The purpose of this challenge is to bypass login and gain access to the ADMIN page. Before heading there, it’s good practice to click around and look for hints left by the challenge creator. Lo and behold, there's a mention of SQL hinting at a potential SQL injection vulnerability.
I’ll be using the Burp Suite browser to proxy traffic, which will then be recorded in the HTTP history tab.
STEPS TO SOLUTION
- Head back to the admin login page and submit credentials with USERNAME=admin; PASSWORD can be left empty, since that's where the injection will be sent.
- Focus on the highlighted POST request and send it to Burp Repeater to modify our request.
If you've never worked on SQL injection, that's fine: there is a PWNSOME REPOSITORY (get it? pwn + awesome) called Payloads All The Things, which has different payloads for different web vulnerabilities.
The repository explains the vulnerability well. To elaborate on the payload ' OR 1=1 --, piece by piece:
- ' (single quote) closes the input string so we can introduce the always-true condition.
- OR 1=1 is the always-true condition, so the query will return results regardless of the criteria.
- -- comments out the rest of the query, in this case the closing quote, so that the always-true condition OR 1=1 works.
If you noticed, the request has a debug parameter. It's a Boolean, 0 or 1 (it can be any number but 0), and it shows the query we sent, which makes it easier to see how the query is sent to the database.
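To see why the payload works and what stops it, here is an added example (not part of the original write-up and not the challenge's code) that builds the login query by string concatenation and then with bound parameters. The table name, column names, query shape and stored password are assumptions made for the demo, run against an in-memory SQLite database.

```python
import sqlite3

PAYLOAD = "' OR 1=1 --"  # the payload discussed in this write-up


def make_db():
    # Constructed sample data; the schema is an assumption, not the challenge's.
    # Plaintext password only to keep the demo short.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'S3cret-not-the-real-one')")
    return db


def build_vulnerable_query(username, password):
    # String concatenation: user input becomes part of the SQL text itself.
    return ("SELECT name FROM users WHERE name='" + username +
            "' AND password='" + password + "'")


def login_vulnerable(db, username, password):
    # The quote in the payload ends the string literal, OR 1=1 makes the
    # WHERE clause true for every row, and -- hides the trailing quote.
    sql = build_vulnerable_query(username, password)
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, username, password):
    # Placeholders send the input as data, so quote and comment characters
    # are compared literally instead of being parsed as SQL.
    sql = "SELECT name FROM users WHERE name=? AND password=?"
    return db.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    # Same kind of view the debug parameter gives: the final query text.
    print(build_vulnerable_query("admin", PAYLOAD))
    print("concatenated query logs in:", login_vulnerable(db, "admin", PAYLOAD))
    print("parameterized query logs in:", login_parameterized(db, "admin", PAYLOAD))
```
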
FLAG: picoCTF{s0m3_SQL_c218b685}
PWNSOME RESOURCES:
https://portswigger.net/burp
https://github.com/swisskyrepo/PayloadsAllTheThings