Google CTF - Authentication Bypass
Рет қаралды 117,021
3 жыл бұрынHang with our community on Discord! johnhammond.org/discord
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: / johnhammond010
E-mail: johnhammond010@gmail.com
PayPal: paypal.me/johnhammond010
GitHub: github.com/JohnHammond
Site: www.johnhammond.org
Twitter: / _johnhammond
@theRealWhexy 3 жыл бұрын
First to know in MySQL, unless the string is a number ('123', '-42') or the strings starts by a number, every other string equals 0 (or FALSE). That makes password = 'username' = 'anything' be true in this way: the DB system fill Michelle's password into the where clause, it becomes 'MichellePassword' = 'username' = 'anything'. Then, 'MichellePassword' = 'username' is 0(false), and 0 = 'anything' is true because the string 'anything' is calculated as an 0! And finally the where clause makes a funny result --> True. That makes the attack success.
@_JohnHammond 3 жыл бұрын
Oh WOAH! Okay, THAT is awesome! Thanks for helping clarify that. I never exactly understood it 1000%. Pinning your comment so other viewers get a more solid explanation :)
@markgentry8675 3 жыл бұрын
nice one! thanks for the explanation.
@hackndo6891 3 жыл бұрын
@@_JohnHammond If we wanna be a little bit more precise, it is password = `username` = 'anything'. Note the backticks on the "username" field. It's because the key of the passed object is username, and backticks indicate it's a column name, not a value. Thus, when evaluating, MySQL will resolve password column as Michelle's password, let's say "MichelleP4ssword" `username` will be evaluated as "michelle", and "anything" will stay "anything". If you put password[password]=anything, then the `password` column will be replaced with "MichelleP4ssword" ending with this evaluation: "MichelleP4ssword" = "MichelleP4ssword" = "Anything". First, "MichelleP4ssword" = "MichelleP4ssword" will be true, and then, true = "Anything" will be false, so it doesn't authenticate. That's why it's working with "username" or "id", but not with "password".
@BrainFood155 3 жыл бұрын
Wow! That bizarre!!
@juliengrijalva8606 3 жыл бұрын
@@hackndo6891 So is this also the reason it didn't work with admin-admin, because "admin"="admin" returns true, and admin is both username and password?
@jfkz2000 3 жыл бұрын
John, never worry about video length when making these. We like to see your learning process. It helps us become better. I used to hack in the 90's and after the family i never had time. Just now getting back into it! Keep up the good work. Kudos to you! \
@trev1980x 3 жыл бұрын
Yup, if anything a bit more digging would have been good in this case. I don't feel like this video had a real conclusion :( I'm still a bit lost as to why password[password]="xyz" doesn't work.
@jongalloway4104 3 жыл бұрын
I completely agree! Watching how you think through things helps me learn how to do the same. You told everyone when you captured the flag, whoever didn't want to keep watching could stop 🙂
@krztix 3 жыл бұрын
damn in the 90's you coming back from that http password cleartext era xD
@clemsonfan53089 3 жыл бұрын
I agree 100%.. Let the video be long.. Watching you go down these rabbit holes, helps us understand the hacker mentality and the different ways to solve problems. Love your vids!
@allokrvlastnamesareoverrat4914 3 жыл бұрын
That "boring and stupid" part at the end was exactly what I'd love to see more of
@vladosononame6376 2 жыл бұрын
I come here to write same comment
@AhrenBaderJarvis 3 жыл бұрын
Honestly I found the part at the end (that you said was so boring) where you were exploring why that worked to be the most intriguing part. 😁
@seanolson4582 3 жыл бұрын
Hey the end where you are trying to understand what’s going on is just important. It’s not stupid. You are showing people how to find answers and learn
@michaelogrady4435 3 жыл бұрын
Watched until the end because im here to learn, love the extended cut.
@grandmaashley 3 жыл бұрын
grandma approved
@RobGcraft 3 жыл бұрын
I see you everywhere...
@Philbertsroom 3 жыл бұрын
I really like these videos. You reading through write ups and explaining your thought process is really informative. Good job keep it up!
@Luxgil 3 жыл бұрын
Watching you trying to learn something isn't boring, I actually enjoy to watch that. Good job and a nice video.!
