Web Gauntlet

Point: 200

Category

Web Exploitation

Question

Can you beat the filters? Log in as admin http://jupiter.challenges.picoctf.org:44979/ http://jupiter.challenges.picoctf.org:44979/filter.php

Hint

  • Hint 1: You are not allowed to login with valid credentials.

  • Hint 2: Write down the injections you use in case you lose your progress.

  • Hint 3: For some filters it may be hard to see the characters, always (always) look at the raw hex in the response.

  • Hint 4: sqlite

  • Hint 5: If your cookie keeps getting reset, try using a private browser window

Solution

Looking at the login form given by the challenge, I knew this was a SQL injection vulnerability.

  • Round 1/5

I tried admin for both username and password, but it didn't work. The server showed Invalid username/password and SELECT * FROM users WHERE username='admin' AND password='admin'.

On the filter page I had Round1: or. Looking at the SQL command above, I'm going to try to escape out of the single quote ', meaning I want to ignore all of this: ' AND password='admin'. Thus I had a bypass like this: username='admin';--'. The ; marks the end of the statement and the -- comments out the rest.

Then I used admin';-- to get to round 2.

  • Round 2/5

In this round I had a filter like this: Round2: or and like = --. I could see -- in this filter, so I decided not to put -- in the payload; then I tried admin'; and it worked.

  • Round 3/5

This is the filter for this round: Round3: or and = like > < --. It added a little bit more but didn't change anything, so I tried the same payload as in round 2 and it worked.

  • Round 4/5

This is the filter for this round: Round4: or and = like > < -- admin. It added admin to the filter, so I could not use admin to bypass. I tried a few things but they did not work. I decided to level up my bypass using a UNION statement. I had a payload like this: SELECT * FROM users WHERE username='admin'/**/UNION/**/SELECT/**/*FROM/**/users/**/LIMIT/**/1;. Here I used /**/ to simulate whitespace in the input, and it worked.

  • Round 5/5

This is the filter for this round: Round5: or and = like > < -- union admin. It added union to the filter, so I couldn't use union in the input. So I searched Google for union attacks and it led me to this link. Basically, I could use || to concatenate strings together. So I tried adm'||'in'; as the input and finally I got the flag.

After all that, I had the full source code of the filter file and the flag.

<?php
session_start();

if (!isset($_SESSION["round"])) {
    $_SESSION["round"] = 1;
}
$round = $_SESSION["round"];
$filter = array("");
$view = ($_SERVER["PHP_SELF"] == "/filter.php");

if ($round === 1) {
    $filter = array("or");
    if ($view) {
        echo "Round1: ".implode(" ", $filter)."<br/>";
    }
} else if ($round === 2) {
    $filter = array("or", "and", "like", "=", "--");
    if ($view) {
        echo "Round2: ".implode(" ", $filter)."<br/>";
    }
} else if ($round === 3) {
    $filter = array(" ", "or", "and", "=", "like", ">", "<", "--");
    // $filter = array("or", "and", "=", "like", "union", "select", "insert", "delete", "if", "else", "true", "false", "admin");
    if ($view) {
        echo "Round3: ".implode(" ", $filter)."<br/>";
    }
} else if ($round === 4) {
    $filter = array(" ", "or", "and", "=", "like", ">", "<", "--", "admin");
    // $filter = array(" ", "/**/", "--", "or", "and", "=", "like", "union", "select", "insert", "delete", "if", "else", "true", "false", "admin");
    if ($view) {
        echo "Round4: ".implode(" ", $filter)."<br/>";
    }
} else if ($round === 5) {
    $filter = array(" ", "or", "and", "=", "like", ">", "<", "--", "union", "admin");
    // $filter = array("0", "unhex", "char", "/*", "*/", "--", "or", "and", "=", "like", "union", "select", "insert", "delete", "if", "else", "true", "false", "admin");
    if ($view) {
        echo "Round5: ".implode(" ", $filter)."<br/>";
    }
} else if ($round >= 6) {
    if ($view) {
        highlight_file("filter.php");
    }
} else {
    $_SESSION["round"] = 1;
}

// picoCTF{y0u_m4d3_1t_16f769e719ab9d3e310fd13dc1262ee1}
?>
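The blocklists above are the challenge's stand-in for the real fix, which is to bind parameters instead of concatenating user input into the query. The following Python/sqlite3 script is an added example, not part of the writeup or the challenge source: it copies the five filter arrays from filter.php, builds a small in-memory users table (the real schema and password are not on the page and are assumed here), and runs the concatenated query the challenge echoes next to a parameterised one on the Round 1 input from the writeup. The case-insensitive substring check is also an assumption, since the login page's own matching code is not shown.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the challenge's sqlite users table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse')")
    conn.commit()
    return conn


# The per-round blocklists as filter.php builds them.
ROUND_FILTERS = {
    1: ["or"],
    2: ["or", "and", "like", "=", "--"],
    3: [" ", "or", "and", "=", "like", ">", "<", "--"],
    4: [" ", "or", "and", "=", "like", ">", "<", "--", "admin"],
    5: [" ", "or", "and", "=", "like", ">", "<", "--", "union", "admin"],
}


def blocked(value, round_no):
    """Case-insensitive substring blocklist. Assumed: the login page's own
    check is not on the page, only the arrays it uses."""
    low = value.lower()
    return any(word in low for word in ROUND_FILTERS[round_no])


def login_vulnerable(conn, username, password):
    """The query shape the challenge echoes back, built by string concatenation.
    Returns the matched username or None. Python's sqlite3 runs one statement
    per execute(); the Round 1 input still goes through because everything
    after its ';' is a SQL comment."""
    sql = (f"SELECT username FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same lookup with bound parameters: the inputs are data, never SQL,
    so no blocklist is needed."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "admin';--"  # the Round 1 input from the writeup
    print("concatenated :", login_vulnerable(db, payload, "wrong"))
    print("parameterised:", login_safe(db, payload, "wrong"))
    print("real login   :", login_safe(db, "admin", "correct horse"))
    print("round 4 blocks the real username:", blocked("admin", 4))
```

Run it directly to see the two lookups disagree on the same input: the concatenated query returns the admin row with a wrong password, while the parameterised one treats the whole input as a literal username and returns nothing, yet still authenticates the genuine credentials. The last line shows the other cost of filtering at the wrong layer: from round 4 on, the blocklist rejects the legitimate username admin itself.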

Flag

picoCTF{y0u_m4d3_1t_16f769e719ab9d3e310fd13dc1262ee1}
