Lobotomy Team

RuCTFE 2012 -- Buster (Patch)

Buster Write-up

I made the patch only.

Take buster.jar.
Unzip buster.jar.
Download jd-gui to decompile the Java classes.
Look at the server code.
The file buster/server/data/base.java contains the following code:

Statement stat = conf.conn.createStatement();
stat.executeUpdate("insert into users (name, password) values('" + name + "', '" + password + "');");
and

Statement stat = conf.conn.createStatement();
ResultSet rs = stat.executeQuery("select * from users where name='" + name + "'and password='" + password + "';");
As you can see, there is a SQL injection: the user-supplied name and password are concatenated straight into the query text, so a single quote in either value changes the structure of the statement.
Java's PreparedStatement should save us: the SQL text is compiled with placeholders and the values are bound separately, so they can never be parsed as SQL.
Change the insert code to:

// requires import java.sql.PreparedStatement; if base.java does not already import it
String query = "insert into users (name, password) values(?,?);";
PreparedStatement stat = conf.conn.prepareStatement(query);
stat.setString(1, name);
stat.setString(2, password);
stat.executeUpdate();
stat.close();

Change the select code to:

String query = "select * from users where name = ? and password = ?;";
PreparedStatement stat = conf.conn.prepareStatement(query);
stat.setString(1, name);
stat.setString(2, password);
// executeQuery() takes no argument on a PreparedStatement; passing the query string again throws SQLException
ResultSet rs = stat.executeQuery();
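To see why the change matters, here is an added example (not code from the Buster service or from the original write-up) that rebuilds both query shapes in Python against an in-memory SQLite table, using the same string concatenation as the original base.java and the same placeholder queries as the patch. The users and passwords are constructed for the demo; the table has only the two columns the queries reference.

```python
import sqlite3

# Constructed sample users for the demo; not data from the Buster service.
SAMPLE_USERS = [("admin", "s3cret"), ("alice", "hunter2")]


def make_db():
    """Create an in-memory users table shaped like the one base.java queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (name text, password text)")
    conn.executemany("insert into users (name, password) values (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def register_vulnerable(conn, name, password):
    # Same string concatenation as the original insert in base.java.
    conn.execute("insert into users (name, password) values('" + name + "', '" + password + "');")
    conn.commit()


def register_fixed(conn, name, password):
    # Parameterised version: values travel separately from the SQL text.
    conn.execute("insert into users (name, password) values(?,?);", (name, password))
    conn.commit()


def login_vulnerable(conn, name, password):
    # Same concatenation as the original select (including the missing space before 'and').
    query = ("select * from users where name='" + name +
             "'and password='" + password + "';")
    return conn.execute(query).fetchall()


def login_fixed(conn, name, password):
    query = "select * from users where name = ? and password = ?;"
    return conn.execute(query, (name, password)).fetchall()


def demo():
    """Return the observations as a dict so they can be checked programmatically."""
    conn = make_db()
    # Closes the string literal and comments out the password check.
    bypass_name = "admin' --"
    results = {
        "vuln_bypass": len(login_vulnerable(conn, bypass_name, "wrong")),
        "fixed_bypass": len(login_fixed(conn, bypass_name, "wrong")),
        "fixed_legit": len(login_fixed(conn, "admin", "s3cret")),
    }
    # A legitimate name containing an apostrophe is a syntax error for the
    # concatenated insert, while the prepared version stores it unchanged.
    try:
        register_vulnerable(conn, "o'brien", "pw")
        results["vuln_insert_ok"] = True
    except sqlite3.OperationalError:
        results["vuln_insert_ok"] = False
    register_fixed(conn, "o'brien", "pw")
    results["fixed_insert_found"] = len(login_fixed(conn, "o'brien", "pw"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the concatenated select, the name `admin' --` logs in as admin with any password; with the prepared statement the same input is just a name nobody has. The insert shows the other side of the coin: parameters are not only a security fix, they are the only way names with quotes are stored correctly at all.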
Compile the class (javac takes the .java source, and needs the unzipped jar on the classpath so it can resolve the other buster classes; run this from the directory you unzipped into):
javac -cp . buster/server/data/base.java

Update buster.jar with the recompiled class:
jar -uf buster.jar buster/server/data/base.class

Restart the service.