@DarknessLPs 3 жыл бұрын
John, I am getting into cybersecurity as a new job and I actually really appreciated seeing how you looked up information to try to figure out how things were working at the end of the video. I appreciated it for 2 reasons, 1, it shows how to find the cause of a security flaw (and therefore how it might be patched) and 2, it shows the actual logic on why the method worked in the first place (pretty much an exercise in "how" to think about it rather than just stopping at "it works, so why do I care why it works?").
@tvathome562 2 жыл бұрын
Even if its someone else's work its still John's ability to work through, digest and express ideas in a easy to understand way that keeps the viewers coming back.
@reaperkilledyou9669 3 жыл бұрын
John! Dude first off just wanna say I love your videos
@ngonx5051 3 жыл бұрын
I was also really curious as to why this bypass worked so I did a little digging. By using the "mysql.format" function with the nodejs library and passing in the SQL statement from the source code with the two input parameters that would have come in from the request (with the password coming in as an object), it returns the following query: Select * from users where username = 'michelle' and password = `username` = 'whatever'. The issue comes with the comparison having the multiple equals signs, which will always evaluate to true with string comparisons based on the order that MySQL evaluates such a statement (there are some stack overflow threads that explain this better than I can). I think the whole point of the challenge was that passing in an object into the prepared statement would produce a scenario where it adds this extra = to the password checking part of the query, rendering it useless.
@sgaleta 3 жыл бұрын
Could you point to the stack overflow threads, I couldn't find them and I'm interested
@ngonx5051 3 жыл бұрын
@@sgaleta I think this one explains it in a really clear, concise manner stackoverflow.com/questions/19214675/why-does-select-a-b-c-return-1-in-mysql
@J0R1AN 3 жыл бұрын
Great explanation, but I have one small question left. Why at 16:28 does username=admin not work? To my understanding it should just log you in as the admin user right?
@masamune5710 2 жыл бұрын
@@J0R1AN I think it’s because the password for is also admin
@masamune5710 2 жыл бұрын
To elaborate, the password=‘username’ would evaluate to true (which is evaluated as 1 in MySQL), which would be compared to “whatever” as “1=0(false)”, which would ultimately return false
@brianb5723 Жыл бұрын
I may not speak for everyone but hearing your thinking process when going down the rabbit hole is what taught me the most in this video. Thank you!
@inimicalpart 3 жыл бұрын
Very cool video! Was here for the premiere and IT. WAS. AWESOME
@elderorozco-ochoa5249 3 жыл бұрын
Thank you so much for uploading your videos! I'm super new into the tech world and am learning so much from. Although I don't know 100% of what you're talking about it makes me curious and I start searching up these words. Thank you John !!!
@DCLEE-co3dj 3 жыл бұрын
I agree John 95% of your support group is here to learn so dont worry about surfing the net making a video too long because the whole process helps all of us learn new methods, tricks and valuable information for the long haul. Thanks for adding me on LinkedIn recently. Another great video my friend.
@deepakrana9872 3 жыл бұрын
I also love finding out why a technique work and your video helps me a lot to learn many stuffs
@AshleyHier 3 жыл бұрын
Hi John, Love the channel and the videos. You seem to have a great eye for exploitable aspects of the code during the ctf you get the job done. I would much prefer a longer format where you dig deeper into the node source given in the challenge prior to retrofitting write ups. Possibly you could run the code locally, step through with breakpoint debugging. Would also love to see an 'alarm bells ringing when I see this' cheat sheet per domain server stack / language. Keep the good content coming!
@Thebloggermustdie 3 жыл бұрын
I really liked this video because it shows the process of exploring how to get the answer and not just the flag. to me is more beneficial to know the process you go thought learning how things work than just getting the answer I think you should do more like these. thanks john
@suyogdahal8185 3 жыл бұрын
This is too good. I am entertained by this type of stuff than other regular videos where you get to the point without any trouble. And let the videos be hours long it does not matter.
@Slenkz 3 жыл бұрын
Definitely my new favorite channel, great content ❤️
@tsarprince Жыл бұрын
What an amazing video John! Thankyou so much for such content.
