Write-up author: jon-brandy
If the flag is not displayed after completing this challenge, try clearing your cookies.
Cookies set by other challenges may prevent the flag from displaying properly.
Can you beat the filters? Log in as admin http://jupiter.challenges.picoctf.org:40791/ , http://jupiter.challenges.picoctf.org:40791/filter.php
- You are not allowed to login with valid credentials.
- Write down the injections you use in case you lose your progress.
- For some filters it may be hard to see the characters, always (always) look at the raw hex in the response.
- sqlite
- If your cookie keeps getting reset, try using a private browser window
- First, open the following website -> http://jupiter.challenges.picoctf.org:41560/
- Since they want us to log in as admin, let's try entering admin as both the username and the password.
- Turns out it's not that easy, so let's try a SQL injection by entering the username as admin'-- and the password as admin.
- We made it to round 2!
- Now try to input the same value as round 1.
- Seems it doesn't work out.
- From the description, we can see which characters the current round filters.
- Now try adding /filter.php to the URL.
- It is known that the website filters the characters --, so now let's try entering the username as admin'/* and the password as admin.
- Turns out we made it to round 3!
- Now let's open filter.php again on this round.
- Seems we can enter the same value as in round 2, because they still don't filter the /* characters.
- Try entering the same value as in round 2.
- We made it to round 4!
- Let's open filter.php again.
- It seems we can't use the word admin anymore, and somehow we have to bypass it.
- The easiest way to bypass it is by using concatenation -> ||.
- Now let's try entering the username as adm'||'in and the password as a, or any character you want.
- Seems it doesn't work out. Let's try commenting out the 'AND PASSWORD etc... part by using /*.
- So the query will look like this:
SELECT * FROM users WHERE username='adm'||'in'/* AND password='a'
- Try entering the username as adm'||'in'/* and the password as a, or any character you like, because the password is going to be commented out, so it won't have any effect.
- We made it to round 5!
- Next, check filter.php again.
- Seems we can enter the same value again as in round 4.
- Now open the filter.php file.
<?php
session_start();

if (!isset($_SESSION["round"])) {
    $_SESSION["round"] = 1;
}
$round = $_SESSION["round"];
$filter = array("");
$view = ($_SERVER["PHP_SELF"] == "/filter.php");

if ($round === 1) {
    $filter = array("or");
    if ($view) {
        echo "Round1: ".implode(" ", $filter)."<br/>";
    }
} else if ($round === 2) {
    $filter = array("or", "and", "like", "=", "--");
    if ($view) {
        echo "Round2: ".implode(" ", $filter)."<br/>";
    }
} else if ($round === 3) {
    $filter = array(" ", "or", "and", "=", "like", ">", "<", "--");
    // $filter = array("or", "and", "=", "like", "union", "select", "insert", "delete", "if", "else", "true", "false", "admin");
    if ($view) {
        echo "Round3: ".implode(" ", $filter)."<br/>";
    }
} else if ($round === 4) {
    $filter = array(" ", "or", "and", "=", "like", ">", "<", "--", "admin");
    // $filter = array(" ", "/**/", "--", "or", "and", "=", "like", "union", "select", "insert", "delete", "if", "else", "true", "false", "admin");
    if ($view) {
        echo "Round4: ".implode(" ", $filter)."<br/>";
    }
} else if ($round === 5) {
    $filter = array(" ", "or", "and", "=", "like", ">", "<", "--", "union", "admin");
    // $filter = array("0", "unhex", "char", "/*", "*/", "--", "or", "and", "=", "like", "union", "select", "insert", "delete", "if", "else", "true", "false", "admin");
    if ($view) {
        echo "Round5: ".implode(" ", $filter)."<br/>";
    }
} else if ($round >= 6) {
    if ($view) {
        highlight_file("filter.php");
    }
} else {
    $_SESSION["round"] = 1;
}

// picoCTF{y0u_m4d3_1t_96486d415c04a1abbbcf3a2ebe1f4d02}
?>
- Finally, we got the flag!
picoCTF{y0u_m4d3_1t_96486d415c04a1abbbcf3a2ebe1f4d02}
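As an added example (not part of the write-up or the challenge code), here is a Python model of the round blocklists taken from filter.php placed beside the two ways the login query can be built: the string-spliced form the challenge uses, which the page's inputs slip past, and a parameterized form in which the same inputs are just literal strings. The users table and its password are constructed sample data, and case-insensitive substring matching is an assumption about how the blocklist is applied, since the page does not show that part of the code.

```python
import sqlite3

# Blocklists copied from the page's filter.php, rounds 1-5.
FILTERS = {
    1: ["or"],
    2: ["or", "and", "like", "=", "--"],
    3: [" ", "or", "and", "=", "like", ">", "<", "--"],
    4: [" ", "or", "and", "=", "like", ">", "<", "--", "admin"],
    5: [" ", "or", "and", "=", "like", ">", "<", "--", "union", "admin"],
}


def blocked(value: str, rnd: int) -> bool:
    """Assumed filter semantics: reject if any token appears as a substring."""
    low = value.lower()
    return any(tok in low for tok in FILTERS[rnd])


def connect() -> sqlite3.Connection:
    """In-memory users table with one constructed admin row (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'not-the-real-password')")
    return conn


def vulnerable_login(conn, username: str, password: str) -> bool:
    """Query shape from the page: untrusted input spliced into SQL text,
    so quotes, || and comment markers in the input become SQL syntax."""
    sql = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"
    return conn.execute(sql).fetchone() is not None


def safe_login(conn, username: str, password: str) -> bool:
    """Same check with bound parameters: the input is only ever compared
    as a value, whatever characters it contains."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def gauntlet_round(rnd: int, username: str, password: str):
    """One round as modeled here: blocklist first, then the spliced query.
    Returns "filtered" when the blocklist rejects the input, else the login result."""
    if blocked(username, rnd) or blocked(password, rnd):
        return "filtered"
    return vulnerable_login(connect(), username, password)
```

Running the page's inputs through `gauntlet_round` reproduces each round's outcome, while `safe_login` with the same inputs never returns true, which is the fix a blocklist cannot provide.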