February 2008 Security Contest

Topic: SQL Injection

There are lots of insecure web applications floating around the web. Many of them are oblivious to the dangers of unsanitized user input being used in dynamically generated sql queries.

Your Challenge

The vulnerable login form is available for your hacking pleasure here on our contest server:

The insecure form

The source code for the insecure form is available here:

Source code of the insecure form

There are two different challenges in this contest:

Easy challenge: Can you get logged in as the user "admin"? (That is, can you get shown the "Welcome" message along with the user's "secret info" which is displayed after they login?)
Hard challenge: Can you get the unhashed password for the user "admin" so that you can login just as that user would? (That is, can you obtain enough information such that you can login without sql injection?)

What you win

Technically, nothing. I have no idea what the legal ramifications of contents with prizes are. However, the first UA student or faculty who wins the contest before a solution is announced may likely be the recipient of a personal gift in the form of a book on a security topic. (Actually, no book for faculty, but you'll get credit for winning.)

You also get your name mentioned as the winner of the contest, if you so desire.

General Contest Notes

Please respect the contest server. It's not a DoS contest. If your solution involves making multiple requests or connections to the server, please do them sequentially unless your solution requires them to be concurrent (in which case, please be kind).

Pretty much, if you know something wasn't intended and you know it may negatively impact the server, don't do it.

The contest is intended for University of Arizona students and faculty. If you aren't from the UA, you are welcome to give it a try, but you won't be credited with winning the contest and non-UA IP addresses are subject to blocking if they are abusive.

Report Victories, Ask Questions

Send your victory reports and questions (and requests for hints) to info -at- uacompsec.org.

Hard Challenge Results

Winner: Silviu Smarandache [Thu, 14 Feb 2008 11:53:49 MST]
1st runner up: Keith Larrimore [Thu, 14 Feb 2008 15:55:00 MST]
2nd runner up: Todd Knight [Fri, 15 Feb 2008 11:46:05 MST]

If you're enjoying the challenge, don't stop just because someone else got there first! Maybe we'll even list people in order of time they reported the solution, or maybe your solution will be more elegant. We'll discuss the different solutions at the meeting on Tuesday and post them afterwards.

Solution

Solutions are available here.

Added 2008-02-12 by Justin Samuel,
Updated 2008-02-19 by Justin Samuel, University of Arizona Computer Security Club.