@ca7986 3 жыл бұрын
Love the end learning part! ❤️
@chiko3603 3 жыл бұрын
Bro i'm sure most of us are learning lot of stuff from ur videos, and we r here because of the way u explain things so don't worry about the writeup being urs or no, i prefer watch one of ur videos than reading an article
@gingercam3127 3 жыл бұрын
I learn sooo much from your videos! Thank you
@jacoblobo95 3 жыл бұрын
I'm doubtful anybody ever can or has gotten to a point where they'll never have to look something up to solve every CTF challenge. Considering your audience, myself included, we're always coming across something that makes redefine our understanding and makes us dig for why things work the way they do. I think this is the fun part, we're not just learning. We're constantly asking "How can I use these rules, this system to solve the challenge?" With how technical and dry all of this stuff can be, I think that's a key part of what makes it fun. Well, at least for me. It's a mystery waiting to be solved. Nobody wants to watch a mystery thriller where we jump from unsolved case to the criminal being arrested. I know, at least personally, I love watching how someone else uses critical thinking and deductive reasoning to find the answer. It's inspiring and fascinating. Anywho, thanks for the video! I really enjoyed this one more than usual and look forward to watching more!
@diegushio91 3 жыл бұрын
hey just a comment! @John Hammon the way you wondered on the internet, is something we all do and talk exactly like that just not otloud but it ends up being natural, and it's besides entertaining a good way of showing the process to new comers! so keep it natural, we love it! Suscribed
@whistletoe 3 жыл бұрын
The extended cut is awesome. Don’t worry about the length of the video!
@JesseBourretGheysen 3 жыл бұрын
You videos are teaching me so much! Thanks amigo
@ahmadzulfikark8486 3 жыл бұрын
I love your mindset which is amazing
@sasharofikrahmanie 3 жыл бұрын
thats what i like about you and your videos. you are awesome and humble at the same time. i learned so much from your videos and yourself. wholesome hacker and conetent creator 👏👏🙌🙌
@fatcatgaming695 3 жыл бұрын
this process of investigating and learning is great content, at least imo.
@ccelikanil 3 жыл бұрын
Pure genius. Thanks John
@jasonmikinskiwallet4308 3 жыл бұрын
This was not boring at all bro! Keep it up
@zarcher100 3 жыл бұрын
Great video man! Honestly the end helped me the most
@devotee9606 3 жыл бұрын
learned new thing about curl Thanks!!!!
@TobyDeshane 3 жыл бұрын
Nothing at all wrong with following the rabbit hole until you find a solution. I can't speak for others, but learning WHY these things work is part of why I watch these. By all means, throw down a point like you did where folks can get off the train, but don't feel obligated to cut the research short if it's still unknown. That's the most important part, IMHO.
@hackernews1059 3 жыл бұрын
thanks john for your effort
@creonte38 3 жыл бұрын
Time is necessary to learn and don't worry about it! Amazing try! Try hard always!! Thanks for sharing your knowledge with us!
@alhasanmohammed4378 3 жыл бұрын
Dude never stop making videos please ♥️
@rami3sam 3 жыл бұрын
another awesome video thank you john
@ihatethesensors 3 жыл бұрын
You kick ass man! I love your vids.
@kraemrz 3 жыл бұрын
I like when you wonder around and trying to understand whats happening and explaining to us
@alexgenuis02oninstagram96 2 жыл бұрын
👆👆 for your account recovery he's the best and reliable indeed you're trustworthy💯💯
@sentinalprime8838 3 жыл бұрын
amazing video john you rock
@yppjeevan 3 жыл бұрын
Don't worry about the length of your video... Because learning new things is itself interesting!!
@tdevzone2654 3 жыл бұрын
what a video, really thank you
@richardjones9598 3 жыл бұрын
Thank you!! Cant wait xD
@Kayajimaa Жыл бұрын
Hey John, tbh the last part was the most interesting one for me, not boring at all :-) also... I would've loved if you would have tried the prototype polution here aswell
@siddharthjohri2935 3 жыл бұрын
John the Don. Love ya.
@kaptainkrunch593 2 жыл бұрын
Agree with everyone, last part was fun to watch.
@gabrote42 2 жыл бұрын
1:18 I knew we would have retroactively hilarious Deltarune predictions
@RohanMukherjeeRoe 3 жыл бұрын
The string actually evaluates to: "Select * from users where username = 'michelle' and password = `username` = 'michelle';" I added a part in my writeup (at 21:26) explaining how I think it works, hope this helps :) Link: github.com/csivitu/CTF-Write-ups/tree/master/Google%20CTF/Web/Log-Me-In
@quangvo4563 3 жыл бұрын
Thanks for adding more information to that write-up, I understand it now. Not 100% but it's slowly sinking in XD
@healthyjibbit 3 жыл бұрын
Like always good video
@k0rtz376 3 жыл бұрын
Good stuff!!
