Summary
500pts - 0 Solves
my code is 100% bug free.
can you find the glitch?
* Only the admin account has the flag.
Source code is provided. Authentication tokens are encrypted with AES-256-ECB and protected by an HMAC; each user has their own encryption key and HMAC key stored in the database.
Vulnerability
Looking at the source code, the flag is returned by this function in the conf.php file:
if (!function_exists('isLogged') ){
    function isLogged($Auth,$User){
        global $con;
        $sql = mysqli_query($con,"SELECT * FROM tab WHERE user='".mysqli_real_escape_string($con,$User)."' ") ;
        if(mysqli_num_rows($sql)!==0){
            $AuthKey=getAUTHkey($User);
            if(hmac_verify($Auth,$AuthKey)) {
                $bundle=base64_decode($Auth);
                $message = mb_substr($bundle, 65, null, '8bit');
                $userData=explode("|",decrypt_msg($message,$AuthKey) );
                include 'GLITCH/getSecrets.php';
                return array('OK',$qwertyuiop[$userData[0]]);
            }
        }
        return array('NO','');
    }
}
This function is called from ajax.php here:
if(@$_POST['Auth'] AND @$_POST['User']){
    out(isLogged($_POST['Auth'],$_POST['User']));
}
At first look the code seems pretty secure: the AES-encrypted data cannot be tampered with in any way because of the HMAC. So in order to be authenticated we either need a legitimate token, or we need to make mysqli_num_rows($sql) return something other than 0.
By default MySQL's maximum query size is 16 MB, and a query larger than that fails. In PHP the failed mysqli_query() returns false, and mysqli_num_rows() on that result returns NULL, which is different from 0 under the strict !== comparison.
Since we control part of the query, sending a username of random bytes larger than 16 MB lets us pass the if(mysqli_num_rows($sql)!==0){ check.
getAUTHkey($User) will then also return NULL, which enables us to forge any authentication token with a NULL key for both the HMAC and the AES decryption.
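The root cause is that a database error is treated the same as "the user exists", and that a missing key is still passed to the HMAC and AES routines. The following hardened version of isLogged() is an added example and is not the challenge's code; it assumes the same helpers the writeup references (getAUTHkey(), hmac_verify(), decrypt_msg(), the $qwertyuiop secrets array from GLITCH/getSecrets.php), an assumed MAX_USER_LEN limit, and that the first field of the decrypted token is the username.

```php
<?php
// Hardened isLogged(): added example, not the challenge's own code.
// getAUTHkey(), hmac_verify() and decrypt_msg() are the challenge's helpers
// as referenced in the writeup; their internals are assumed.

const MAX_USER_LEN = 64; // assumed application limit on username length

function isLoggedHardened(mysqli $con, string $Auth, string $User): array {
    // 1. Bound the input before it reaches MySQL, so the query can never
    //    exceed max_allowed_packet and fail for size reasons.
    if ($User === '' || strlen($User) > MAX_USER_LEN) {
        return array('NO', '');
    }

    // 2. Prepared statement: the username is a bound parameter, never SQL text.
    $stmt = $con->prepare("SELECT user FROM tab WHERE user = ? LIMIT 1");
    if ($stmt === false) {
        return array('NO', '');          // query error => fail closed
    }
    $stmt->bind_param('s', $User);
    if (!$stmt->execute()) {
        $stmt->close();
        return array('NO', '');          // execution error => fail closed
    }
    $stmt->store_result();
    $rows = $stmt->num_rows;             // always an int here, never NULL/false
    $stmt->close();
    if ($rows !== 1) {
        return array('NO', '');
    }

    // 3. Never verify or decrypt with missing key material.
    $AuthKey = getAUTHkey($User);
    if (!is_string($AuthKey) || $AuthKey === '') {
        return array('NO', '');
    }
    if (!hmac_verify($Auth, $AuthKey)) {
        return array('NO', '');
    }

    // 4. Strict base64 decoding and a length check before slicing the bundle.
    $bundle = base64_decode($Auth, true);
    if ($bundle === false || strlen($bundle) <= 65) {
        return array('NO', '');
    }
    $message  = mb_substr($bundle, 65, null, '8bit');
    $userData = explode('|', decrypt_msg($message, $AuthKey));

    // 5. The user named inside the token must be the user that was looked up
    //    (assumes field 0 of the token is the username), so a token can only
    //    ever release its own user's secret.
    if (!isset($userData[0]) || !hash_equals($User, $userData[0])) {
        return array('NO', '');
    }
    include 'GLITCH/getSecrets.php';
    if (!isset($qwertyuiop[$userData[0]])) {
        return array('NO', '');
    }
    return array('OK', $qwertyuiop[$userData[0]]);
}
```

The two changes that matter for this bug are the fail-closed handling of a query error (a false result is no longer compared against 0) and the refusal to call hmac_verify() or decrypt_msg() with an empty key; the length cap and prepared statement remove the oversized-query path entirely.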
Full exploit here:
https://github.com/rekter0/3kCTF2020/blob/master/glitch-sploit.php