a few more which are not mentioned over here.
[spoiler]user=)(uid=))(|(uid=
user=)(|(password=))
smurphy)(|(password=))
sandram)(|(password=))
smurphy)(uid=smurphy)(|(uid=smurphy
sandramurphy)(uid=sandramurphy)(|(uid=sandramurphy
sandram)(uid=sandram)(|(uid=sandram
sandra_murphy)(uid=sandra_murphy)(|(uid=sandra_murphy
sandy)(uid=sandy)(|(uid=sandy
)(uid=)(|(uid=
murphy)(uid=murphy)(|(uid=murphy
sandra)(uid=sandra)(|(uid=sandra
user)(uid=)
user)(uid=))(|(uid=
samurphy)(uid=samurphy)(|(uid=samurphy
sanmurphy)(uid=sanmurphy)(|(uid=sanmurphy
(&(user=)(pass=))
(&(user=)(&))(pass=))
user=)(cn=))%00&pass=whatever
user=san)(cn=san))(|(cn=san
user=mur)(cn=mur))(|(cn=mur
user=s)(cn=s))(|(cn=s
I’m more thinking along the lines of *)(realname=Sandra Murphy - but that didn’t work for me. Shouldn’t we guess the ‘realname’ parameter in the LDAP?
/dev/null
Off-topic - The spoiler tag still exists, you just have to manually type it as the WYSIWYG editor forgot about it, and you can only open it, not close it; these have been noted.
>> Meow
Folding@Home Stats | Official Thread | Team Number: 223679
11 years ago
0
If the real name is Sandra Murphy then the display name would be the same, I guess. But login IDs cannot use spaces, I believe, so the username should be something like sandram or smurphy or something. But it’s not possible to guess the username, it could be anything. In my office the LDAP uses an altogether different ID which is nowhere related to my name. And I have even tried the * but it’s not working. Need to do some more digging in LDAP, I guess.
I Hate Signatures.
Thank you very much @ADIGA ;)
Edit: Added spoiler tags.
11 years ago
0
Wooa, I am not a programmer, not even remotely. Guess I’ll have to do some more researching.
Not much research is needed. In fact
was able to help me. When I said programmer’s perspective, you need to understand how everything works in the code. =)
A hint has been added to the level. I need to double check its accuracy as I wrote it from memory but it will certainly nudge people in the right direction.
hahaha, after 40 attempts still no answer ….
Treated it as an XPath injection, did some inputs that would return true for the username and would return true as the real name of Sandra… still no luck… this must be a very specific input for it to be accepted :(
Tried with both single quote and double quote ….
I’m glad I’m almost bald or I would have pulled my hair out ..
I Hate Signatures.
Why is every query I try able to log in as another user, and whatever I change it’s still the same user, not Sandra Murphy? Can someone help me out with this?
If you make people think they’re thinking, they’ll love you. but if you really make them think, they’ll hate you.
~ Harlan Ellison
11 years ago
0
Hey roun512,
Please post the query that you are using.
If you make people think they’re thinking, they’ll love you. but if you really make them think, they’ll hate you.
~ Harlan Ellison
11 years ago
0
Hey roun512,
Not the complete one, but at least the end part perhaps.
I Hate Signatures.
11 years ago
0
I’ve finally solved it…………………………… Now I can Rest In Peace
Keeper, the answer is found in Google in the first 3 results when you search for the right thing … only a minor change to the code in it needs to be made, and with falbby’s hint… it’s a bullseye for anyone who knows only a bit about programming logic.
I Hate Signatures.
11 years ago | edited 11 years ago
0
ColdIV was so right. Why didn’t I think about it before? Why was I thinking so much that I ruled out the obvious? The answer was in front of me this whole time, now that I see it once I have completed it. Now a small change to the code and that’s it, you are done with the level.
I can’t believe it! I must have tried the correct thing a load of times :@ just in the wrong place lol. Never mind, finally done :D
I would love to change the world, but they won’t give me the source code.
It’s somewhat simple.
Let’s take an example of an SQL database.
It has 3 fields:
username, password, realname
The login script may work with the query "select * from users where username='username' and password='password'".
In case of an SQL injection, you can change almost the whole query, as you do not have to use 1=1--…
The answer for this level is almost the same: find the bug type and try changing what it does (the query) to include the real name field with the name you want to log in with.
I Hate Signatures.
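The post above describes the bug class in SQL terms; the following is an added example (not code from the thread or from the site's level) showing the same thing for an LDAP login filter: a filter built by concatenation lets the input add or break clauses, while RFC 4515 escaping keeps the input a literal value. The attribute names, the login filter shape and the inputs are constructed for illustration, with a small filter parser standing in for what a directory server would see.

```python
# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Return value with filter metacharacters escaped (RFC 4515)."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(user: str, password: str) -> str:
    """Vulnerable pattern (constructed): raw input concatenated into the filter."""
    return f"(&(uid={user})(userPassword={password}))"


def build_filter_safe(user: str, password: str) -> str:
    """Same filter, but each value is escaped before insertion."""
    return f"(&(uid={escape_filter_value(user)})(userPassword={escape_filter_value(password)}))"


def _parse_at(text: str, pos: int):
    """Parse one filter starting at text[pos]; return (tree, position after it).
    Supports (&..), (|..), (!..) and (attr=value); a value ends at the first ')'."""
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos < len(text) and text[pos] in "&|!":
        op, pos, children = text[pos], pos + 1, []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse_at(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"unclosed '{op}' filter at offset {pos}")
        return (op, children), pos + 1
    end = text.find(")", pos)
    if end < 0 or "=" not in text[pos:end]:
        raise ValueError(f"malformed item at offset {pos}")
    attr, _, value = text[pos:end].partition("=")
    return ("=", attr, value), end + 1


def parse_filter(text: str):
    """Parse a whole filter as a directory server would; reject leftover text."""
    tree, pos = _parse_at(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data after offset {pos}: {text[pos:]!r}")
    return tree


def top_level_attributes(text: str):
    """Names tested by the top-level filter; a login filter should list exactly two."""
    tree = parse_filter(text)
    if tree[0] == "=":
        return [tree[1]]
    return [item[1] if item[0] == "=" else item[0] for item in tree[1]]
```

Running the two builders over the inputs quoted earlier in this thread shows the difference: the unsafe filter either gains a third `uid` clause or fails to parse because of leftover text, while the safe one always parses to the same two clauses.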
10 years ago
0
However, it’s easier with a computer ^^
@tlotr: You should close this thread because it’s getting too long. Anyone who has a question can create their own thread.