@ArmyK9 3 жыл бұрын
Nested SQL query within a query. 👏
@SalimMahmood-killuminati 9 ай бұрын
what subjects/programmes best to learn to begin hacking?
@erickvond6825 2 жыл бұрын
Unless I'm mistaken Michelle is the password and when you parse it in the way you did the string works. I face-palmed when I figured it out. Admin's password is "admin" so it's logical that they did something overly easy for the flag account. Either that or it's including the password as a part of the username object.
@SaudAlfurhud 3 жыл бұрын
I love how you explain things about the code and how it works, is there any course you could recommend for beginner this fields ?
@deepergodeeper7618 3 жыл бұрын
x86 Assembly its easy for noobies to learn
@andycascade 3 жыл бұрын
Still don't get why select * from table where field=''='' gives all the table John, how about bonus episode with explanation about SQL type-cast weirdness and how vulnerable could it be?
@pzodeosrs 3 жыл бұрын
Some clarification: SELECT * FROM table WHERE field=''='', evaluates the WHERE clause for each record/row. With the assumption that 'field' is a string type, let's say for the first row, 'field' has a value of 'first'. Then for the first row, the WHERE clause evaluates to 'first'=''=''. The first part of the expression is 'first'=''. This is an equality comparison between two (clearly distinct) strings. The result is obviously false (which is the same as 0). The second part of the expression is then evaluated, as 0=''. For the purpose comparing numeric values and strings, strings are implicitly casted to said numeric type. Strings that are a numeric value will be casted as that value. For example '32' will be casted as 32. Strings beginning with a numeric character and containing non-numeric characters will be casted as the numeric value leading the string. For example '4somestring' will be casted as 4. All other strings are casted as 0. Returning to our expression, this means that the second comparison becomes 0=0 (since an empty string has no numeric characters), resulting in true. Thus, we can return this record/row. As becomes apparent, for all records, unless the value contained within 'field' is an empty string, this WHERE clause will always evaluate to be true. If a record has a 'field' value of an empty string, then the expression evaluates as follows: ''=''='' -> true/1='' -> true/1=0 -> false/0. So, if every record in your table has a value for 'field' that is a non-empty string, you will return them all.
@pzodeosrs 3 жыл бұрын
I should add that this is an example of terrible language design and I do not advocate using MySQL for this reason, amongst many others.
@theprateekmahajan 3 жыл бұрын
Rabbit holes are good. They exists so we can learn something new!
@nadavram7322 3 жыл бұрын
Good stuff! :) THM Throwback network vid coming soon? 🖥
@_JohnHammond 3 жыл бұрын
Yes (⌐■_■)
@parikshitsingh9847 3 жыл бұрын
Hey man, have you got the logic behind that query now? Can you explain it?
@chrishammer5925 3 жыл бұрын
I have to tell you to "slow the F down" sometimes and pause you... lol I need to visualize things, which means I may need to read what you read outloud twice. Not sure if possible, but if there is a way you could describe a visualization of things, like what that pinned comment means, it would be amazingly helpful on how it works. Appreciate your videos mate
@facebookdatasciencecambrid3885 3 жыл бұрын
Good vid. Not bad.
@mahmednabil2429 3 жыл бұрын
it's a very helpful and cool vedio
@eugenekolodenker9976 3 жыл бұрын
My suggestion is to start a local copy of the challenge as soon as possible. Then start debugging the program, i.e., put prints near the query to understand what's happening and what's actually being sent to MySQL.
@wesauis 3 жыл бұрын
on SQL, ` can be used to mark the value as the name of a column or table password=`password` it is the same as password=password, basically it is comparing if the value of the password column is equal to itself, what will always be true password = `password` = 1 will be evaluated to true = 1 which is the same as true = true, that is, true
@wesauis 3 жыл бұрын
Very confusing, but it works
@jannikmeissner 3 жыл бұрын
Gives me vibes of "Silicon Valley": "Your username is password and your password is password?"
