no pass needed

Filtered SQL injection


It's all about who you know and I know 'admin'.


  • The username is reflected back into the username field (its value attribute) after failed authentication.

  • By fuzzing the username input, we find that everything after a whitespace character is removed.

  • Furthermore, 'admin' is replaced non-recursively.

We can exploit an SQL injection in the username parameter. The payload is:


This will translate to the query:

SELECT * FROM users WHERE username='admin';#

The flag is flag{wh0_n3ed5_a_p4ssw0rd_anyw4y}.
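Why the single-pass filter from the bullets above does not protect a concatenated query, next to a parameterized query that does: this is an added example, not code from the challenge or the original writeup. The filter model, table layout, password value and input string are constructed assumptions, and SQLite (comment marker `--`) stands in for the challenge's database.

```python
import re
import sqlite3

BLOCKED = "admin"  # the word the page says the filter strips


def challenge_filter(username: str) -> str:
    """Assumed model of the filter described above: drop everything from the
    first whitespace on, then remove BLOCKED in one pass (output not re-checked)."""
    head = re.split(r"\s", username, maxsplit=1)[0]
    return head.replace(BLOCKED, "")


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db


def login_concat(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable pattern: filtered input is pasted into the SQL text."""
    sql = ("SELECT * FROM users WHERE username='%s' AND password='%s'"
           % (challenge_filter(username), password))
    return db.execute(sql).fetchone() is not None


def login_param(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened pattern: placeholders keep input out of the SQL grammar."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone() is not None


# Constructed input for this demo; SQLite's comment marker is "--", not "#".
CONSTRUCTED = "ad" + BLOCKED + "min'--"

if __name__ == "__main__":
    db = make_db()
    print("filter output:", challenge_filter(CONSTRUCTED))
    print("concatenated query accepts:", login_concat(db, CONSTRUCTED, "x"))
    print("parameterized query accepts:", login_param(db, CONSTRUCTED, "x"))
    print("real login still works:", login_param(db, "admin", "constructed-secret"))
```

With placeholders no input filter is needed at all: the quote and comment marker arrive as ordinary characters of the username value.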