@anshulsharma4720 2 жыл бұрын
Hey John, if I wanna practice these ctf challenges now, I mean I wanna upsolve them how can I do ? Could you please provide me any hint or something, please help.
@jimbuckley341 3 жыл бұрын
Does anyone know a video or link to a video of Johns that explains the process of downloading/extracting the page source? It was gone over around 2:25 in the video but he said 'hes already downloaded the source' and simply extracts it. i've tried this in the past and usually get the html source after the code has been interpreted by a browser, rather than the raw source like he has. thanks!
@krztix 3 жыл бұрын
at 7:25, i don't see any checks for the given parameters u and p can't you do a SQL Injection here?
@aeyageee 2 жыл бұрын
hey may I know what OS were you using in this video?
@louiscoetzee7744 3 жыл бұрын
I wish you finished figuring this out - I want to know why its working the way it is. Also doesn't make sense to me.
@samcameron6734 3 жыл бұрын
So, instead of setting password to the correct string, you pass an object that evaluates to true?
@leiroos Жыл бұрын
amzg claps and TY
@no-qm1gs 3 жыл бұрын
What distro are you using ?
@Zecr 3 жыл бұрын
Just play Fearless at the end :)
@ksrele Жыл бұрын
I can't find video where you solve first chalange ("Hardware"), can you send me a link to that video please?
@akustevanry4386 3 жыл бұрын
In my opinion when pass object variable with keys into js it will without qoute, so it translate into sql language to this 'select * from users where username="michelle" and password=username' it means 'password' equal to 'password' in same row where username="michelle" #cmiww
@kennyng6568 3 жыл бұрын
Hello, john. I am new here. May I ask how do you got a build output while editing your python script (starts from 14:06 to 15:04)
@ungarbagebin 3 жыл бұрын
There is a package called buildview, it can be used to show build output in a separate file as he does here.
@ungarbagebin 3 жыл бұрын
you just have to hit the build command(Ctrl+B) again every time you change the script.
@kennyng6568 3 жыл бұрын
Thx so much
@naveennirban 3 жыл бұрын
not boring dude at all
@SimonHuenecke 3 жыл бұрын
John, we both know it’s pronounced ”sea-surf”
@z08840 3 жыл бұрын
"username=michelle&password[username]=" - works just fine and you can do it just from chrome using devtools
@bhagyalakshmi1053 10 ай бұрын
Erorr cocokis cap to pist ?
@AniltonNeto 3 жыл бұрын
16:38 to 19:53 has the CTF flag :D
@sadmanabrarrafin7573 2 жыл бұрын
what about 1 'or' 1 '=' 1 in password field and michell in username field SQL Query: SELECT * FROM column_name where username = michell AND password = 1 'or' 1 '=' 1 1 is not the valid password, but 2nd statement is true ( 1 = 1 )
@alexgenuis02oninstagram96 2 жыл бұрын
👆👆 for your account recovery he's the best and reliable indeed you're trustworthy💯💯
@rakenso 3 жыл бұрын
How bad did you cry John? your eyes looks red.
@helluci6449 3 жыл бұрын
So 'password[username] = anything' means whatthefu..? :D
@gabrote42 2 жыл бұрын
21:13 I don't mind
@Spongman 3 жыл бұрын
Talking about the code and your thought process, not boring. On the other hand... constant interruptions talking about the length of the video, how we can stop if we want, and how we may be perceiving it...
@prasadbroo 3 жыл бұрын
Bro you should make ethical hacking series to learn haking
@realslimchaggy 2 жыл бұрын
you look like ippsec 🤔
@code4720 3 жыл бұрын
who else is still noob
@allahschild9088 3 жыл бұрын
commen for ytalg
@Hackedpw 3 жыл бұрын
K
@cdbcbd4930 3 жыл бұрын
login mi.chelle
@jialx 3 жыл бұрын
I don't get this video. Are you acting like you don't know the answer like a recreation of what someone would do for this CTF or is this you doing it for the first time? Just because you keep flipping from not knowing and exploring to being certain and just putting in the answer in seemingly by accident... I am genuinely confused.
@roberts1711 3 жыл бұрын
Not watched this yet. But last 2 i watched this guy couldnt do but basically made a vid "teaching" while following another persons write up. If same happens here im giving up on this channel